Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12, JUNOSE 11.3 Configuration Manual

Download

Page 1

JunosE™ Software for E Series™ Broadband Services Routers

Broadband Access Configuration Guide

Release

11.3.x

Published: 2010-10-12

Page 2

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

JunosE™ Software for E Series™ Broadband Services Routers Broadband Access Configuration Guide

Writing: Mark Barnard, Diane Florio, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Fran Singer, Poornima Goswami, Chander Aima, Hema Priya J, Krupa Chandrashekar, Subash Babu Asokan, Sairam Venugopalan, Namrata Mehta Editing: Benjamin Mann, Alana Calapai Illustration: Nathaniel Woodward Cover Design: Edmonds Design

Revision History October 2010—FRS JunosE 11.3.x

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

Page 3

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THISAGREEMENT. IF YOU DO NOTOR CANNOT AGREE TO THE TERMSCONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks(Cayman)Limited(if the Customer’s principaloffice is locatedoutside the Americas)(such applicable entity beingreferred to herein as“Juniper”), and (ii)the person ororganizationthat originally purchased from Juniperor an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper oran authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicablefeesand the limitations andrestrictions set forthherein, Juniper grantsto Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limitstoCustomer’suse ofthe Software.Such limitsmay restrict use toa maximum number of seats, registeredendpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in anyform, to anythird party; (d)removeany proprietary notices, labels,or marks on or in any copyof the Softwareor anyproduct in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in thesecondhandmarket;(f) use any‘locked’ orkey-restricted feature,function, service, application,operation,or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Page 4

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercialefforts to maintain the Software and associated documentation in confidence, which at a minimum includes restrictingaccess to the Software to Customer employees and contractors havinga need touse the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthataccompaniesthe Software (the “Warranty Statement”). Nothing inthis Agreement shallgive rise to anyobligation tosupport the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS ORPROCUREMENT OFSUBSTITUTE GOODSOR SERVICES,OR FORANYSPECIAL,INDIRECT, ORCONSEQUENTIALDAMAGES ARISING OUTOF THIS AGREEMENT,THE SOFTWARE,OR ANY JUNIPEROR JUNIPER-SUPPLIED SOFTWARE. IN NOEVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

Page 5

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations ofconfidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embeddedin the Software and any supplier ofJuniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shallhave theright to enforce this Agreement in its own nameas if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Page 6

Page 7

Abbreviated Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . . 111

Part 2 Managing RADIUS and TACACS+

Chapter 3 Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Chapter 4 Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 237

Chapter 5 Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Chapter 6 RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Chapter 7 Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Chapter 8 Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Chapter 9 Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Chapter 10 Monitoring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Part 3 Managing L2TP

Chapter 11 L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Chapter 12 Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Chapter 13 Configuring an L2TP LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Chapter 14 Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Chapter 15 L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Chapter 16 Monitoring L2TP and L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Part 4 Managing DHCP

Chapter 17 DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

Chapter 18 DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Chapter 19 Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Chapter 20 Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Chapter 21 Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 519

Chapter 22 Monitoring and Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Part 5 Managing the Subscriber Environment

Chapter 23 Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

Page 8

JunosE 11.3.x Broadband Access Configuration Guide

Chapter 24 Monitoring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Chapter 25 Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

Chapter 26 Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Part 6 Managing Subscriber Services

Chapter 27 Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Chapter 28 Monitoring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697

Part 7 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725

Page 9

Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

E Series and JunosE Documentation and Release Notes . . . . . . . . . . . . . . . . . . xxxv

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

E Series and JunosE Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . xxxv

Obtaining Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Remote Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

B-RAS Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Configuring IP Addresses for Remote Clients . . . . . . . . . . . . . . . . . . . . . . . . . . 4

AAA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Remote Access Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

B-RAS Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Remote Access References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Before You Configure B-RAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Remote Access Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Configuring a B-RAS License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Mapping a User Domain Name to a Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Mapping User Requests Without a Valid Domain Name . . . . . . . . . . . . . . . . . 8

Mapping User Requests Without a Configured Domain Name . . . . . . . . . . . . . 9

Using DNIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Redirected Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

IP Hinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Setting Up Domain Name and Realm Name Usage . . . . . . . . . . . . . . . . . . . . . . . . 12

Using the Realm Name as the Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . 13

Using Delimiters Other Than @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Using Either the Domain or the Realm as the Domain Name . . . . . . . . . . . . . 13

Specifying the Domain Name or Realm Name Parse Direction . . . . . . . . . . . . 13

Stripping the Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Domain Name and Realm Name Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Specifying a Single Name for Users from a Domain . . . . . . . . . . . . . . . . . . . . . . . . 16

Configuring RADIUS Authentication and Accounting Servers . . . . . . . . . . . . . . . . 18

Server Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Server Request Processing Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Authentication and Accounting Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Page 10

JunosE 11.3.x Broadband Access Configuration Guide

Supporting Exchange of Extensible Authentication Protocol Messages . . . . 20

Immediate Accounting Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Duplicate and Broadcast Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring AAA Duplicate Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Configuring AAA Broadcast Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Overriding AAA Accounting NAS Information . . . . . . . . . . . . . . . . . . . . . . 22

UDP Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Collecting Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Configuring RADIUS AAA Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

SNMP Traps and System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Configuring Local Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Creating the Local Authentication Environment . . . . . . . . . . . . . . . . . . . . . . . 39

Creating Local User Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Adding User Entries to Local User Databases . . . . . . . . . . . . . . . . . . . . . . . . . 40

Using the username Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Using the aaa local username Command . . . . . . . . . . . . . . . . . . . . . . . . 40

Assigning a Local User Database to a Virtual Router . . . . . . . . . . . . . . . . . . . . 41

Enabling Local Authentication on the Virtual Router . . . . . . . . . . . . . . . . . . . . 41

Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Local Authentication Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Configuring Tunnel Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuring Name Server Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

DNS Primary and Secondary NMS Configuration . . . . . . . . . . . . . . . . . . 50

WINS Primary and Secondary NMS Configuration . . . . . . . . . . . . . . . . . . 52

Configuring Local Address Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Local Address Pool Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Local Address Pool Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

SNMP Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Configuring a Local Address Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Configuring DHCP Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Creating an IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Single Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Multiple Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Configuring AAA Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Allowing or Denying Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Using Domain Name Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Manually Setting NAS-Port-Type Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Service-Description Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Using RADIUS Route-Download Server to Distribute Routes . . . . . . . . . . . . . . . . 69

Format of Downloaded Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Framed-Route (RADIUS attribute 22) . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Cisco-AVPair (Cisco VSA 26-1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

How the Route-Download Server Downloads Routes . . . . . . . . . . . . . . . . . . 70

Page 11

Table of Contents

Configuring the Route-Download Server to Download Routes . . . . . . . . . . . . 70

Using the AAA Logical Line Identifier to Track Subscribers . . . . . . . . . . . . . . . . . . 74

How the Router Obtains and Uses the LLID . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

RADIUS Attributes in Preauthentication Request . . . . . . . . . . . . . . . . . . . . . . 75

Considerations for Using the LLID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Configuring the Router to Obtain the LLID for a Subscriber . . . . . . . . . . . . . . 76

Troubleshooting Subscriber Preauthentication . . . . . . . . . . . . . . . . . . . . . . . . 79

Using VSAs for Dynamic IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Traffic Shaping for PPP over ATM Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Mapping Application Terminate Reasons to RADIUS Terminate Codes . . . . . . . . 82

Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Configuring Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Limiting Active Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Notifying RADIUS of AAA Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring Standard RADIUS IPv6Attributesfor IPv6 Neighbor Discovery Router

Advertisements and DHCPv6 Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . 88

Duplicate IPv6 Prefix Check Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Configuring Duplicate IPv6 Prefix Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Propagation of LAG Subscriber Information to AAA and RADIUS . . . . . . . . . . . . . 90

Configuring the SRC Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Retrieval of DSL Line Rate Information from Access Nodes Overview . . . . . . . . 100

DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview . . . . . . . . 101

DHCPv6 Prefix Delegation Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Order of Preference in Determining the Local Address Pool for Allocating

Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Order of Preference in Allocating Prefixes and Assigning DNS Addresses to

Requesting Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Configuring the DHCPv6 Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Limitation on the Number of Prefixes Used by Clients . . . . . . . . . . . . . . . . . . 107

Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links

Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Chapter 2 Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . . 111

Setting Baselines for Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Setting a Baseline for AAA Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Setting a Baseline for AAA Route Downloads . . . . . . . . . . . . . . . . . . . . . . . . . 113

Setting a Baseline for COPS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Setting a Baseline for Local Address Pool Statistics . . . . . . . . . . . . . . . . . . . . 113

Setting a Baseline for RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Setting the Baseline for SRC Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

How to Monitor PPP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Monitoring AAA Accounting Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Monitoring AAA Accounting Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Monitoring Accounting Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Monitoring Specific Virtual Router Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Monitoring the Default AAA Authentication Method List . . . . . . . . . . . . . . . . . . . 116

Monitoring Domain and Realm Name Delimiters . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Monitoring Mapping Between User Domains and Virtual Routers . . . . . . . . . . . . . 117

Monitoring Tunnel Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Page 12

JunosE 11.3.x Broadband Access Configuration Guide

Monitoring Routing Table Address Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Monitoring the AAA Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Monitoring IP Addresses of Primary and Secondary DNS and WINS Name

Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Monitoring AAA Profile Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Monitoring Statistics about the RADIUS Route-Download Server . . . . . . . . . . . . 121

Monitoring Routes Downloaded by the RADIUS Route-Download Server . . . . . . 123

Monitoring Chassis-Wide Routes Downloaded by RADIUS Route-Download

Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Monitoring Authentication, Authorization, and Accounting Statistics . . . . . . . . . 126

Monitoring the Number of Active Subscribers Per Port . . . . . . . . . . . . . . . . . . . . . 128

Monitoring the Maximum Number of Active Subscribers Per Virtual Router . . . . 128

Monitoring Session Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Monitoring Interim Accounting for Users on the Virtual Router . . . . . . . . . . . . . . 129

Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting . . . 129

Monitoring Configuration Information for AAA Local Authentication . . . . . . . . . . 130

Monitoring AAA Server Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Monitoring the COPS Layer Over SRC Connection . . . . . . . . . . . . . . . . . . . . . . . . 133

Monitoring Statistics About the COPS Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Monitoring Local Address Pool Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Monitoring Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Monitoring Local Address Pool Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Monitoring Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Monitoring the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Monitoring the B-RAS License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Monitoring the RADIUS Server Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Monitoring RADIUS Override Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Monitoring the RADIUS Rollover Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Monitoring RADIUS Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Monitoring RADIUS Services Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Monitoring RADIUS SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Monitoring RADIUS Accounting for L2TP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . 148

Monitoring RADIUS UDP Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Monitoring RADIUS Server IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router

Advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation . . . . . . . . 149

Monitoring Duplicate IPv6 Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Monitoring SRC Client Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Monitoring SRC Client Connection Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Monitoring the SRC Client Version Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Monitoring Subscriber Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Monitoring Application Terminate Reason Mappings . . . . . . . . . . . . . . . . . . . . . . 159

Monitoring IPv6 Local Pools for DHCP Prefix Delegation By All Configured

Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name . . . . . . . 162

Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation . . . . . . . . . . . . 163

Page 13

Table of Contents

Part 2 Managing RADIUS and TACACS+

Chapter 3 Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

RADIUS Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

RADIUS References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Subscriber AAA Access Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Supported RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Supported Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Subscriber AAA Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Supported RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Supported Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Tunnel Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

DSL Forum VSAs in AAA Access and Accounting Messages . . . . . . . . . . . . . . . . 186

CLI AAA Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

CLI Commands Used to Modify RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . 188

RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

[4] NAS-IP-Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

[5] NAS-Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

[8] Framed-IP-Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

[9] Framed-Ip-Netmask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

[13] Framed-Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

[22] Framed-Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

[25] Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

[30] Called-Station-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

[31] Calling-Station-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

[32] NAS-Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

[41] Acct-Delay-Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

[44] Acct-Session-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

[45] Acct-Authentic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

[49] Acct-Terminate-Cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

[50] Acct-Multi-Session-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

[51] Acct-Link-Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

[52] Acct-Input-Gigawords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

[53] Output-Gigawords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

[55] Event-Timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

[61] NAS-Port-Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

[64] Tunnel-Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

[65] Tunnel-Medium-Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

[66] Tunnel-Client-Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

[67] Tunnel-Server-Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

[68] Acct-Tunnel-Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

[77] Connect-Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

[82] Tunnel-Assignment-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

[83] Tunnel-Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

[87] NAS-Port-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

[90] Tunnel-Client-Auth-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Page 14

JunosE 11.3.x Broadband Access Configuration Guide

[91] Tunnel-Server-Auth-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

[96] Framed-Interface-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

[97] Framed-Ipv6-Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

[99] Framed-Ipv6-Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

[100] Framed-Ipv6-Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

[123] Delegated-Ipv6-Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

[188] Ascend-Num-In-Multilink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

All Tunnel Server Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Juniper Networks Vendor-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . 217

[26-1] Virtual-Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

[26-10] Ingress-Policy-Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

[26-11] Egress-Policy-Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

[26-14] Service-Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

[26-15] PCR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

[26-16] SCR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

[26-17] MBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

[26-24] Pppoe-Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

[26-35] Acct-Input-Gigapackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

[26-36] Acct-Output-Gigapackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

[26-44] Tunnel-Interface-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

[26-45] Ipv6-Virtual-Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

[26-46] Ipv6-Local-Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

[26-47] Ipv6-Primary-DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

[26-48] Ipv6-Secondary-DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

[26-51] Disconnect-Cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

[26-53] Service-Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

[26-55] DHCP-Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

[26-56] DHCP-MAC-Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

[26-57] DHCP-GI-Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

[26-62] MLPPP-Bundle-Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

[26-63] Interface-Desc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

[26-81] L2C-Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

[26-92] L2C-Up-Stream-Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

[26-93] L2C-Down-Stream-Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

[26-129] Ipv6-NdRa-Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

[26-141] Downstream-Calculated-Qos-Rate . . . . . . . . . . . . . . . . . . . . . 227

[26-142] Upstream-Calculated-Qos-Rate . . . . . . . . . . . . . . . . . . . . . . . 228

[26-143] Max-Clients-Per-Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

[26-150] ICR-Partition-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

All IPv6 Accounting Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

[26-159] DHCP-Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

ANCP-Related Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

DSL Forum Vendor-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Including or Excluding Attributes in RADIUS Messages . . . . . . . . . . . . . . . . . 234

Ignoring Attributes When Receiving Access-Accept Messages . . . . . . . . . . 234

Chapter 4 Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 237

RADIUS Dynamic-Request Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

RADIUS Dynamic-Request Server Platform Considerations . . . . . . . . . . . . . . . . 238

Page 15

Table of Contents

RADIUS Dynamic-Request Server References . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

How RADIUS Dynamic-Request Server Works . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

RADIUS-Initiated Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Disconnect Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Message Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Supported Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . 240

Qualifications for Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Configuring RADIUS-Initiated Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

RADIUS-Initiated Change of Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Change-of-Authorization Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Message Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Supported Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . 242

Qualifications for Change of Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Configuring RADIUS-Initiated Change of Authorization . . . . . . . . . . . . . . . . . . . . 244

RADIUS Dynamic-Request Server Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Monitoring RADIUS Dynamic-Request Servers . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Chapter 5 Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

RADIUS Relay Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

RADIUS Relay Server Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 248

RADIUS Relay Server References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

How RADIUS Relay Server Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Authentication and Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Terminating the Wireless Subscriber’s Connection . . . . . . . . . . . . . . . . . . . . 250

RADIUS Relay Server and the SRC Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Using the SRC Software for Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Using the SRC Application for Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Configuring RADIUS Relay Server Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Monitoring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Chapter 6 RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

DSL Forum VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Pass Through RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

RADIUS Attributes References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Chapter 7 Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

AAA Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

L2TP Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

PPP Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

RADIUS Client Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Chapter 8 Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Monitoring Override Settings of RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . 303

Monitoring the NAS-Port-Format RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . 304

Monitoring the Calling-Station-Id RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . 305

Page 16

JunosE 11.3.x Broadband Access Configuration Guide

Monitoring the NAS-Identifier RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . 305

Monitoring the Format of the Remote-Circuit-ID for RADIUS . . . . . . . . . . . . . . . 305

Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS . . . . . 306

Monitoring the Acct-Session-Id RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . 306

Monitoring the DSL-Port-Type RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . 306

Monitoring the Connect-Info RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Monitoring the NAS-Port-ID RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Monitoring Included RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Monitoring Ignored RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Setting the Baseline for RADIUS Dynamic-Request Server Statistics . . . . . . . . . 310

Monitoring RADIUS Dynamic-Request Server Statistics . . . . . . . . . . . . . . . . . . . 310

Monitoring the Configuration of the RADIUS Dynamic-Request Server . . . . . . . . 311

Setting a Baseline for RADIUS Relay Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Monitoring RADIUS Relay Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Monitoring the Configuration of the RADIUS Relay Server . . . . . . . . . . . . . . . . . . 314

Monitoring the Status of RADIUS Relay UDP Checksums . . . . . . . . . . . . . . . . . . 315

Monitoring the Status of ICR Partition Accounting . . . . . . . . . . . . . . . . . . . . . . . . 315

Chapter 9 Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

TACACS+ Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

AAA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Administrative Login Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Privilege Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

TACACS+ Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

TACACS+ References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Before You Configure TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Configuring TACACS+ Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Configuring Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Chapter 10 Monitoring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Setting Baseline TACACS+ Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Monitoring TACACS+ Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Monitoring TACACS+ Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Part 3 Managing L2TP

Chapter 11 L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

L2TP Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Implementing L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Packet Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

L2TP Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

L2TP Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Sequence of Events on the LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Sequence of Events on the LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

ERX7xx Models, ERX14xx Models, and the ERX310 Router . . . . . . . . . . . . . 340

E120 Router and E320 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Page 17

Table of Contents

Sessions and Tunnels Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

L2TP References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

Chapter 12 Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

LAC Configuration Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Modifying L2TP LAC Default Settings for Managing Destinations, Tunnels, and

Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Generating UDP Checksums in Packets to L2TP Peers . . . . . . . . . . . . . . . . . . . . 345

Specifying a Destruct Timeout for L2TP Tunnels and Sessions . . . . . . . . . . . . . 346

Preventing Creation of New Destinations, Tunnels, and Sessions . . . . . . . . . . . . 346

Preventing Creation of New Destinations, Tunnels, and Sessions on the

Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Preventing Creation of New Tunnels and Sessions at a Destination . . . . . . 347

Preventing Creation of New Sessions for a Tunnel . . . . . . . . . . . . . . . . . . . . 347

Specifying a Drain Timeout for a Disconnected Tunnel . . . . . . . . . . . . . . . . . 347

Shutting Down Destinations, Tunnels, and Sessions . . . . . . . . . . . . . . . . . . . . . . 347

Closing Existing and Preventing New Destinations, Tunnels, and Sessions

on the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Closing Existing and Preventing New Tunnels and Sessions for a

Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Closing Existing and Preventing New Sessions in a Specific Tunnel . . . . . . 348

Closing a Specific Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Specifying the Number of Retransmission Attempts . . . . . . . . . . . . . . . . . . . . . . 349

Configuring Calling Number AVP Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Calling Number AVP 22 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . 353

Configuring the Fallback Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Disabling the Calling Number AVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Mapping a User Domain Name to an L2TP Tunnel Overview . . . . . . . . . . . . . . . 358

Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel

Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel

Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Configuring the RX Speed on the LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

Managing the L2TP Destination Lockout Process . . . . . . . . . . . . . . . . . . . . . . . . 365

Modifying the Lockout Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Verifying That a Locked-Out Destination Is Available . . . . . . . . . . . . . . . . . . 367

Configuring a Lockout Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Unlocking a Destination that is Currently Locked Out . . . . . . . . . . . . . . . . . . 367

Starting an Immediate Lockout Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368

Managing Address Changes Received from Remote Endpoints . . . . . . . . . . . . . 368

Configuring LAC Tunnel Selection Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Configuring the Failover Between Preference Levels Method . . . . . . . . . . . 369

Configuring the Failover Within a Preference Level Method . . . . . . . . . . . . . 370

Configuring the Maximum Sessions per Tunnel . . . . . . . . . . . . . . . . . . . . . . . 371

Configuring the Weighted Load Balancing Method . . . . . . . . . . . . . . . . . . . . 371

Chapter 13 Configuring an L2TP LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

LNS Configuration Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Configuring an LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

Creating an L2TP Destination Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Page 18

JunosE 11.3.x Broadband Access Configuration Guide

Creating an L2TP Host Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Configuring the Maximum Number of LNS Sessions . . . . . . . . . . . . . . . . . . . . . . 378

Configuring the RADIUS Connect-Info Attribute on the LNS . . . . . . . . . . . . . . . . 379

Overriding LNS Out-of-Resource Result Codes 4 and 5 . . . . . . . . . . . . . . . . . . . . 379

Overriding the Result Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

Displaying the Current Override Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

Selecting Service Modules for LNS Sessions Using MLPPP . . . . . . . . . . . . . . . . 380

Assigning Bundled Group Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Overriding All Endpoint Discriminators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Enabling Tunnel Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Creating Persistent Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Testing Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Managing L2TP Destinations, Tunnels, and Sessions . . . . . . . . . . . . . . . . . . . . . 383

Configuring Disconnect Cause Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

Generating the Disconnect Cause AVP Globally . . . . . . . . . . . . . . . . . . . . . . 384

Generating the Disconnect Cause AVP with a Host Profile . . . . . . . . . . . . . 384

Enabling RADIUS Accounting for Disconnect Cause . . . . . . . . . . . . . . . . . . . 385

Displaying Disconnect Cause Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Configuring the Receive Window Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Configuring the Default Receive Window Size . . . . . . . . . . . . . . . . . . . . . . . 386

Configuring the Receive Window Size on the LAC . . . . . . . . . . . . . . . . . . . . 386

Configuring the Receive Window Size on the LNS . . . . . . . . . . . . . . . . . . . . . 387

Configuring Peer Resynchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Configuring Peer ResynchronizationforL2TP HostProfiles andAAA Domain

Map Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Configuring the Global L2TP Peer Resynchronization Method . . . . . . . . . . . 390

Using RADIUS to Configure Peer Resynchronization . . . . . . . . . . . . . . . . . . . 391

Configuring L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Applying the L2TP Tunnel Switch Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Configuring L2TP AVPs for Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Enabling Tunnel Switching on the Router . . . . . . . . . . . . . . . . . . . . . . . 394

Configuring L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . . . . . 394

Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps . . . 395

Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups . . 395

Applying Default L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . 396

Applying L2TP Tunnel Switch Profiles by Using RADIUS . . . . . . . . . . . . 397

Configuring the Transmit Connect Speed Calculation Method . . . . . . . . . . . . . . 397

Transmit Connect Speed Calculation Methods . . . . . . . . . . . . . . . . . . . . . . 398

Static Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Dynamic Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Actual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Transmit Connect Speed Calculation Examples . . . . . . . . . . . . . . . . . . . . . . 399

Example 1: L2TP Session over ATM 1483 Interface . . . . . . . . . . . . . . . . 399

Example 2: L2TP Session over Ethernet VLAN Interface . . . . . . . . . . . 400

Page 19

Table of Contents

Transmit Connect Speed Reporting Considerations . . . . . . . . . . . . . . . . . . . 401

Session Termination for Dynamic Speed Timeout . . . . . . . . . . . . . . . . . 401

Advisory Speed Precedence for VLANs over Bridged Ethernet . . . . . . . 401

Using AAA Domain Maps to Configure the Transmit Connect Speed

Calculation Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Using AAA Tunnel Groups to Configure the Transmit Connect Speed

Calculation Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Using AAA Default Tunnel Parameters to Configure the Transmit Connect

Speed Calculation Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Using RADIUS to Configure the Transmit Connect Speed Calculation

Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

PPP Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Stateful Line Module Switchover for LNS Sessions . . . . . . . . . . . . . . . . . . . . . . . 406

Chapter 14 Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

L2TP Dial-Out Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Network Model for Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Dial-Out Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Dial-Out Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Outgoing Call Setup Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Access-Request Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Access-Accept Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Outgoing Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Mutual Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Route Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

L2TP Dial-Out Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

L2TP Dial-Out References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Before You Configure L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Monitoring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

Chapter 15 L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Chapter 16 Monitoring L2TP and L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Monitoring the Mapping for User Domains and Virtual Routers with AAA . . . . . 425

Monitoring Configured Tunnel Groups with AAA . . . . . . . . . . . . . . . . . . . . . . . . . 428

Monitoring Configuration of Tunnel Parameters with AAA . . . . . . . . . . . . . . . . . 430

Monitoring Global Configuration Status on E Series Routers . . . . . . . . . . . . . . . . 431

Monitoring Detailed Configuration Information for Specified Destinations . . . . . 433

Monitoring Locked Out Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

Monitoring Configured Destination Profiles or Host Profiles . . . . . . . . . . . . . . . . 435

Monitoring Configured and Operational Status of all Destinations . . . . . . . . . . . 438

Monitoring Statistics on the Cause of a Session Disconnection . . . . . . . . . . . . . 438

Monitoring Detailed Configuration Information about Specified Sessions . . . . . 439

Page 20

JunosE 11.3.x Broadband Access Configuration Guide

Monitoring Configured and Operational Summary Status . . . . . . . . . . . . . . . . . . 441

Monitoring Configured Switch Profiles on Router . . . . . . . . . . . . . . . . . . . . . . . . . 441

Monitoring Detailed Configuration Information about Specified Tunnels . . . . . . 442

Monitoring Configured and Operational Status of All Tunnels . . . . . . . . . . . . . . 445

Monitoring Chassis-wide Configuration for L2TP Dial-out . . . . . . . . . . . . . . . . . 446

Monitoring Status of Dial-out Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Monitoring Dial-out Targets within the Current VR Context . . . . . . . . . . . . . . . . . 452

Monitoring Operational Status within the Current VR Context . . . . . . . . . . . . . . 453

Part 4 Managing DHCP

Chapter 17 DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

DHCP Overview Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

Session and Resource Control Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

DHCP Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

DHCP References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Configuring the DHCP Access Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Configuring DHCP Proxy Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Logging DHCP Packet Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Viewing and Deleting DHCP Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Chapter 18 DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Embedded DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

DHCP Local Server and Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . 465

Equal-Access Mode Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

Local Pool Selection and Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . 466

The Connection Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

Standalone Mode Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

Local Pool Selection and Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . 468

Server Management Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

DHCP Local Server Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

DHCP Local Server Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Chapter 19 Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Configuring the DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Basic Configuration of DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Limiting the Number of IP Addresses Supplied by DHCP Local Server . . . . 474

Excluding IP Addresses from Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . 475

Configuring DHCP Local Server to Support Creation of Dynamic Subscriber

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

Differentiating Between Clients with the Same Client ID or Hardware

Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

Logging Out DHCP Local Server Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . 477

Clearing an IP DHCP Local Server Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

Using SNMP Traps to Monitor DHCP Local Server Events . . . . . . . . . . . . . . 478

Using DHCP Local Server Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

Configuring DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

Basic Configuration of DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . 480

Linking Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Page 21

Table of Contents

Setting Grace Periods for Address Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Configuring AAA Authentication for DHCP Local Server Standalone Mode . . . . 483

Configuring the DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

Deleting DHCPv6 Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

Configuring the Router to Work with the SRC Software . . . . . . . . . . . . . . . . . . . . 487

Chapter 20 Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Configuring DHCP Relay and BOOTP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Enabling DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Removing Access Routes from Routing Tables and NVS . . . . . . . . . . . . . . . 492

Treating All Packets as Originating at Trusted Sources . . . . . . . . . . . . . . . . . 493

Assigning the Giaddr to Source IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Protecting Against Spoofed Giaddr and Relay Agent Option Values . . . . . . 493

Using the Broadcast Flag Setting to Control Transmission of DHCP Reply

Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

Interaction with Layer 2 Unicast Transmission Method . . . . . . . . . . . . . 495

Preventing DHCP Relay from Installing Host Routes by Default . . . . . . . . . 496

Configuration Example—Preventing Installation of Host Routes . . . . . 496

Including Relay Agent Option Values in the PPPoE Remote Circuit ID . . . . . 497

Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Configuring Layer 2 Unicast Transmission Method for Reply Packets to

DHCP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Using Option 60 Strings to Forward Client Traffic to Specific DHCP

Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

ConfigurationExample—UsingDHCP Relay Option 60 toSpecify Traffic

Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

Relaying DHCP Packets That Originate from a Cable Modem . . . . . . . . . . . 502

Configuring Relay Agent Option 82 Information . . . . . . . . . . . . . . . . . . . . . . 502

Preventing Option 82 Information from Being Stripped from Trusted Client

Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Configuring Relay Agent Information Option (Option 82) Suboption

Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Format of the JunosE Data Field in the Vendor-Specific Suboption for

Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

Using the set dhcp relay agent sub-option Command to Enable Option

82 Suboption Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

Configuration Example—Using DHCP Relay Option 82 to Pass IEEE

802.1p Values to DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

Using the set dhcp relay agent Command to Enable Option 82

Suboption Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

Rate of DHCP Client Packets Processed by DHCP Relay Overview . . . . . . . . . . . 514

Manually Configuring the Maximum Rate of Client Packets Processed Per

Second by DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

Configuring the Rate of Client Packets Processed by DHCP Relay . . . . . . . . . . . . 515

Configuring DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Enabling DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Use the First Offer from a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Set a Timeout for DHCP Client Renewal Messages . . . . . . . . . . . . . . . . . . . . 516

Page 22

JunosE 11.3.x Broadband Access Configuration Guide

Managing Host Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Selecting the DHCP Server Response . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Behavior for Bound Clients and Address Renewals . . . . . . . . . . . . . . . . 517

Chapter 21 Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 519

DHCP External Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Preservation of Dynamic Subscriber Interfaces with DHCP External Server

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

DHCP External Server Identification of Clients with Duplicate MAC Addresses

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

Configuration Guidelines for Using Duplicate MAC Mode . . . . . . . . . . . . . . . 523

Restrictions for Using Duplicate MAC Mode to Manage Clients . . . . . . . . . . 523

DHCP External Server Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . 524

Enabling and Disabling the DHCP External Server Application . . . . . . . . . . . . . . 524

Monitoring DHCP Traffic Between Remote Clients and DHCP Servers . . . . . . . . 524

Synchronizing the DHCP External Application and the Router . . . . . . . . . . . . . . 525

Configuring Interoperation with Ethernet DSLAMs . . . . . . . . . . . . . . . . . . . . . . . . 525

Configuring the DHCP External Server to Support the Creation of Dynamic

Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

Configuring DHCP ExternalServerto Control Preservation ofDynamic Subscriber

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay

and DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528

Deleting Clients from a Virtual Router’s DHCP Binding Table . . . . . . . . . . . . . . . 529

Configuring DHCP External Server to Uniquely Identify Clients with Duplicate

MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

Configuring DHCP External Server to Re-Authenticate Auto-Detected Dynamic

Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

Chapter 22 Monitoring and Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Setting Baselines for DHCP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Setting a Baseline for DHCP Relay and Relay Proxy . . . . . . . . . . . . . . . . . . . 534

Setting a Baseline for DHCP Proxy Server Statistics . . . . . . . . . . . . . . . . . . . 534

Setting a Baseline for DHCP External Server Statistics . . . . . . . . . . . . . . . . . 534

Setting a Baseline for DHCP Local Server Statistics . . . . . . . . . . . . . . . . . . . 535

Monitoring Addresses Excluded from DHCP Local Server Use . . . . . . . . . . . . . . 535

Monitoring DHCP Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536

Monitoring DHCP Binding Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536

Monitoring DHCP Binding Count Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

Monitoring DHCP Binding Host Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

Monitoring DHCP Bindings (Displaying IP Address-to-MAC Address

Bindings) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543

Monitoring DHCP Bindings (Displaying DHCP Bindings Based on Binding ID) . . 544

Monitoring DHCP Bindings (Local Server Binding Information) . . . . . . . . . . . . . 545

Monitoring DHCP External Server Configuration Information . . . . . . . . . . . . . . . 546

Monitoring DHCP External Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547

Monitoring DHCP External Server Duplicate MAC Address Setting . . . . . . . . . . . 548

Monitoring DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549

Monitoring DHCP Local Server Authentication Information . . . . . . . . . . . . . . . . . 551

Monitoring DHCP Local Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552

Page 23

Table of Contents

Monitoring DHCP Local Server Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553

Monitoring DHCP Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

Monitoring DHCP Option 60 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557

Monitoring DHCP Packet Capture Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

Monitoring DHCP Relay Configuration Information . . . . . . . . . . . . . . . . . . . . . . . 559

Monitoring DHCP Relay Proxy Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560

Monitoring DHCP Relay Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562

Monitoring DHCP Server and DHCP Relay Agent Statistics . . . . . . . . . . . . . . . . . 565

Monitoring DHCP Server and Proxy Client Information . . . . . . . . . . . . . . . . . . . . 566

Monitoring DHCPv6 Local Server Binding Information . . . . . . . . . . . . . . . . . . . . . 567

Monitoring DHCPv6 Local Server DNS Search Lists . . . . . . . . . . . . . . . . . . . . . . . 567

Monitoring DHCPv6 Local Server DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . 568

Monitoring DHCPv6 Local Server Prefix Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . 568

Monitoring DHCPv6 Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569

Monitoring Duplicate MAC Addresses Use By DHCP Local Server Clients . . . . . 570

Monitoring the Maximum Number of Available Leases . . . . . . . . . . . . . . . . . . . . . 571

Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local

Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572

Monitoring Status of DHCP Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

Part 5 Managing the Subscriber Environment

Chapter 23 Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

Subscriber Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

Subscriber Management Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . 578

Subscriber Management Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

Dynamic IP Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

Subscriber Management Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

Configuring Subscriber Management with an External DHCP Server . . . . . 580

Subscriber Management Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

Subscriber Management Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . 588

Username with ATM Circuit Identifier and No Circuit Type . . . . . . . . . . . . . . 589

Username with VLAN Circuit Identifier and Circuit Type . . . . . . . . . . . . . . . 589

Username with MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590

Chapter 24 Monitoring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Monitoring IP Service Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Monitoring Active IP Subscribers Created by Subscriber Management . . . . . . . . 592

Chapter 25 Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

Subscriber Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

Dynamic Interfaces and Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . 596

Relationship to Shared IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

Relationship to Primary IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

Ethernet Interfaces and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598

Moving Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Preventing IP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Policies and QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Page 24

JunosE 11.3.x Broadband Access Configuration Guide

Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Directing Traffic Toward Special Local Content . . . . . . . . . . . . . . . . . . . 599

Differentiating Traffic for VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600

Subscriber Interfaces Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 601

Interface Specifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

Subscriber Interfaces References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

Dynamic Creation of Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

DHCP Local Server and Address Allocation . . . . . . . . . . . . . . . . . . . . . . 603

DHCP External Server and Address Allocation . . . . . . . . . . . . . . . . . . . 603

DHCP Relay Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Supported Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Packet Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604

Designating Traffic for the Primary IP Interface . . . . . . . . . . . . . . . . . . . . . . 605

Using Framed Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605

Inheritance of MAC Address Validation State for Dynamic Subscriber

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605

How MAC Address Validation State Inheritance Works . . . . . . . . . . . . 605

Configuration of MAC Address Validation State Inheritance . . . . . . . . 606

Verification of MAC Address Validation State Inheritance . . . . . . . . . . 606

Configuring Static Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607

Using a Destination Address to Demultiplex Traffic . . . . . . . . . . . . . . . . . . . 607

Using a Source Address to Demultiplex Traffic . . . . . . . . . . . . . . . . . . . . . . . 609

Configuring Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613

Configuring Dynamic Subscriber Interfaces over Ethernet . . . . . . . . . . . . . . 614

Configuring Dynamic Subscriber Interfaces over VLANs . . . . . . . . . . . . . . . . 614

Configuring Dynamic Subscriber Interfaces over Bridged Ethernet . . . . . . . 616

Configuring Dynamic Subscriber Interfaces over GRE Tunnels . . . . . . . . . . . 617

Dynamic Subscriber Interface Configuration Example . . . . . . . . . . . . . . . . . 618

Chapter 26 Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Monitoring Subscriber Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Monitoring Active IP Subscribers Created by Subscriber Management . . . . . . . 628

Part 6 Managing Subscriber Services

Chapter 27 Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Service Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Service Manager Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Service Manager References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Service Manager Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637

Referencing Policies in Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642

Service Manager Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

Creating Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

Managing Your Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640

Page 25

Table of Contents

Referencing QoS Configurations in Service Definitions . . . . . . . . . . . . . . . . . . . . 642

Specifying QoS Profiles in a Service Definition . . . . . . . . . . . . . . . . . . . . . . . 642

Configuring a QoS Profile for Service Manager . . . . . . . . . . . . . . . . . . . 643

Specifying QoS Profiles in a Service Definition . . . . . . . . . . . . . . . . . . . 643

Specifying QoS Parameter Instances in a Service Definition . . . . . . . . . . . . 644

Creating a Parameter Instance in a Profile . . . . . . . . . . . . . . . . . . . . . . . 644

Specifying QoS Parameter Instances in a Service Definition . . . . . . . . 645

Modifying QoS Configurations with Service Manager . . . . . . . . . . . . . . . . . 646

Modifying Parameter Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646

Modifying QoS Configurations in a Single Service Manager Event . . . . 647

Modifying QoS Configurations Using Other Sources . . . . . . . . . . . . . . . 648

Removing QoS Configurations Referenced by Service Manager . . . . . . . . . 649

QoS for Service Manager Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

RADIUS or Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Interoperability with Other Service Components . . . . . . . . . . . . . . . . . 650

QoS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Configuring the Service Manager License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Managing and Activating Service Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651

Using RADIUS to Manage Subscriber Service Sessions . . . . . . . . . . . . . . . . . . . . 652

Using RADIUS to Activate Subscriber Service Sessions . . . . . . . . . . . . . . . . 653

Service Manager RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653

Using Tags with RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

Using RADIUS to Deactivate Service Sessions . . . . . . . . . . . . . . . . . . . . . . . 657

Setting Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

Using the Deactivate-Service Attribute . . . . . . . . . . . . . . . . . . . . . . . . . 658

Using Mutex Groups to Activate and Deactivate Subscriber Services . . . . . . . . . 658

Activating and Deactivating Multiple Services . . . . . . . . . . . . . . . . . . . . . . . 659

Configuring a Mutex Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

Combined andIndependent IPv4 andIPv6 Servicesin a Dual Stack Overview. . 660

Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack . . . . . . . 662

Independent IPv4 and IPv6 Services in a Dual Stack . . . . . . . . . . . . . . . . . . 662

Combined IPv4 and IPv6 Service in a Dual Stack . . . . . . . . . . . . . . . . . . . . . 662

PerformanceImpact on theRouterand Compatibility with Previous Releases

for an IPv4 and IPv6 Dual Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663

Configuring RADIUS Accounting for Service Manager . . . . . . . . . . . . . . . . . . . . . 663

Configuring Service Interim Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664

Service Interim Accounting for IPv4 and IPv6 Services in a Dual Stack

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668

Using the CLI to Manage Subscriber Service Sessions . . . . . . . . . . . . . . . . . . . . 669

Using the CLI to Activate Subscriber Service Sessions . . . . . . . . . . . . . . . . . 669

Preprovisioning Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

Using Service Session Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

Using the CLI to Deactivate Subscriber Service Sessions . . . . . . . . . . . . . . . 675

Gracefully Deactivating Subscriber Service Sessions . . . . . . . . . . . . . . 675

Forcing Immediate Deactivation of Subscriber Service Sessions . . . . . 676

Using Service Session Profiles to Deactivate Service Sessions . . . . . . . 677

Page 26

JunosE 11.3.x Broadband Access Configuration Guide

Configuring Service Manager Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677

Setting Up the Service Definition File for Statistics Collection . . . . . . . . . . . 677

Enabling Statistics Collection with RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . 679

Enabling Statistics Collection with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 679

External Parent Group Statistics Collection Setup . . . . . . . . . . . . . . . . . . . . 680

Service Manager Performance Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

Service Definition Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682

Tiered Service Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682

Video-on-Demand Service Definition Example . . . . . . . . . . . . . . . . . . . . . . 683

Voice-over-IP Service Definition Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 683

Guided Entrance Service Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684

Guided Entrance Service Definition Example . . . . . . . . . . . . . . . . . . . . . 685

Using CoA Messages with Guided Entrance Services . . . . . . . . . . . . . . 686

Configuring the HTTP Local Server to Support Guided Entrance . . . . . 687

Combined IPv4 and IPv6 Service in a Dual Stack Example . . . . . . . . . . . . . 692

Chapter 28 Monitoring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697

Setting a Baseline for HTTP Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . 697

Monitoring the Connections to the HTTP Local Server . . . . . . . . . . . . . . . . . . . . 698

Monitoring the Configuration of the HTTP Local Server . . . . . . . . . . . . . . . . . . . 698

Monitoring Statistics for Connections to the HTTP Local Server . . . . . . . . . . . . 699

Monitoring Profiles for the HTTP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 700

Monitoring the Default Interval for Interim Accounting of Services . . . . . . . . . . . 701

Monitoring the Status of the Service Manager License . . . . . . . . . . . . . . . . . . . . . 701

Monitoring Profiles for Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702

Monitoring IPv4 and IPv6 Interfaces for Service Manager . . . . . . . . . . . . . . . . . . 703

Monitoring Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713

Monitoring Service Session Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714

Monitoring Active Owner Sessions with Service Manager . . . . . . . . . . . . . . . . . . . 715

Monitoring Active Subscriber Sessions with Service Manager . . . . . . . . . . . . . . . 718

Monitoring the Number of Active Subscriber and Service Sessions with

Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

Part 7 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725

Page 27

List of Figures

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Figure 1: Local Address Pool Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Figure 2: Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Figure 3: Single PPP Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . 59

Figure 4: Multiple PPP Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . 60

Part 2 Managing RADIUS and TACACS+

Chapter 4 Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 237

Figure 5: Sample Remote Access Network Using RADIUS . . . . . . . . . . . . . . . . . . 238

Chapter 5 Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Figure 6: RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Part 3 Managing L2TP

Chapter 11 L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Figure 7: Using the E Series Router as an LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Figure 8: Using the E Series Router as an LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Chapter 12 Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Figure 9: Lockout States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Chapter 14 Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Figure 10: Network Model for Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Part 4 Managing DHCP

Chapter 18 DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Figure 11: Non-PPP Equal Access via the Router . . . . . . . . . . . . . . . . . . . . . . . . . 468

Chapter 19 Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Figure 12: Non-PPP Equal-Access Configuration Example . . . . . . . . . . . . . . . . . 488

Chapter 20 Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Figure 13: Passing 802.1p Values to the DHCP Server . . . . . . . . . . . . . . . . . . . . . 509

Chapter 21 Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 519

Figure 14: DHCP External Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

Part 5 Managing the Subscriber Environment

Chapter 23 Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

Page 28

JunosE 11.3.x Broadband Access Configuration Guide

Figure 15: DHCP External Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

Chapter 25 Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

Figure 16: Example of a Dynamic Interface Stack . . . . . . . . . . . . . . . . . . . . . . . . 596

Figure 17: Example of a Dynamic Subscriber Interface . . . . . . . . . . . . . . . . . . . . . 597

Figure 18: Subscriber Interfaces over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . 598

Figure 19: Subscriber Interfaces in a Cable Modem Network . . . . . . . . . . . . . . . 600

Figure 20: Associating Subnets with a VPN Using Subscriber Interfaces . . . . . . 601

Figure 21: IP over Ethernet Dynamic Subscriber Interface Configuration . . . . . . 604

Figure 22: Subscriber Interfaces Using a Destination Address to Demultiplex

Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608

Figure 23: Subscriber Interfaces Using a Source Address to Demultiplex

Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610

Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration . . . . . . . 614

Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

Figure 26: IP over Bridged Ethernet over ATM Dynamic Subscriber Interface

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

Figure 27: GRE Tunnel Dynamic Subscriber Interface Configuration . . . . . . . . . . 618

Part 6 Managing Subscriber Services

Chapter 27 Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Figure 28: Service Manager Configuration Flowchart . . . . . . . . . . . . . . . . . . . . . . 637

Figure 29: Sample Service Definition Macro File . . . . . . . . . . . . . . . . . . . . . . . . . 640

Figure 30: QoS Configuration Dependency Chain . . . . . . . . . . . . . . . . . . . . . . . . 649

Figure 31: Comparing RADIUS Login and RADIUS CoA Methods . . . . . . . . . . . . . 652

Figure 32: Guided Entrance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685

Figure 33: Input Traffic Flow with Rate-Limit Profile on an External Parent Group

for a Combined IPv4/IPv6 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693

Figure 34: Output Traffic Flow with Rate-Limit Profile on an External Parent

Group for a Combined IPv4/IPv6 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 693

Page 29

List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Table 3: Username and Domain Name Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Table 4: Local UDP Port Ranges by RADIUS Request Type . . . . . . . . . . . . . . . . . . 19

Table 5: RADIUS IETF Attributes in Preauthentication Request . . . . . . . . . . . . . . . 75

Table 6: VSAs That Apply to Dynamic IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 79

Table 7: Traffic-Shaping VSAs That Apply to Dynamic IP Interfaces . . . . . . . . . . . 81

Table 8: Supported RADIUS Acct-Terminate-Cause Codes . . . . . . . . . . . . . . . . . . 82

Table 9: RADIUS Attributes Specifying LAG Interface . . . . . . . . . . . . . . . . . . . . . . 92

Table 10: SRC Client and COPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Chapter 2 Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . . 111

Table 11: show aaa accounting Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Table 12: show aaa accounting vr-group Output Fields . . . . . . . . . . . . . . . . . . . . . 116

Table 13: show aaa domain-map Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Table 14: show aaa profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Table 15: show aaa route-download Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 122

Table 16: show aaa route-download routes Output Fields . . . . . . . . . . . . . . . . . . 124

Table 17: show aaa route-download routes global Output Fields . . . . . . . . . . . . . 125

Table 18: show aaa statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Table 19: show configuration category aaa global-attributes Output Fields . . . . 130

Table 20: show configuration category aaa local-authentication Output

Table 21: show configuration category aaa server-attributes include-defaults

Table 22: show cops info Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Table 23: show cops statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Table 24: show ip local alias Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Table 25: show ip local pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Table 26: show ip local shared-pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . 140

Table 27: show radius override Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Table 28: show radius servers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Table 29: show radius statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Table 30: show sscc info Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Table 31: show sscc statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Table 32: show subscribers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Page 30

JunosE 11.3.x Broadband Access Configuration Guide

Table 33: show terminate-code Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Table 34: show ipv6 local pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Table 35: show ipv6 local pool poolName Output Fields . . . . . . . . . . . . . . . . . . . 162

Table 36: show ipv6 local pool statistics Output Fields . . . . . . . . . . . . . . . . . . . . 164

Part 2 Managing RADIUS and TACACS+

Chapter 3 Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Table 37: AAA Access Message RADIUS IETF Attributes Supported . . . . . . . . . . 170

Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs

Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Table 39: AAA Accounting Message RADIUS IETF Attributes Supported . . . . . . . 179

Table 40: AAA Accounting Message Juniper Network (Vendor ID 4874) VSAs

Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Table 41: AAA Accounting Tunnel Message RADIUS Attributes Supported . . . . . 185

Table 42: DSL Forum (Vendor ID 3561) VSAs Supported in AAA Access and

Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Table 43: CLI AAA Access Message RADIUS Attributes Supported . . . . . . . . . . . 187

Table 44: ANCP (L2C)-Related Keywords for radius include Command . . . . . . . 231

Chapter 4 Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 237

Table 45: Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . . . . . 240

Table 46: Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . . . . . 242

Chapter 5 Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Table 47: Required RADIUS Access-Request Attributes . . . . . . . . . . . . . . . . . . . 249

Table 48: Required RADIUS Accounting Attributes . . . . . . . . . . . . . . . . . . . . . . . 250

Chapter 6 RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Table 49: RADIUS IETF Attributes Supported by JunosE Software . . . . . . . . . . . 255

Table 50: Juniper Networks (Vendor ID 4874) VSA Formats . . . . . . . . . . . . . . . . 262

Table 51: JunosE Software DSL Forum (Vendor ID 3561) VSA Formats . . . . . . . . 273

Table 52: RADIUS Attribute Passed Through by JunosE Software . . . . . . . . . . . . 274

Chapter 7 Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Table 53: Default AAA Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Table 54: Default L2TP Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Table 55: Default PPP Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Table 56: Default RADIUS Client Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Chapter 8 Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Table 57: show radius override Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Table 58: show radius attributes-included Output Fields . . . . . . . . . . . . . . . . . . 309

Table 59: show radius dynamic-request statistics Output Fields . . . . . . . . . . . . . 311

Table 60: show radius dynamic-request servers Output Fields . . . . . . . . . . . . . . 312

Table 61: show radius relay statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . 313

Table 62: show radius relay servers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 314

Table 63: show radius relay udp-checksum Output Fields . . . . . . . . . . . . . . . . . . 315

Chapter 9 Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Table 64: TACACS-Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Table 65: TACACS+ Accounting Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

Page 31

List of Tables

Chapter 10 Monitoring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Table 66: show statistics tacacs Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 330

Table 67: show tacacs Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Part 3 Managing L2TP

Chapter 11 L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Table 68: L2TP Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Chapter 13 Configuring an L2TP LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Table 69: L2TP-Resynch-Method RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . 391

Table 70: Transmit Connect Speeds for L2TP over ATM 1483 Example . . . . . . . 400

Table 71: Transmit Connect Speeds for L2TP over Ethernet Example . . . . . . . . 400

Table 72: Tunnel--Tx-Speed-Method RADIUS Attribute . . . . . . . . . . . . . . . . . . . 404

Chapter 14 Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Table 73: L2TP Dial-Out Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Table 74: Chassis Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Table 75: Virtual Router Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Table 76: Target Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Table 77: Session Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

Table 78: Additions to RADIUS Attributes in Access-Accept Messages . . . . . . . . 415

Chapter 15 L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Table 79: PPP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Chapter 16 Monitoring L2TP and L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Table 80: show aaa domain-map Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 426

Table 81: show aaa tunnel-group Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 428

Table 82: show aaa tunnel-parameters Output Fields . . . . . . . . . . . . . . . . . . . . 430

Table 83: show l2tp Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

Table 84: show l2tp destination Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Table 85: show l2tp destination lockout Output Fields . . . . . . . . . . . . . . . . . . . . 435

Table 86: show l2tp destination profile Output Fields . . . . . . . . . . . . . . . . . . . . . 436

Table 87: show l2tp destination summary Output Fields . . . . . . . . . . . . . . . . . . 438

Table 88: show l2tp received-disconnect-cause-summary Output Fields . . . . . 439

Table 89: show l2tp session Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440

Table 90: show l2tp session summary Output Fields . . . . . . . . . . . . . . . . . . . . . . 441

Table 91: show l2tp switch-profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 442

Table 92: show l2tp tunnel Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443

Table 93: show l2tp tunnel summary Output Fields . . . . . . . . . . . . . . . . . . . . . . 445

Table 94: show l2tp dial-out Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447

Table 95: show l2tp dial-out session Output Fields . . . . . . . . . . . . . . . . . . . . . . . 451

Table 96: show l2tp dial-out target Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 453

Table 97: show l2tp dial-out virtual-router Output Fields . . . . . . . . . . . . . . . . . . 454

Part 4 Managing DHCP

Chapter 18 DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Table 98: Local Pool Selection in Equal-Access Mode . . . . . . . . . . . . . . . . . . . . . 467

Page 32

JunosE 11.3.x Broadband Access Configuration Guide

Table 99: Local Pool Selection in Standalone Mode Without AAA

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Table 100: Local Pool Selection in Standalone Mode with AAA

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Chapter 20 Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Table 101: Router Configuration and Transmission of DHCP Reply Packets . . . . 495

Table 102: Effect of Commands on Option 82 Suboption Settings . . . . . . . . . . . 504

Chapter 22 Monitoring and Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Table 103: show ip dhcp-local excluded Output Fields . . . . . . . . . . . . . . . . . . . . 535

Table 104: show dhcp binding Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

Table 105: show dhcp count Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

Table 106: show dhcp host Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543

Table 107: show ip dhcp-external binding Output Fields . . . . . . . . . . . . . . . . . . . 544

Table 108: show ip dhcp-external binding-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545

Table 109: show ip dhcp-local binding Output Fields . . . . . . . . . . . . . . . . . . . . . 546

Table 110: show ip dhcp-external configuration Output Fields . . . . . . . . . . . . . . . 547

Table 111: show ip dhcp-external statistics Output Fields . . . . . . . . . . . . . . . . . . . 547

Table 112: show dhcp-external Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548

Table 113: show ip dhcp-local pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 550

Table 114: show ip dhcp-local auth Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 552

Table 115: show ip dhcp-local Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553

Table 116: show ip dhcp-local leases Output Fields . . . . . . . . . . . . . . . . . . . . . . . 554

Table 117: show ip dhcp-local statistics output fields. . . . . . . . . . . . . . . . . . . . . . 555

Table 118: show dhcp vendor-option Output Fields . . . . . . . . . . . . . . . . . . . . . . . 558

Table 119: show ip dhcp-capture Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 558

Table 120: show dhcp relay Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559

Table 121: show dhcp relay proxy statistics Output Fields . . . . . . . . . . . . . . . . . . . 561

Table 122: show dhcp relay statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . 563

Table 123: show dhcp server statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . 565

Table 124: show dhcp server Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566

Table 125: show ipv6 dhcpv6-local binding Output Fields . . . . . . . . . . . . . . . . . . 567

Table 126: show ipv6 dhcpv6-local dns-domain-searchlist Output Fields . . . . . 568

Table 127: show ipv6 dhcpv6-local dns-servers Output Fields . . . . . . . . . . . . . . 568

Table 128: show ipv6 dhcpv6-local prefix-lifetime Output Fields . . . . . . . . . . . . 569

Table 129: show ipv6 dhcpv6-local statistics Output Fields . . . . . . . . . . . . . . . . 569

Table 130: show ip dhcp-local duplicate-clients Output Fields . . . . . . . . . . . . . . 570

Table 131: show ip dhcp-local limits Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 572

Table 132: show ip dhcp-local reserved Output Fields . . . . . . . . . . . . . . . . . . . . . 573

Table 133: show dhcp summary Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

Part 5 Managing the Subscriber Environment

Chapter 24 Monitoring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Table 134: show ip service-profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Table 135: show ip-subscriber Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593

Chapter 26 Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Table 136: show ip demux interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 627

Page 33

List of Tables

Table 137: show ip-subscriber Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629

Part 6 Managing Subscriber Services

Chapter 27 Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Table 138: Service Manager Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 634

Table 139: JunosE Objects Tracked by Service Manager . . . . . . . . . . . . . . . . . . . 638

Table 140: Sample Modifications Using the Add and Initial-Value Keywords . . . 646

Table 141: Sample Modifications Using Parameter Instances . . . . . . . . . . . . . . . 647

Table 142: Configuration Within a Single Service Manager Event . . . . . . . . . . . . 647

Table 143: Modifying QoS Configurations with Other Sources . . . . . . . . . . . . . . 648

Table 144: Service Manager RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 654

Table 145: Sample RADIUS Access-Accept Packet . . . . . . . . . . . . . . . . . . . . . . . 655

Table 146: Using Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

Table 147: Service Manager RADIUS Accounting Attributes . . . . . . . . . . . . . . . . 664

Table 148: Determining the Service Interim Accounting Interval . . . . . . . . . . . . . 665

Table 149: Sample Acct-Start Message for a Service Session . . . . . . . . . . . . . . . 666

Table 150: RADIUS-Enabled Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679

Table 151: Deactivating a Guided Entrance Service . . . . . . . . . . . . . . . . . . . . . . . . 687

Chapter 28 Monitoring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697

Table 152: show ip http scalar Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698

Table 153: show ip http server Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699

Table 154: show ip http statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 700

Table 155: show profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701

Table 156: show aaa service accounting interval Output Fields . . . . . . . . . . . . . . 701

Table 157: show license service-management Output Fields . . . . . . . . . . . . . . . 702

Table 158: show profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702

Table 159: show ip interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705

Table 160: show ipv6 interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708

Table 161: show service-management service-definition Output Fields . . . . . . . . 714

Table 162: show service-management service-session-profile Output Fields . . . 715

Table 163: show service-management owner-session Output Fields . . . . . . . . . 716

Table 164: show service-management subscriber-session Output Fields . . . . . . 719

Table 165: show service-management summary Output Fields . . . . . . . . . . . . . . 721

Page 34

JunosE 11.3.x Broadband Access Configuration Guide

Page 35

About the Documentation

•

E Series and JunosE Documentation and Release Notes on page xxxv

•

Audience on page xxxv

•

E Series and JunosE Text and Syntax Conventions on page xxxv

•

Obtaining Documentation on page xxxvii

•

Documentation Feedback on page xxxvii

•

Requesting Technical Support on page xxxvii

E Series and JunosE Documentation and Release Notes

For a list of related JunosE documentation, see

http://www.juniper.net/techpubs/software/index.html .

If the information in the latest release notes differs from the information in the documentation, follow the JunosE Release Notes.

To obtain the most current version of all Juniper Networks®technical documentation, see the product documentation page on the Juniper Networks website at

http://www.juniper.net/techpubs/.

Audience

This guide is intended for experienced system and network specialists working with Juniper Networks E SeriesBroadband Services Routers in an Internet access environment.

E Series and JunosE Text and Syntax Conventions

Table 1 on page xxxvi defines notice icons used in this documentation.

Page 36

JunosE 11.3.x Broadband Access Configuration Guide

Table 1: Notice Icons

Table 2 on page xxxvi defines text and syntax conventions that we use throughout the E Series and JunosE documentation.

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Table 2: Text and Syntax Conventions

Representscommandsand keywordsin text.Bold text like this

Fixed-width text like this

Italic text like this

Plus sign (+) linking key names

Syntax Conventions in the Command Reference Guide

Representsinformationas displayedon your terminal’s screen.

•

Emphasizes words.

•

Identifies variables.

•

Identifies chapter, appendix, and book names.

keys simultaneously.

ExamplesDescriptionConvention

•

Issue the clock source command.

•

Specify the keyword exp-msg.

host1(config)#traffic class low-loss1Represents text that the user must type.Bold text like this

host1#show ip ospf 2

Routing Process OSPF 2 with Router ID 5.5.0.250

Router is an Area Border Router (ABR)

•

There are two levels of access: user and privileged.

•

clusterId, ipAddress.

•

Appendix A, System Specifications

Press Ctrl + b.Indicates that you must press two or more

terminal lengthRepresents keywords.Plain text like this

mask, accessListNameRepresents variables.Italic text like this

Page 37

Table 2: Text and Syntax Conventions (continued)

About the Documentation

ExamplesDescriptionConvention

| (pipe symbol)

or variable to the left or to the right of this symbol. (The keyword or variable can be either optional or required.)

[ ]* (brackets and asterisk)

that can be entered more than once.

Represent required keywords or variables.{ } (braces)

Obtaining Documentation

To obtain the most current version of all Juniper Networks technical documentation, see the Technical Documentation page on the Juniper Networks Web site at

http://www.juniper.net/.

To download complete sets of technical documentation to create your own documentation CD-ROMs or DVD-ROMs, see the Portable Libraries page at

http://www.juniper.net/techpubs/resources/index.html

diagnostic | lineRepresents a choice to select one keyword

[ internal | external ]Represent optional keywords or variables.[ ] (brackets)

[ level1 | level2 | l1 ]*Represent optional keywords or variables

{ permit | deny } { in | out }

{ clusterId | ipAddress }

Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site athttp://www.juniper.net/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation to better meet your needs. Send your comments to

techpubs-comments@juniper.net, or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include

the following information with your comments:

•

Document or topic name

•

URL or page number

•

Software release version

Requesting Technical Support

Technical productsupport isavailable through theJuniper NetworksTechnical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

Page 38

JunosE 11.3.x Broadband Access Configuration Guide

or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verifyservice entitlement by product serialnumber, use ourSerial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html .

Page 39

PART 1

Managing Remote Access

•

Configuring Remote Access on page 3

•

Monitoring and Troubleshooting Remote Access on page 111

Page 40

JunosE 11.3.x Broadband Access Configuration Guide

Page 41

CHAPTER 1

Configuring Remote Access

This chapter describes how to configure remote access to an Juniper Networks E Series Broadband Services Router. This chapter discusses the following topics:

•

Remote Access Overview on page 4

•

Remote Access Platform Considerations on page 5

•

Remote Access References on page 6

•

Before You Configure B-RAS on page 6

•

Remote Access Configuration Tasks on page 6

•

Configuring a B-RAS License on page 7

•

Mapping a User Domain Name to a Virtual Router on page 8

•

Setting Up Domain Name and Realm Name Usage on page 12

•

Specifying a Single Name for Users from a Domain on page 16

•

Configuring RADIUS Authentication and Accounting Servers on page 18

•

Configuring Local Authentication Servers on page 39

•

Configuring Tunnel Subscriber Authentication on page 49

•

Configuring Name Server Addresses on page 50

•

Configuring Local Address Servers on page 52

•

Configuring DHCP Features on page 59

•

Creating an IP Interface on page 59

•

Configuring AAA Profiles on page 61

•

Using RADIUS Route-Download Server to Distribute Routes on page 69

•

Using the AAA Logical Line Identifier to Track Subscribers on page 74

•

Using VSAs for Dynamic IP Interfaces on page 79

•

Mapping Application Terminate Reasons to RADIUS Terminate Codes on page 82

•

Configuring Timeout on page 85

•

Limiting Active Subscribers on page 87

•

Notifying RADIUS of AAA Failure on page 87

•

Configuring Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation on page 88

Page 42

JunosE 11.3.x Broadband Access Configuration Guide

•

Duplicate IPv6 Prefix Check Overview on page 89

•

Configuring Duplicate IPv6 Prefix Check on page 90

•

Propagation of LAG Subscriber Information to AAA and RADIUS on page 90

•

Configuring the SRC Client on page 92

•

Retrieval of DSL Line Rate Information from Access Nodes Overview on page 100

•

DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview on page 101

•

Configuring the DHCPv6 Local Address Pools on page 105

•

Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links Example on page 108

Remote Access Overview

Broadband Remote Access Server (B-RAS) is an application running on your router that:

•

Aggregates the output from digital subscriber line access multiplexers (DSLAMs)

•

Providesuser Point-to-Point Protocol (PPP) sessionsor IP-over-AsynchronousTransfer Mode (ATM) sessions

B-RAS Data Flow

•

Enforces quality of service (QoS) policies

•

Routes traffic into an Internet service provider’s (ISP’s) backbone network

A DSLAM collects data traffic from multiple subscribers into a centralized point so that it can be uploaded to the router over an ATM connection via a DS3, OC3, E3, or OC12 link.

The router provides the logical termination for PPP sessions, as well as the interface to authentication and accounting systems.

The router performs several tasks for a digital subscriber line (DSL) PPPuser to establish a PPP connection. This is an example of the way B-RAS data might flow:

1. Authenticate the subscriber using RADIUS authentication.

2. Assign an IP addressto the PPP/IP session via RADIUS,localaddress pools, orDynamic

Host Configuration Protocol (DHCP).

3. Terminate the PPP encapsulation or tunnel a PPP session.

4. Provide user accounting via RADIUS.

NOTE: For information about configuring RADIUS attributes see

“Configuring RADIUS Attributes” on page 167.

Configuring IP Addresses for Remote Clients

A remote client can obtain an IP address from one of the following:

Page 43

AAA Overview

Chapter 1: Configuring Remote Access

•

RADIUS server

•

Local address server

•

DHCP proxy client and server

•

DHCP relay agent (Bridged IP only)

•

DHCP local server

•

DHCP external server

For information about configuring DHCP support on the E Series router, see “DHCP Overview” on page 457.

For information about how to configure a RADIUS server, see your RADIUS server documentation.

Collectively, authentication, authorization, and accounting are referred to as AAA. Each has an important but separate function.

•

Authentication—Determines whothe user is,then determines whether that user should be granted access to the network. The primary purpose is to prevent intruders from networks. It uses a database of users and passwords.

•

Authorization—Determines what the user is allowed to do by giving network managers the ability to limit network services to different users.

•

Accounting—Tracks what the user did and when they did it. You can use accounting for an audit trail or for billing for connection time or resources used.

Central management of AAA means the information is in a single, centralized, secure database, which is much easier to administer than information distributed across numerous devices.

Remote Access Platform Considerations

B-RAS services are supported on all E Series routers.

For information about the modules supported on E Series routers:

•

See the ERXModuleGuide for modulessupportedon ERX7xx models,ERX14xx models, and the ERX310 Broadband Services Router.

•

See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.

B-RAS Protocol Support

The E Series router supports the following protocols for B-RAS services:

•

PPP

•

PPP over Ethernet (PPPoE)

Page 44

JunosE 11.3.x Broadband Access Configuration Guide

•

Bridged Ethernet

•

Layer 2 Tunneling Protocol (L2TP), both L2TP access concentrator (LAC) and L2TP network server (LNS)

Remote Access References

For more information about the topics covered in this chapter, see the following documents:

•

RFC 2748—The COPS (Common Open Policy Service) Protocol (January 2000)

•

RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)

•

RFC 3084—COPS Usage for Policy Provisioning (COPS-PR) (March 2001)

•

RFC 3159—Structure of Policy Provisioning Information (SPPI) (August 2001)

•

RFC 3198—Terminology for Policy-Based Management (November 2001)

•

RFC 3317—Differentiated Services Quality of Service Policy Information Base (DIFFSERV-PIB)

•

RFC 3318—Framework Policy Information Base (March 2003)

JunosE Release Notes, Appendix A, System Maximums—Refer to the Release Notes corresponding to your software release for information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers.

Before You Configure B-RAS

Before you begin to configure B-RAS, you need to collect the following information for the RADIUS authentication and accounting servers:

•

IP addresses

•

User Datagram Protocol (UDP) port numbers

•

Secret keys

Remote Access Configuration Tasks

Each configuration task is presented in a separate section in this chapter. Most of the B-RAS configuration tasks are optional.

To configure B-RAS, perform the following tasks:

1. Configure a B-RAS license.

2. (Optional) Map a user domain name to a virtual router. By default, all requests go

through a default router.

3. (Optional) Set up domain name and realm name usage.

4. (Optional) Specify a single name for users from a domain.

Page 45

Chapter 1: Configuring Remote Access

5. Configure an authentication server on the router.

6. (Optional) Configure UDP checksums.

7. (Optional) Configure an accounting server on the router.

8. (Optional) Configure Domain Name System (DNS) and Windows Internet Name

Service (WINS) name server addresses.

9. (Optional) Configure a local address pool for remote clients.

10. (Optional) Configure one or more DHCP servers.

11. Create a PPP interface on which the router can dynamically create an IP interface.

12. (Optional) Configure AAA profiles.

13. (Optional) Use vendor-specific attributes (VSAs) for Dynamic Interfaces.

14. (Optional) Set idle or session timeout.

15. (Optional) Limit the number of active subscribers on a virtual router (VR) or port.

16. (Optional) Set up the router to notify RADIUS when a user fails AAA.

17. (Optional) Configure a RADIUS download server on the router.

18. (Optional) Configure the Session and Resource Control (SRC) client (formerly the

SDX client).

19. (Optional) Set baselines for AAA statistics or RADIUS authentication and accounting

statistics.

Configuring a B-RAS License

From Global Configuration mode, configure a B-RAS license:

host1(config)#license b-ras k3n91s6gvtj

B-RAS licenses are available in various sizes to enable subscriber access for up to one of the following maximum number of simultaneous active IP, LAC, and bridged Ethernet interfaces:

•

4000

•

8000

•

16,000

•

32,000

•

48,000

license b-ras

NOTE: To use a B-RAS license for 16,000 or more interfaces, each of your SRP modules must have 1 gigabyte (GB) of memory.

Page 46

JunosE 11.3.x Broadband Access Configuration Guide

• Use to specify the B-RAS license.

• The license is a unique string of up to 15 alphanumeric characters.

NOTE: Acquire the license from Juniper NetworksCustomerServiceor your Juniper Networks sales representative.

• You can purchase licenses that allow up to 2,000, 4,000, 8,000, 16,000, 32,000, or

48,000 simultaneous active IP, LAC, and bridged Ethernet interfaces.

• Example

host1(config)#license b-ras jwmR4k8D

• Use the no version to disable the license.

• See license b-ras

Mapping a User Domain Name to a Virtual Router

You can configure RADIUS authentication, accounting, and local address pools for a specific virtual router and then map a user domain to that virtual router.

The router keeps track of the mapping between domain names and virtual-routers. Use the aaa domain-map command to map a user domain to a virtual router.

NOTE: This domain name is not the NT domain sometimes found on the

Dialup Networking dialog box.

When the router is configured to require authentication of a PPP user, the router checks for the appropriate user domain-name-to-virtual-router mapping. If it finds a match, the router sends a RADIUS authentication request to the RADIUS server configured for the specific virtual router.

Mapping User Requests Without a Valid Domain Name

You can create a mapping between a domain name called default and a specific virtual router so that the router can map user names that contain a domain name that does not have an explicit map.

If a user request is submitted with a domain name for which the router cannot find a match, the router looks for a mapping between the domain name default and a virtual router. If a match is found, theuser’s request isprocessed according to the RADIUS server configuredfor the named virtual router.If noentry is foundthat maps default to a specific virtual router, theroutersends therequest to theRADIUS server configured on the default virtual router.

Page 47

Mapping User Requests Without a Configured Domain Name

You can map a domain name called none to a specific virtual router so that the router can map user names that do not contain a domain name.

If a user request is submitted without a domain name, the router looks for a mapping betweenthe domainname noneand avirtual router.If amatchis found, the user’s request is processed according to the RADIUS server configured for the named virtual router. If the router does not find the domain name none, it checks for the domain name default. If no matching entries are found, the router sends the request to the server configured on the default virtual router.

Using DNIS

The E Series router supports dialed number identification service (DNIS). With DNIS, if users have a called number associated with them, the router searches the domain map for the called number. If it finds a match, the router uses the matching domain mapentry information to authenticate the user. If the router does not find a match, it searches the domain map using normal processing.

Chapter 1: Configuring Remote Access

For example, as specified in the following sequence, a user calling 9785551212 would be terminated in vrouter_88, while a user calling 8005554433 is terminated in vrouter_100.

host1(config)#aaa domain-map 9785551212 vrouter_88 host1(config)#aaa domain-map 8005554433 vrouter_100

Redirected Authentication

Redirected authentication provides a way to offload AAA activity on the router, by providing the domain-mapping-like feature remotely on the RADIUS server. Redirected authentication works as follows:

1. The router sends an authentication request (in the form of a RADIUS access-request

message) to the RADIUS server that is configured in the default VR.

2. The RADIUSserver determines theuser’s AAA VR context and returnsthis information

in a RADIUS response message to the router.

3. The router then behaves in similar fashion as if it had received the VR context from

the local domain map.

NOTE: For DNIS to work, the router must be acting as the LNS. Also, the

phone number configured in the aaa domain-map command must be an exact match to the value passed by L2TP in the called number AVP (AVP

21).

To maintain local control, the only VR allowed to redirect authentication is the default VR. Also, to prevent loopbacks, the redirection may occur only once to a non-default VR.

To maintain flexibility, the redirection response may include idle timeor sessionattributes that are considered as default unless the redirectedauthenticationserver overrides them.

Page 48

JunosE 11.3.x Broadband Access Configuration Guide

For example, if the RADIUS server returns the VR context along with an idle timeout attribute with the value set to 20 minutes, the router uses this idle timeout value unless the RADIUS server configured in the VR context returns a different value.

Since the router supports the RADIUS User-Name attribute [1] in the RADIUS response message, the default VR RADIUS server may override the user’s name (this can be a stripped name or an entirely different name). Overriding is useful for the case when the user enters alogin name containing a domain name that is significant only to the RADIUS server in the default VR.

IP Hinting

You can allocate an address before authentication of PPP sessions. This address is included in the Access-Request sent to the authentication server as an IP address hint.

aaa domain-map

• Use to map a user domain name to a virtual router or a loopback interface.

• When youspecify only thedomain name,the commandsets the mode to Domain Map

Configuration.

auth-router-name

• Example

host1(config)#aaa domain-map juniper.net vrouter_1 host1(config)#aaa domain-map none vrouter_all_purpose host1(config)#aaa domain-map default vrouter_all_purpose host1(config)#aaa domain-map 8005558934 vrouter_78 host1(config)#aaa domain-map westford.com host1(config-domain-map)#

• Use the no version to delete the map entry.

• See aaa domain-map

• Use to assign an access virtual router to a domain map.

• AAA domain map support for IPv4 enables you to provide additional virtual router

assignment capabilities for IPv4 subscribers. If you assign a value other than default to a layer 2 virtual router, then theaccess, IPv4, and IPv6virtual routers areall assigned the same value, which cannot be changed. If you use RADIUS redirect to assign virtual routers, you can assign access, IPv4, and IPv6 to the redirection target.

• Example

host1(config)#aaa domain-map xyz.com host1(config-domain-map)#auth-router-name accessvr

• Use the no version to restore the default router.

• See auth-router-name

ip-hint

Page 49

ip-router-name

Chapter 1: Configuring Remote Access

• Use to preallocate an IP address for the remote B-RAS user before authenticating the

remote user.

• The address is passed as a hint in the authentication request.

• Example

host1(config-domain-map)#ip-hint enable

• Use the no version to disable the feature.

• See ip-hint

• Use to assign an IPv4 virtual router to a domain map.

• AAA domain map support for IPv4 enables you to provide additional virtual router

ipv6-local-interface

ipv6-router-name

• Example

host1(config)#aaa domain-map xyz.com host1(config-domain-map)#ip-router-name ipv4vr

• Use the no version to restore the default router.

• See ip-router-name

• Use to map a user domain name to an IP version 6 (IPv6) loopback interface.

• The local interface identifies the interface information to use on the local (E Series)

side of the subscriber’s interface.

• Example

host1(config)#aaa domain-map westford.com host1(config-domain-map)#ipv6-local-interface 2001:db8::8000

• Use the no version to delete the entry.

• See ipv6-local-interface

• Use to map a user domain name to an IPv6 virtual router in Domain Map Configuration

mode.

• Example

host1(config)#aaa domain-map westford.com host1(config-domain-map)#ipv6-router-name vroutv6

• Use the no version to delete the entry.

• See ipv6-router-name

Page 50

JunosE 11.3.x Broadband Access Configuration Guide

local-interface

• Use to map a user domain name to a loopback interface.

• The local interface identifies the interface information to use on the local (E Series)

side of the subscriber’s interface.

• Example

host1(config)#aaa domain-map westford.com host1(config-domain-map)#local-interface 10.10.5.30

• Use the no version to delete the entry.

• See local-interface

router-name

• Use to map a user domain name to a virtual router.

• Example

host1(config)#aaa domain-map westford.com host1(config-domain-map)#router-name vrout

• Use the no version to delete the entry.

• See router-name

Setting Up Domain Name and Realm Name Usage

To provide flexibility in how the router handles different types ofusernames, thesoftware lets you specify the part of a username to use as the domain name, how the domain name is designated, and how the router parses names. It also allows you to set whether or notthe router strips the domain name from theusername before it sendsthe username to the RADIUS server.

By default, the router parses usernames as follows:

realmName/personalName@domainName

The string to the left of the forward slash (/) is the realm name, and the string to the right of the at-symbol (@) is the domain name. For example, in the username juniper/jill@abc.com, juniper is the realm name and abc.com is the domain name.

The router allows you to:

•

Use the realm name as the domain name.

•

Use delimiters other than / to designate the realm name.

•

Use delimiters other than @ to designate the domain name.

•

Use either the domain or the realm as the domain name when the username contains both a realm and domain name.

•

Change the direction in which the router searches for the domain name or the realm name.

Page 51

To provide these features, the router allows you to specify delimiters for the domain name andrealm name. You canuse upto eightone-characterdelimiters each for domain and realm names. The router also lets you specify how it parses usernames to determine which part of a username to use as the domain name.

Using the Realm Name as the Domain Name

Typically, a realm appears before the user field and is separated with the / character; for example, usEast/jill@abc.com. To use the realm name usEast rather than abc.com as the domain name, set the realm name delimiter to /. For example:

host1(config)#aaa delimiter realmName /

This command causes therouter to use the string to the leftof the / as the domain name. If the realm name delimiter is null (the default), the router will not search for the realm name.

Using Delimiters Other Than @

You can set up the router to recognize delimiters other than @ to designate the domain name. Suppose there are two users: bob@abc.com and pete!xyz.com, and you want to use both of their domain names. In this case you would set the domain name delimiter to @ and !. For example:

Chapter 1: Configuring Remote Access

host1(config)#aaa delimiter domainName @!

Using Either the Domain or the Realm as the Domain Name

If the username contains both a realm name and a domain name delimiter, you can use either thedomain nameor therealmname as thedomain name. Aspreviouslymentioned, the router treats usernames with multiple delimiters as though the realm name is to the left of the realm delimiter and the domain name is to the right of the domain delimiter.

If you set the parse order to:

•

domain-first—The router searches for a domain name first. For example, for username usEast/lori@abc.com, the domain name is abc.com.

•

realm-first—The router searches for a realm name first and uses the realm name as the user’s domain name. For username usEast/lori@abc.com, the domain is usEast.

For example, if you set the delimiter for the realm name to / and set the delimiter for the domain name to @, the router parses the realm first by default. The username usEast/lori@abc.com results in a domain name of usEast. To cause the parsing to return abc.com as the domain, enter the aaa parse-order domain-first command.

Specifying the Domain Name or Realm Name Parse Direction

You can specify the direction—either left to right or right to left—in which the router performs the parsing operation when identifying the realm name or domain name. This feature is particularly useful if the username contains nested realm or domain names. For example,for a username of userjohn@abc.com@xyz.com, youcan identify thedomain as either abc.com@xyz.com or as xyz.com, depending on the parse direction that you specify.

Page 52

JunosE 11.3.x Broadband Access Configuration Guide

You use either the left-to-right or right-to-left keywords with one of the following keywords to specify the type of search and parsing that the router performs:

•

domainName—The router searches for thenext domain delimitervaluein thedirection specified. When it reaches a delimiter, the router uses anything to the right of the delimiter as the domain name. Domain parsing is from right to left by default.

•

realmName—The router searches for the next realm delimiter value in the direction specified. When it reaches a delimiter, the router usesanything to the leftof thedelimiter as the realm name. Realm parsing is from left to right by default.

•

Example

host1(config)#aaa parse-direction domainName left-to-right

Stripping the Domain Name

The router provides feature that strips the domain name from the username before it sends the name to the RADIUS server in an Access-Request message. You can enable or disable this feature using the strip-domain command.

aaa delimiter

aaa parse-direction

By default, the domainname isthe text afterthe last @ character. However, if youchanged the domainname parsing usingthe aaadelimiter,aaa parse-order, or aaa parse direction commands, therouter strips the domain name anddelimiter that result fromthe parsing.

Use to configure delimiters for the domain and realm names. Specify one of the

•

following keywords:

• domainName—Configures domain name delimiters. The default domain name

delimiter is @.

• realmName—Configures realm name delimiters. The default realm name delimiter

is NULL (no character). In this case, realm parsing is disabled (having no delimiter disables realm parsing).

• You can specify up to eight delimiters each for domain name and realm name.

• Example

host1(config)#aaa delimiter domainName @*/

• Use the no version to return to the default.

• See aaa delimiter

Use to specify the direction the router uses to parse the username for the domain or

•

realm name.

• domainName—Specifies that the domain name is parsed. The router performs

domain parsing from right to left by default.

• realmName—Specifies that the realm name is parsed. The router performs realm

parsing from left to right by default.

Page 53

aaa parse-order

Chapter 1: Configuring Remote Access

• left-to-right—Router searches from theleft-most character. When therouter reaches

a realm delimiter, it uses anything to the left of the delimiter as the domain. When the router reaches a domain delimiter, it uses anything to the right of the delimiter as the domain.

• right-to-left—Router searches from the right-most character. When the router

reaches a realm delimiter, it uses anything to the left of the delimiter as the domain. When the router reaches a domain delimiter, it uses anything to the right of the delimiter as the domain.

• Example

host1(config)#aaa parse-direction domainName left-to-right

• Use the no version to return to the default: right-to-left parsing for domain names and

left-to-right parsing for realm names.

• See aaa parse-direction

strip-domain

Use to specifywhich partof ausername therouter uses asthe domain name. If a user’s

•

name contains both a realm name and a domain name, you can configure the router to use either name as the domain name.

• domain-first—Router searches for a domain name first. When the router reaches a

domain delimiter, it uses anything to the right of the delimiter as the domain name. For example, if the username is usEast/lori@abc.com, the domain name is abc.com. If the router does not find a domain name, it then searches for a realm name if the realm delimiter is specified.

• realm-first—Routersearchesfora realm namefirst.When the router reaches a realm

delimiter, it uses anything to the left of the delimiter as the domain. For example, if the usernameis usEast/lori@abc.com, thedomain nameis usEast. Ifno realm name is found, the router searches for a domain name.

• Example

host1(config)#aaa parse-order domain-first

• Use the no version to return to the default, realm first.

• See aaa parse-order

• Use to strip the domain name from the username before sending an access-request

message to the RADIUS server.

• By default, the domain name is the text after the last @ character. However, if you

change the domain name parsing by using the aaa delimiter, aaa parse-order, or parse-direction command, the routerstrips thedomain nameand delimiterthat result

from the parsing.

• To stop stripping the username, use the disable keyword.

• Example

Page 54

JunosE 11.3.x Broadband Access Configuration Guide

host1(config)#aaa domain-map xyz.com host1(config-domain-map)#strip-domain enable

• Use the no version to return to the default, disabled.

• See strip-domain

Domain Name and Realm Name Examples

This section provides examples of possible domain or realm name results that you might obtain, depending on the commands and options you specify. This example uses the following username:

username: usEast/userjohn@abc.com@xyz.com

The router is configured with the following commands:

host1(config)#aaa delimiter domainName @! host1(config)#aaa delimiter realmName /

Table 3 on page 16 shows the username and domain name that result from the parsing action of the various commands.

Table 3: Username and Domain Name Examples

right-to-left

left-to-right

right-to-left

left-to-right

Specifying a Single Name for Users from a Domain

Assigning asingleusername anda single passwordfor all usersassociated with a domain provides better compatibility with some RADIUS servers. You can use this feature for domains that require the router to tunnel, but not terminate, PPP sessions.

Resulting Domain NameResulting UsernameCommand

usEastuserjohn@abc.com@xyz.comaaa parse-order realm-first

xyz.comuserjohn@abc.comaaa parse-order domain-first

xyz.comuserjohn@abc.comaaa parse-direction domainName

abc.com@xyz.comuserjohnaaa parse-direction domainName

usEastuserjohn@abc.com@xyz.comaaa parse-direction realmName

When users request a PPP session, they specify usernames and passwords. During the negotiations for the PPP session, the router authenticates legitimate users.

Page 55

Chapter 1: Configuring Remote Access

NOTE: This feature works only for users authenticated by Password

Authentication Protocol (PAP) and not by Challenge Handshake Authentication Protocol (CHAP).

If you configure this feature,the routersubstitutes the specified username and password for all authenticated usernames and passwords associated with that domain.

There are two options for this feature. The router can:

•

Substitute the domain name for each username and one new password for each existing password.

For example, if the domain name is xyz.com and youspecify thepassword xyz_domain, the router associates the username xyz.com and the password xyz_domain with all users from xyz.com.

•

Substitute one new username for each username and one new password for each existing password.

aaa domain-map

override-user

For example, if the domain name is xyz.com and you specify the username xyz_group and the password xyz_domain, the router associates these identifiers with all users from xyz.com.

To use a single username and a single password for all users from a domain:

1. Access Domain Map Configuration mode using the aaa domain-map command.

2. Specify the new username and password using the override-user command.

• Use to map a domain name to a virtual router or to access Domain Map Configuration

mode.

• Example

host1(config)#aaa domain-map xyz.com host1(config-domain-map)#

• Use the no version to delete the map entry.

• See aaa domain-map

• Use to specify a single username and single password for all users from a domain in

place of the values received from the remote client.

• Use only for domains that require the router to tunnel and not terminate PPP sessions.

• If youspecify apassword only, the router substitutes thedomain namefor the username

and associates the new password with the user. If you specify a password only and you have configured the domain name none with the aaa domain-map command, the router rejects any users without domain names.

Page 56

JunosE 11.3.x Broadband Access Configuration Guide

• If you specify a name and password, the router associates both the new name and

password with the user.

• Example

host1(config-domain-map)#override-user name boston password abc

• Use the no version to revert to the original username.

• See override-user

Configuring RADIUS Authentication and Accounting Servers

The number of RADIUS servers you can configure depends on available memory.

The order in which youconfigure servers determines the order in which the router contacts those servers on behalf of clients.

Initially, aRADIUS client sends a requestto a RADIUS authentication or accountingserver. The RADIUS server uses the configured IP address, the UDP port number, and the secret key to make the connection. The RADIUS client waits for a response for a configurable timeout period and then retransmits the request. The RADIUS client retransmits the request for a user-configurable retry limit.

Server Access

•

If there is no response from the primary RADIUS server, the RADIUS client submits the request to the secondary RADIUS server using the timeout period and retry limit configured for the secondary RADIUS server.

•

If the connection attempt fails for the secondary RADIUS server, the router submits the request to the tertiary server and so on until it either is granted access on behalf of the client or there are no more configured servers.

•

If another authentication server is not configured, the routerattemptsthe nextmethod in the method list; for accounting server requests, the information is dropped.

For example, suppose that you have configured the following authentication servers: Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an authentication request to Auth1. If Auth1 is unavailable, the router submits the request to Auth2, then Auth3, and so on until an available server is found. If Auth5, the last configured authenticationserver,is notavailable, the router attemptsthe next methodin themethods list. If the only method configured is RADIUS, then the router notifies the client that the request has been denied.

The router offers two options by which servers are accessed:

•

Direct—The first authentication or accounting server that you configure is treated as the primary authentication or accounting server, the next server configured is the secondary, and so on.

•

Round-robin—The first configured server is treated as a primary for the first request, the second server configured as primary for the second request, and so on. When the

Page 57

router reaches the end of the list of servers, it starts again at the top of the list until it comes full cycle through the list.

Use the radius algorithm command to specify the server access method.

When you configure the first RADIUS accounting server, a RADIUS Acct-On message is sent. When you delete the last accounting server, a RADIUS Acct-Off message is sent.

Server Request Processing Limit

You can configure RADIUS authentication servers andaccounting servers to use different UDP ports on the router. This enables the same IP address to be used for both an authentication server and an accounting server. However, you cannot use the same IP address for multiple authentication servers or for multiple accounting servers.rs.

NOTE: For information about the number of concurrent RADIUS requests

that the router supports for authentication and accountingservers, see JunosE Release Notes, Appendix A, System Maximums.

Chapter 1: Configuring Remote Access

The E Seriesrouterlistens to arangeof UDP source(orlocal)ports for RADIUS responses. Each UDP source port supports a maximum of 255 RADIUS requests. When the 255 per-port limit is reached, the router opens the next source port. When the max-sessions command limit is reached, the router submits the request to the next configured server.

Table 4 on page 19 lists the range of UDP ports the router uses for each type of RADIUS request.

Table 4: Local UDP Port Ranges by RADIUS Request Type

Authentication and Accounting Methods

When you configure AAA authentication and accounting services for your B-RAS environment, one important task isto specify the authentication andaccountingmethod used. The JunosE Software gives you the flexibility to configure authentication or accounting methods based on the type of subscriber. This feature allows you to enable RADIUS authentication for some subscribers, while disabling authentication completely for othersubscribers. Similarly, you can enableRADIUS accounting for some subscribers, but noaccounting for others.For example, you mightuse RADIUS authentication for ATM

ERX310, ERX710, ERX1410, and E120 Broadband Services RoutersRADIUS Request Type

ERX1440 and E320 Broadband Services Routers

50000–5012450000–50124RADIUS authentication

50125–5049950125–50249RADIUS accounting

50500–5062450250–50374RADIUS preauthentication

50625–5074950375–50500RADIUS route-download

Page 58

JunosE 11.3.x Broadband Access Configuration Guide

1483 subscribers, while granting IP subscriber management interfaces access without authentication (using the none keyword).

You can specify the authentication or accounting method you want to use, or you can specify multiple methods in the order in which you want them used. For example, if you specify theradiuskeywordfollowed by thenone keyword when configuringauthentication, AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication. The JunosE Software currently supports radius and none as accounting methods and radius, none, and local as authentication methods. See “Configuring Local Authentication Servers” on page 39 for information about local authentication.

You can configure authentication and accounting methods based on the following types of subscribers:

•

ATM 1483

•

Tunnels (for example, L2TP tunnels)

•

PPP

•

RADIUS relay server

•

IP subscriber management interfaces

NOTE: IP subscriber management interfaces are static or dynamic

interfacesthatare created or managed by the JunosE Software’s subscriber management feature.

Supporting Exchange of Extensible Authentication Protocol Messages

Extensible Authentication Protocol (EAP) is a protocol that supports multiple methods for authenticating a peer before allowing network layer protocols to transmit over the link. JunosE Software supports the exchange of EAP messages between JunosE applications, such as PPP, and an external RADIUS authentication server.

The JunosE Software’s AAA service accepts and passes EAP messages between the JunosE application and the router’s internal RADIUS authentication server. The internal RADIUS authentication server, which is a RADIUSclient, provides EAP pass-through—the RADIUS client accepts the EAP messages from AAA, and sends the messages to the external RADIUS server for authentication. The RADIUS client then passes the response from the external RADIUS authentication server back to the AAA service, which then sends a response to the JunosE application. The AAA service and the internal RADIUS authenticationservice do not process EAPinformation—bothsimply act as pass-through devices for the EAP message.

The router’s local authentication server and TACACS+ authentication servers do not support theexchangeof EAP messages. These typeof servers denyaccessif theyreceive an authentication request from AAA that includes an EAP message. EAP messages do not affect the none authentication configuration, which always grants access.

Page 59

Chapter 1: Configuring Remote Access

The local RADIUS authentication server uses the following RADIUS attributes when exchanging EAP messages with the external RADIUS authentication server:

•

Framed-MTU (attribute 12)—Used if AAA passes an MTU value to the internal RADIUS client

•

State (attribute 24)—Used in Challenge-Response messages from the external server and returned to the external server on the subsequent Access-Request

•

Session-Timeout (attribute 27)—Used in Challenge-Response messages from the external server

•

EAP-Message (attribute 79)—Used to fragment EAP strings into 253-byte fragments (the RADIUS limit)

•

Message-Authenticator (attribute 80)—Used to authenticate messages that include an EAP-Message attribute

For additionalinformation on configuring PPP to use EAP authentication, seeJunosE Link Layer Configuration Guide .

Immediate Accounting Updates

You can use the aaa accounting immediate-update command to configure immediate accountingupdateson aper-VR basis. If you enable this feature, theE Series router sends an Acct-Update message to the accounting server immediately on receipt of a response (ACK or timeout) to the Acct-Start message.

This feature is disabled by default. Use theenable keyword to enableimmediate updates and the disable keyword to halt them.

The accounting update contains 0 (zero) values for the input/output octets/packets and 0 (zero) for uptime. If you have enabled duplicate or broadcast accounting, the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context.

Duplicate and Broadcast Accounting

Normally, the JunosE Software sends subscriber-related AAA accounting information to the virtual router that authenticates the subscriber. If an operational virtual router is configured that is different from the authenticationrouter, it also receives the accounting information. You can optionally configure duplicate or broadcast AAA accounting, which sends the accounting information to additional virtual routers simultaneously. The accounting information continues to be sent to the authenticating virtual router, but not to the operational virtual router.

Both the duplicate and broadcast accounting features are supported on a per-virtual router context, and enable you to specify particular accounting servers that you want to receive the accounting information.

For example, you might use broadcast accounting to send accounting information to a group of your private accounting servers. Or you might use duplicate accounting to send the accounting information to a customer’s accounting server.

Page 60

JunosE 11.3.x Broadband Access Configuration Guide

•

Duplicate accounting—Sends the accounting information to a particular virtual router

•

Broadcastaccounting—Sendsthe accountinginformation to a groupof virtual routers. An accountingvirtual router groupcan contain uptofour virtual routers and theE Series router supports a maximum of 100 virtual router groups. The accounting information continues to be sent to the duplicate accounting virtual router, if one is configured.

Configuring AAA Duplicate Accounting

To configure and enable duplicate accounting on a virtual router, you use the aaa accounting duplication command with the name of the accounting server that will

receive the information. For example, to enable duplicate accounting for the default virtual router:

host1(config)#aaa accounting duplication xyzCompanyServer

Configuring AAA Broadcast Accounting

To configure and enable broadcast accounting on a virtual router:

1. Create the virtual router group and enter VR Group Configuration mode:

host1(config)#aaa accounting vr-group groupXyzCompany host1(vr-group-config)#

2. Add up to four virtual routers to the group. The accounting information will be sent to

all virtual routers in the group.

host1(vr-group-config)#aaa virtual-router 1 vrXyz1 host1(vr-group-config)#aaa virtual-router 2 vrXyz2 host1(vr-group-config)#aaa virtual-router 3 vrXyz3 host1(vr-group-config)#exit host1(config)#

3. Enable broadcast accounting. Enter the correct virtual router context, and specify the

virtual router group whose virtual routers will receive the accounting information.

host1(config)#virtual-router opVr100 host1:opVr100(config)#aaa accounting broadcast groupXyzCompany

Overriding AAA Accounting NAS Information

AAA accounting packets normally include two RADIUS attributes—NAS-IP-Address [4] and NAS-Identifier [32]—of the virtual router that generates the accounting information. You can override the default configuration and specify that accounting packets from particular broadcastvirtual routers insteadinclude theNAS-IP-Address andNAS-Identifier attributes of the authenticating virtual router.

To overridethe normalAAA accounting NAS information, access the correct virtualrouter context, and use the radius override nas-info command. For example:

host1(config)#virtual-router vrXyz1 host1:vrXyz1(config)#radius override nas-info host1:vrXyz1(config)#virtual-router vrXyz2 host1:vrXyz2(config)#radius override nas-info host1:vrXyz3(config)#exit host1(config)#

Page 61

UDP Checksums

Each virtual router on which you configure B-RAS is enabled to perform UDP checksums by default. You can disable and reenable UDP checksums.

Collecting Accounting Statistics

You can use the aaa accounting statistics command to specify how the AAA server collects statistics on the sessions it manages. Use the volume-time keyword to specify that AAA notifies applications to collect a full set of statistics from each of their connections. Use the time keyword to specify that only the uptime status is collected for each connection. Collecting only uptimeinformationreducesthe amountof data sent to AAA and is a more efficient use of system resources for customers that do not need a full set of statistics. The router collects a full set of statistics by default.

Configuring RADIUS AAA Servers

The number of RADIUS servers you cansure configure depends on available memory. The router has an embedded RADIUS client for authentication and accounting.

Chapter 1: Configuring Remote Access

NOTE: You can configure B-RAS with RADIUS accounting, but without

RADIUS authentication. In this configuration, the username and password on the remote end are not authenticated and can be set to any value.

You must assign an IP address to a RADIUS authentication or accounting server to configure it.

If you do not configure a primary authentication or accounting server, all authentication and accounting requests will fail. You can configure other servers as backup in the event that the primary server cannot be reached. Configure each server individually.

To configure an authentication or accounting RADIUS server:

1. Specify the authentication or accounting server address.

host1(config)#radius authentication server 10.10.10.1 host1(config-radius)# or host1(config)#radius accounting server 10.10.10.6 host1(config-radius)#

2. (Optional) Specifya UDPport for RADIUS authentication or accounting server requests.

host1(config-radius)#udp-port 1645

3. Specify an authentication or accounting server secret.

host1(config-radius)#key gismo

4. (Optional) Specify the number of retries the router makes to an authentication or

accounting server before it attempts to contact another server.

host1(config-radius)#retransmit 2

5. (Optional) Specify the number of seconds between retries.

Page 62

JunosE 11.3.x Broadband Access Configuration Guide

host1(config-radius)#timeout 5

6. (Optional) Specify the maximum number of outstanding requests.

host1(config-radius)#max-sessions 100

7. (Optional) Specify the amount of time to remove a server from the availablelist when

a timeout occurs.

host1(config-radius)#deadtime 10

8. (Optional) In Global Configuration mode, specify whether the E Series router should

move on tothe next RADIUS server whenthe router receivesan Access-Reject message for the user it is authenticating.

host1(config)#radius rollover-on-reject enable

9. (Optional) Enable duplicate address checking.

host1(config)aaa duplicate-address-check enable

10. (Optional) Specifythat duplicate accountingrecordsbe sent to the accounting server

for a virtual router.

host1(config)#aaa accounting duplication routerBoston

11. (Optional) Enter the correct virtual router context, and specify the virtual router group

to which broadcast accounting records are sent.

host1(config)#virtual-router vrSouth25 host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38 host1:vrSouth25(config)#exit

12. (Optional) Specify that immediate accounting updates be sent to the accounting

server when a response is received to an Acct-Start message.

host1(config)#aaa accounting immediate-update

13. (Optional) Specify whether the router collects all statistics or only the uptime status.

host1(config)#aaa accounting time

14. (Optional) Specify that tunnel accounting be enabled or disabled.

host1(config)#radius tunnel-accounting enable

15. (Optional) Specify the default authentication and accounting methods for the

subscribers.

host1(config)#aaa authentication ppp default radius none

16. (Optional) Disable UDP checksums on virtual routers you configure for B-RAS.

host1:(config)#virtual router boston host1:boston(config)#radius udp-checksum disable

aaa accounting broadcast

Page 63

aaa accounting default

Chapter 1: Configuring Remote Access

• Use to enable AAA broadcast accounting on a virtual router. Specifies that accounting

records be sent to the accounting servers on the virtual routers in the named virtual router group.

• A virtual router group can be used in any virtual router context, not just the context in

which it is created.

• Example

host1(config)#virtual-router vrSouth25 host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38 host1:vrSouth25(config)#exit

• Use the no version to disable the AAA broadcast accounting.

• See aaa accounting broadcast

• Use to specify the accounting method used for a particular type of subscriber.

• Specify one of the following types of subscribers:

• atm1483; this keyword is not supported

• tunnel

• ppp

• radius-relay

• ipsec

• ip (IP subscriber management interfaces)

NOTE: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JunosE Software’s subscriber management feature.

Although the atm1483 keyword is available in the CLI for this command, that subscriber type is not supported. The router does not support accounting for ATM 1483 subscribers.

• Specify one of the following types of accounting methods:

• radius—RADIUS accounting for the specified subscribers.

• none—No accounting is done for the specified subscribers.

• radius none—Multiple types of accounting; used in the order specified. For example,

radius none specifies that RADIUS accounting is initially used; however, if RADIUS servers are not available, no accounting is done.

• Example

host1(config)#aaa accounting ppp default radius

Page 64

JunosE 11.3.x Broadband Access Configuration Guide

• Use the no version to set the accounting protocol to the default, radius.

• See aaa accounting default

aaa accounting duplication

• Use to enable AAA duplicate accounting on a virtual router. Specifies that duplicate

accounting records be sent to the accounting server on another virtual router.

• Example

host1(config)#aaa accounting duplication routerBoston

• Use the no version to disable the feature.

• See aaa accounting duplication

aaa accounting immediate-update

• Use to send an accounting update to the accounting server immediately on receipt of

a response for an Acct-Start message.

• Use the enable keyword to enable immediate updates. Use the disable keyword to

disable immediate updates. Immediate updates are disabled by default.

aaa accounting interval

• Example

host1(config)#aaa accounting immediate-update enable

• Use the no version to restore the default condition, disabling immediate updates.

• See aaa accounting immediate-update

• Use to specify the default interval between updates for user and service interim

accounting.

NOTE: This command is deprecated and might be removed completely in

a future release. Use the aaa user accounting interval command to specify the default interval for user accounting. Use the aaa service accounting interval command to specify the default interim accounting interval used for services created by the Service Manager application. See “Configuring Service Manager” on page 633.

• Select an interval in the range 10–1440 minutes. The default is 0, which means that

the feature is disabled.

• Example

host1(config)#aaa accounting interval 60

• Use the no version to turn off interim accounting for both users and services.

• See aaa accounting interval

aaa accounting statistics

Page 65

aaa accounting vr-group

Chapter 1: Configuring Remote Access

• Use to specify how the AAA server collects statistics on the sessions it manages.

• Use the volume-time keyword to collect all statistics for the sessions.

• Use the time keyword to collect only the uptime status of the sessions. Collecting only

uptime information is more efficient because less data is sent to AAA.

• Example

host1(config)#aaa accounting statistics time

• Use the no version to restore the default, in which all statistics are collected.

• See aaa accounting statistics

• Use to create an accounting virtual router group and enter VR Group Configuration

mode. Virtual routing groups are used for AAA broadcast accounting.

• A virtual router group can have up to four virtual routers. The accounting servers of the

virtual routers in the group receive broadcast accounting records that are forwarded to the group.

aaa authentication default

• The E Series router supports a maximum of 100 virtual router groups.

• When creating a virtual router group, you must add at least one virtual router to the

group; otherwise, the group is not created.

• A virtual router group can be used in any virtual router context, not just the context in

which it is created.

• Example

host1(config)#aaa accounting vr-group westVrGroup38 host1(config-vr-group)#

• Use the no version to delete the accounting virtual router group.

• See aaa accounting vr-group

• Use to specify the authentication method used for a particular type of subscriber.

• Specify one of the following types of subscribers:

• atm1483

• tunnel

• ppp

• radius-relay

• ipsec

• ip (IP subscriber management interfaces)

Page 66

JunosE 11.3.x Broadband Access Configuration Guide

NOTE: IP subscriber management interfaces are static or dynamic

interfaces that are created or managed by the JunosE Software’s subscriber management feature.

• Specify one of the following types of accounting methods:

• radius—RADIUS authentication for the specified subscribers.

• none—Grants the specified subscribers access without authentication.

• radius none—Multiple types of authentication; used in the order specified. For

example,radiusnone specifies thatRADIUS authentication is initiallyused; however, if RADIUS servers are notavailable, usersare granted access without authentication.

• Example

host1(config)#aaa authentication ip default radius

• Use the no version to set the authentication protocol to the default, radius.

• See aaa authentication default

aaa duplicate-address-check

• Use to enable or disable routing table address lookup or duplicate address check.

• The router checksthe routingtable for returnedaddresses for PPP users. If theaddress

• You can disable this routing table address lookup or duplicate address check with the

• Example

• There is no no version.

• See aaa duplicate-address-check

aaa user accounting interval

• Use to specify the default interval between user accounting updates. The router uses

• This command and the aaa service accounting interval command replace the aaa

By default, this command is enabled.

existed, then the user was denied access.

aaa duplicate-address-check command.

host1(config)#aaa duplicate-address-check enable

the default interval when no value is specified in the RADIUS Acct-Interim-Interval attribute (RADIUS attribute 85).

accounting interval command, which is deprecated and might be removed in a future release. Forinformationabout setting thedefaultinterim accounting interval for services, see “Configuring Service Manager” on page 633.

• The default interval is applied on a virtual router basis—this setting is used for all users

who attach to the corresponding virtual router.

Page 67

aaa virtual-router

Chapter 1: Configuring Remote Access

• Specify the user accounting interval in the range 10–1440 minutes. The default setting

is 0, which disables the feature.

• Example

host1(config)#aaa user accounting interval 20

• Use the no version to reset the accounting interval to 0, which turns off interim user

accounting when no value is specified in the RADIUS Acct-Interim-Interval attribute.

• See aaa user accounting interval

• Use to add virtual routers to a virtual router group. During AAA broadcast accounting,

accounting records are sent to the accounting servers on the virtual routers in the named virtual router group.

• You can add up to four virtual routers to a virtual router group. Use the indexInteger

parameter to specify the order (1–4) in which the virtual routers receive the accounting information. The indexInteger is used with the no version to delete a specific virtual router from a group (see Example 2).

deadtime

• A virtual router name consists of 1–32 alphanumeric characters.

• The virtual router names in the group must be unique. An error message appears if you

enter a duplicate name.

• Example 1

host1(config)#aaa accounting vr-group westVrGroup38 host1(config-vr-group)#aaa virtual-router 1 vrWestA host1(config-vr-group)#aaa virtual-router 2 vrWestB host1(config-vr-group)#aaa virtual-router 4 vrSouth1

• Example 2

host1(config-vr-group)#no aaa virtual-router 2

• Use theno version ofthe command with theindexIntegerparameterto deletea specific

virtual router from a group. If all virtual routers in a group are deleted, the group is also deleted; a group must contain at least one virtual router.

• See aaa virtual-router

• Use to configure the amount of time (0–1440 minutes) that a server is marked as

unavailable if a request times out for the configured retry count.

• If a server fails to answer a request, the router marks it unavailable. The router does

not send requests to the server until the router receives a response from the server or until the configured time is reached, whichever occurs first.

• If all servers failto answer a request, then instead of marking all servers as unavailable,

all servers are marked as available.

• To turn off the deadtime mechanism, specify a value of 0.

• Example

Page 68

JunosE 11.3.x Broadband Access Configuration Guide

host1(config)#radius authentication server 10.10.0.1 host1(config-radius)#deadtime 10

• Use the no version to set the time to the default value, 0

• See deadtime

key

• Use to configure secrets onthe primary, secondary, and tertiary authentication servers.

• The authentication or accounting server secret is a text string used by RADIUS to

encrypt the client and server authenticator field during exchanges between the router and a RADIUS authentication server. The router encrypts PPP PAP passwords using this text string.

• The default is no server secret.

• Example

host1(config)#radius authentication server 10.10.8.1 host1(config-radius)#key gismo

logout subscribers

max-sessions

• Use the no version to remove the secret.

NOTE: Authentication fails if no key is specified for the authentication server.

• See key

• Use to issue an administrative reset to the user’s connection to disconnect the user.

• From Privileged Exec mode, you can log out all subscribers, or log out subscribers by

username, domain, virtual-router, port, or icr-partition.

• This command applies to PPP users, as well as to non-PPP DHCP users.

• Example

host1#logout subscribers username bmurphy

• There is no no version.

• See logout subscribers

• Use to configure the number of outstanding requests supported by an authentication

or accounting server.

• If the request limit is reached, the router sends the request to the next server.

Page 69

Chapter 1: Configuring Remote Access

NOTE: For information about the number of concurrent RADIUS requests

that the router supports for authentication and accounting servers, see JunosE Release Notes, Appendix A, System Maximums.

• The same IP address can be used for both an authentication and accounting server

(but not for multiple servers of the same type). The router uses different UDP ports for authentication servers and accounting servers.

• For each multiple of 255 requests (the RADIUS protocol limit), the router opens a new

UDP source (or local) port on the server to send and receive RADIUS requests and responses.

• Example

host1(config)#radius authentication server 10.10.0.1 host1(config-radius)#max-sessions 100

• Use the no version to restore the default value, 255.

no radius client

radius accounting server

• See max-sessions.

• Use toremoveall RADIUSserversfor thevirtual router context and todeletethe ESeries

RADIUS client for the virtual router context.

• Example

host1:boston(config)#no radius client

• There is no affirmative version of this command; there is only a no version.

• See no radius client

• Use to specify the IP address of authentication and accounting servers.

• Example

host1(config)#radius authentication server 10.10.10.1 host1(config-radius)exit host1(config)#radius authentication server 10.10.10.2 host1(config-radius)exit host1(config)#radius authentication server 10.10.10.3 host1(config-radius)exit host1(config)#radius accounting server 10.10.10.20 host1(config-radius)exit host1(config)#radius accounting server 10.10.10.30

• Use the no version to delete the instance of the RADIUS server.

• See radius accounting server

radius algorithm

Page 70

JunosE 11.3.x Broadband Access Configuration Guide

• Use to specify the algorithm—either direct or round-robin—that the E Series RADIUS

client uses to contact the RADIUS server.

• The algorithm that you choose impacts the display status of a RADIUS server. For

information on the effect of the algorithm configuration on the display of the show radius servers command, see “Monitoring RADIUS Server Information” on page 142.

• Example

host1(config)#radius algorithm round-robin

• Use the no version to set the algorithm to the default, direct.

• See radius algorithm

radius override nas-info

• Use to configure the RADIUS client to include the NAS-IP-Address [4] and

NAS-Identifier [32] RADIUSattributesof theauthenticating virtual routerin accounting packetswhen theclient performs AAAbroadcast accounting. Normally,the accounting packets include the NAS-IP-Address and NAS-Identifier of the virtual router that generated the accounting information.

radius rollover-on-reject

• This override operation is a per-virtual router specification; use this command in the

correct virtual router context.

• This commandis ignored if theauthenticating virtual router doesnot have a configured

RADIUS server.

• Example

host1(config)#virtual-router vrXyz1 host1:vrXyz1(config)#radius override nas-info host1:vrXyz1(config)#exit

• Use the no version to restore inclusion of the NAS-IP-Address [4] and NAS-Identifier

[32] RADIUS attributes of the virtual routerthat requested the accounting information.

• See radius override nas-info

• Use to specify whether the router rolls over to the next RADIUS server when the router

receives an Access-Reject message for the user it is authenticating.

• Example

host1(config)#radius rollover-on-reject enable

• Use the no version to set the default of disable.

• See radius rollover-on-reject

radius tunnel-accounting

• Use to specify that tunnel accounting be enabled or disabled.

• This command turns on accounting messages: Tunnel-Start, Tunnel-Stop,

Tunnel-Reject, Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject, as described in RFC 2867.

Page 71

radius udp-checksum

Chapter 1: Configuring Remote Access

• Your router supports tunnel accounting for the L2TP LAC and LNS.

• Example

host1(config)#radius tunnel-accounting enable

• Use the no version to set the default, disabled.

• See radius tunnel-accounting

• Use to disable UDP checksums on virtual routers you configure for B-RAS.

• Issue this command in the context of the appropriate virtual router.

• Example

host1(config)#virtual router boston host1:boston(config)#radius udp-checksum disable

• Use the no version to reenable UDP checksums on virtual routers you configure for

B-RAS.

radius update-source-addr

retransmit

• See radius udp-checksum

• Use to specify an alternate source IP address for the router to use rather than the

default router ID.

• Example

host1(config)#radius update-source-addr 192.168.40.23

• Use the no version to delete the parameter so that the router uses the router ID.

• See radius update-source-addr

• Use toset the maximum number of times (0–100) thatthe router retransmitsa RADIUS

packet to an authentication or accounting server.

• If there is no response from the primary RADIUS authentication or accounting server

in the specified number of retries, the client sends the request to the secondary server. If there is no response from the secondary server, the router sends the request to the tertiary server, and so on.

• Example

host1(config)#radius authentication server 10.10.8.1 host1(config-radius)#retransmit 2

• Use the no version to set the value to the default, 3 retransmits.

• See retransmit

test aaa

Page 72

JunosE 11.3.x Broadband Access Configuration Guide

• Use to verify RADIUS authentication and accountingand IPaddress assignment setup.

• You must specify either a PPP or Multilink PPP (MLPPP) user. PPP indicates a regular

PPP user. MLPPP simulatesMultilink PPP sothat if multiple test commandsare issued, all test users are bound by the same address.

• The command uses a username and password and attempts to authenticate a user,

get an address assignment, and issue a start accounting request.

• Optionally, you can specify the virtual router context in which to authenticate the user.

• The command pauses for several seconds, then terminates the session by issuing a

stop accounting request and an address release.

• Example

host1#test aaa ppp jsmith mypassword virtual-router charlie2

NOTE: Specifying the password to associate with the username is optional. Specifying a virtual router is optional.

timeout

• There is no no version.

• See test aaa

• Use to set the number of seconds (1–1000) before the router retransmits a RADIUS

packet to an authentication or accounting server.

• If the interval is reached and there is no response from the primary RADIUS

authentication or accounting server, the router attempts another retry. When the retry limit is reached, the client sends the request to the secondary server. When the retry limit for thesecondary server is reached, the routerattemptsto reach thetertiary server, and so on.

NOTE: After the fourth retransmission, the configured timeout value is

ignored,and the router uses a backoff algorithm that increases the timeout between each succeeding transmission. The router used the backoff algorithmonly for subscriber AAA accountingmessagesexceptfor Acct-On messages.

The backoff algorithm is:

• Example

host1(config)#radius authentication server 10.10.0.1 host1(config-radius)#timeout 5

Page 73

udp-port

Chapter 1: Configuring Remote Access

• Use the no version to restore the default value, 3 seconds.

NOTE: When a RADIUS server times out or when it has no availableRADIUS identifier values, the router removes the RADIUS server from the list of available servers for a period of time. The router restores all configured servers to the list if it is about to remove the last server.Restoringthe servers avoids having an empty server list.

• See timeout

• Use to configure the UDP port on the router where the RADIUS authentication,

accounting, preauthentication, and route-download servers reside. The router uses this port to communicate with the RADIUS authentication servers.

• Specify a port number in the range 0–65536. For authentication, preauthentication,

or route-download servers, the default UDP port is 1812. For accounting servers, the default is 1813.

• For an accounting server, specify a port number in the range 0–65536. The default is

1813.

• Example

host1(config)#radius authentication server 10.10.9.1 host1(config-radius)#udp-port 1645

• Use the no version to set the port number to the default value.

• See udp-port

SNMP Traps and System Log Messages

The router can sendSimpleNetwork Management Protocol(SNMP) traps to alert network managers when:

•

A RADIUS server fails to respond to a request.

•

A RADIUS server that previously failed to respond to a request (and was consequently removed from the list of active servers) returns to active service.

Returning to active service means that the E Series RADIUS client receives a valid response to an outstanding RADIUS request after the server is marked unavailable.

•

All RADIUS servers within a VR context fail to respond to a request.

The router also generates system log messages when RADIUS servers fail to respond or when they return to active service; no configuration is required for system log messages.

SNMP Traps

The router generates SNMP traps and system log messages as follows:

Page 74

JunosE 11.3.x Broadband Access Configuration Guide

•

If the first RADIUS server fails to respond to the RADIUS request, the E Series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out. The ESeries RADIUS client will not issue anothersystem log message or SNMP trap regarding this RADIUS server until the deadtime expires, if configured, or for 3 minutes if deadtime is not configured.

•

The E Series RADIUS client then sends the RADIUS request to the second configured RADIUS server. If the second RADIUS server fails to respond to the RADIUS request, the E Series RADIUS client again issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out.

•

This process continues until either the E Series RADIUS client receives avalid response from a RADIUS server or the list of configured RADIUS servers is exhausted. If the list of RADIUS servers is exhausted,the ESeries RADIUS clientissues asystemlog message and, if configured, an SNMP trap indicating that all RADIUS servers have timed out.

If the E Series RADIUS client receives a RADIUS response from a “dead” RADIUS server during the deadtime period, the RADIUS server is restored to active status.

If the router receives a valid RADIUS response to an outstanding RADIUS request, the E Series client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server is now available.

System Log Messages

You do not need to configure system log messages. The routerautomatically sends them when individual servers do not respond to RADIUS requests and when all servers on a VR fail to respond to requests. The following are the formats of the warning level system log messages:

Configuring SNMP Traps

This section describes how to configure the router to send traps to SNMP when RADIUS servers fail to respond to messages, and how to configure SNMP to receive the traps.

To set up the router to send traps:

1. (Optional) Enable SNMP traps when a particular RADIUS authentication server fails

2. (Optional) Enable SNMP traps when all of the configured RADIUS authentication

RADIUS [ authentication | accounting ] server serverAddress unavailable in VR

virtualRouterName [; trying nextServerAddress]

RADIUS no [ authentication | accounting ] servers responding in VR virtualRouterName RADIUS [ authentication | accounting ] server serverAddress available in VR

virtualRouterName

to respond to Access-Request messages.

host1(config)#radius trap auth-server-not-responding enable

servers on a VR fail to respond to Access-Request messages.

host1(config)#radius trap no-auth-server-responding enable

3. (Optional) Enable SNMPtraps when a RADIUS authentication server returns to active

service.

Page 75

Chapter 1: Configuring Remote Access

host1(config)#radius trap auth-server-responding enable

4. (Optional) Enable SNMP traps when a RADIUS accounting server fails to respond to

a RADIUS accounting request.

host1(config)#radius trap acct-server-not-responding enable

5. (Optional) Enable SNMP traps when all of the RADIUS accounting servers on a VR

fail to respond to a RADIUS accounting request.

host1(config)#radius trap no-acct-server-responding enable

6. (Optional) Enable SNMP traps when a RADIUS accounting server returns to active

service.

host1(config)#radius trap acct-server-responding enable

To set up SNMP to receive RADIUS traps:

1. Set up the appropriate SNMP community strings.

host1(config)#snmp-server community admin view everything rw host1(config)#snmp-server community private view user rw host1(config)#snmp-server community public view everything ro

2. Specify the interface whose IP address is the source address for SNMP traps.

host1(config)#snmp-server trap-source fastEthernet 0/0

3. Configure the host that should receive the SNMP traps.

host1(config)#snmp-server host 10.10.132.93 version 2c 3 udp-port 162 radius

4. Enable the SNMP router agent to receive and forward RADIUS traps.

host1(config)#snmp-server enable traps radius

5. Enable the SNMP on the router.

host1(config)#snmp-server

radius trap acct-server-not-responding

• Use to enable or disable SNMP traps when a particular RADIUS accounting server fails

to respond to a RADIUS accounting request.

• The associated SNMP object is rsRadiusClientTrapOnAcctServerUnavailable.

• Example

host1(config)#radius trap acct-server-not-responding enable

NOTE: For more information about these SNMP commands, see JunosE System Basics Configuration Guide.

• Use the no version to return to the default setting, disable.

• See radius trap acct-server-not-responding

radius trap acct-server-responding

Page 76

JunosE 11.3.x Broadband Access Configuration Guide

• Use to enable or disable SNMP traps when a RADIUS accounting server returns to

service after being marked as unavailable.

• The associated SNMP object is rsRadiusClientTrapOnAcctServerAvailable.

• This command affects only the current VR context.

• Example

host1(config)#radius trap acct-server-responding enable

• Use the no version to restore the default, disable.

• See radius trap acct-server-responding

radius trap auth-server-not-responding

• Use to enable or disable SNMP traps when a RADIUS authentication server fails to

respond to a RADIUS Access-Request message.

• The associated SNMP object is rsRadiusClientTrapOnAuthServerUnavailable.

• Example

host1(config)#radius trap auth-server-not-responding enable

• Use the no version to return to the default setting, disabled.

• See radius trap auth-server-not-responding

radius trap auth-server-responding

• Use to enable RADIUS to send SNMP traps when a RADIUS authentication server

returns to service after being marked as unavailable.

• The associated SNMP object is rsRadiusClientTrapOnAuthServerAvailable.

• This command affects only the current VR context.

• Example

host1(config)#radius trap auth-server-responding enable

• Use the no version to restore the default setting, disabled.

• See radius trap auth-server-responding

radius trap no-acct-server-responding

• Use to enable or disable SNMP traps when all of the configured RADIUS accounting

servers per VR fail to respond to a RADIUS accounting request.

• The associated SNMP object is rsRadiusClientTrapOnNoAcctServerAvailable.

• Example

host1(config)#radius trap no-acct-server-responding enable

• Use the no version to return to the default setting, disabled.

• See radius trap no-acct-server-responding

radius trap no-auth-server-responding

Page 77

• Use toenableor disable SNMP traps when allof the configured RADIUS authentication

servers per VR fail to respond to a RADIUS Access-Request message.

• The associated SNMP object is rsRadiusClientTrapOnNoAuthServerAvailable.

• Example

host1(config)#radius trap no-auth-server-responding enable

• Use the no version to return to the default setting, disabled.

• See radius trap no-auth-server-responding

Configuring Local Authentication Servers

The AAA local authentication server enables the E Series router to provide local PAP and CHAP user authentication for subscribers. The router also provides limited authorization, using the IP address, IP address pool, and operational virtual router parameters. When a subscriberlogson to theE Series router that is usinglocalauthentication,the subscriber is authenticated against user entries in a local user database; the optional parameters are assigned to subscribers after the subscriber is authenticated.

Chapter 1: Configuring Remote Access

Creating the Local Authentication Environment

To create your local authentication environment:

1. Create local user databases—Create the default database or a named database.

2. Add entries to local user databases—Add user entries to the database. A database

can contain information for multiple users.

3. Assign a local user database to thevirtual router—Specifythe database thatthe virtual

router will use to authenticate subscribers.

4. Enable local authentication onthe virtualrouter—Specify thelocal method asan AAA

authentication method used by the virtual router.

Creating Local User Databases

When a subscriber connects to an E Series router that is using local authentication, the local authentication server uses the entries in the local user database selected by the virtual router to authenticate the subscriber.

A local authentication server can have multiple local user databases, and each database can have entries for multiple subscribers. The default local user database, if it exists, is used for local authentication by default. The E Series router supports a maximum of 100 user entries. A maximum of 100 databases can be configured.

To create a local user database, use the aaa local database command and the name of the database; use the name default to create the default local user database:

host1(config)#aaa local database westLocal40

Page 78

JunosE 11.3.x Broadband Access Configuration Guide

Adding User Entries to Local User Databases

The local authentication server uses the information in a local user database to authenticate a subscriber. A local user database can contain information for multiple users.

The E Series router provides two commands for adding entries to local user databases: the username command and the aaa local username command. You can specify the following parameters:

•

Username—Name associated with the subscriber.

•

Passwords and secrets—Single words that can beencryptedor unencrypted. Passwords use two-way encryption, and secrets use one-way encryption. Both passwords and secrets can be used with PAP authentication; however, only passwords can be used with CHAP authentication.

•

IP address—The IP addressto assign tothe subscriber (aaa local username command only).

•

IP address pool—The IP address pool used to assign the subscriber’s IP address (aaa local username command only).

•

Operational virtual router—The virtual router to which the subscriber is assigned. This parameter is applicable only if the subscriber is authenticated by the default virtual router (aaa local username command only).

Using the username Command

The username command is similar to the command used by some third-party vendors. The command can be used to add entries in the default local user database; it is not supported for named local user databases. The IP address, IP address pool, and operational virtual router parameters are not supported in the username command. However, after the user is added to the default local user database, you can use the aaa local username command with a database name default to enter Local User Configuration mode and add the additional parameters.

NOTE: If the default local user database does not exist, the username

command creates this database and adds the user entry to the database.

To add a subscriber and password or secret to the default local user database, complete the following step:

host1(config)#username rockyB password rockyPassword

Using the aaa local username Command

To enter Local User Configuration mode and add user entries to a local user database, use the following commands:

Page 79

Chapter 1: Configuring Remote Access

1. Specify thesubscriber’s username and the database you want touse. Use the database

name default to specify the default local user database. This command also puts the router into Local User Configuration mode.

host1(config)# aaa local username cksmith database westLocal40 host1(config-local-user)#

NOTE: You can use the aaa local username command to add or modify user entries to a default database that was created by the username command.

2. (Optional) Specify the type of encryption algorithm and the password or secret that

the subscriber must use to connect to the router. A subscriber can be assigned either a password or a secret, but not both. For example:

host1(config-local-user)#password 8 iTtakes2%

3. (Optional) Specify the IP address to assign to the subscriber.

host1(config-local-user)#ip-address 192.168.101.19

4. (Optional) Specify the IP address pool used to assign the subscriber’s IP address.

host1(config-local-user)#ip-address-pool svPool2

5. (Optional) Assign the subscriber to an operational virtual router. This parameter is

applicable only if the subscriber is authenticated in the default virtual router.

host1(config-local-user)#operational-virtual-router boston2

Assigning a Local User Database to a Virtual Router

Use the procedure in this section to assign a local user database to a virtual router. The virtual router uses the database for local authentication when the subscriber connects to the E Series router. Use the following commands in Global Configuration mode:

NOTE: If you do not specify a local user database, the virtual router selects

the default database by default. This applies to all virtual routers.

1. Specify the virtual router name.

host1(config)# virtual-router cleveland

2. Specify the database to use for authentication on this virtual router.

host1:cleveland(config)# aaa local select database westLocal40

Enabling Local Authentication on the Virtual Router

On the E Series router, RADIUS is the default AAA authentication method for PPP subscribers. Use the commands in this section to specify that the local authentication method is used.

To enable local authentication on the default router, use the following command:

Page 80

JunosE 11.3.x Broadband Access Configuration Guide

host1(config)# aaa authentication ppp default local

To enable local authentication on a specific virtual router, first select the virtual router:

host1(config)# virtual-router cleveland host1:cleveland(config)# aaa authentication ppp default local

Configuration Commands

Use the following commands to configure the local authentication server.

aaa authentication default

• Use to specify that the local authentication method is used to authenticate PPP

subscribers on the default virtual router or on the selected virtual router.

NOTE: You can specify multiple authentication methods; for example,aaa

authentication ppp default local radius. If, during local authentication, the matching user entry is not found in a populated database or if it is found and rejected, the authentication procedure terminates. However, if the specified local user database is empty or if it does not exist, the authentication process uses the next authentication method specified (RADIUS in this case).

aaa local database

aaa local select database

• Example

host1(config)#aaa authentication ppp default local radius

• Use the no version to restore the default authentication method of radius.

• See aaa authentication default

• Use to create a local user database.

• Use the database name default to specify the default local user database, or enter a

name for the specific local user database.

• Example

host1(config)#aaa local database westLocal40

• Use the no version to delete the specified database and all entries in the database.

• See aaa local database

• Use toassign thelocaluser databasethat thevirtual router uses forlocal authentication.

• Example

host1(config)#virtual-router cleveland host1:cleveland(config)#aaa local select database westLocal40

Page 81

aaa local username

Chapter 1: Configuring Remote Access

• Use the no version to restore the default setting, which uses the default local user

database for local authentication.

• See aaa local select database

• Use to configure a user entry in the specified local user database and to enter Local

User Configuration mode.

• The username must be unique within a particular database; however, the same

username can be used in different databases.

• Use the database name default to configure the username in the default local user

database.

NOTE: The router supports usernames up to 64 characters long; however,

PAP and CHAP support is limited to 31-character usernames.

ip address

ip address-pool

• Example

host1(config)#aaa local username cksmith database westLocal40

• Use the no version to delete the user entry from the specified local user database. Use

the database name default to delete the user entry from the default local user database.

• See aaa local username

• Use to specify the IP address parameter for a user entry in the local user database. The

address is negotiated with the subscriber after the subscriber is authenticated.

• Example

host1(config-local-user)#ip-address 192.168.42.6

• Use the no version to delete the IP address parameter from the user entry in the local

user database.

• See ip address

• Use tospecify theIP address poolparameterfor auser entryin thelocal user database.

The address pool is used to assign an IP address to the subscriber; the address is negotiated with the subscriber after the subscriber is authenticated.

• Example

host1(config-local-user)#ip-address-pool svPool2

• Use the no version to delete the IP address pool parameter from the user entry in the

local user database.

• See ip address-pool

Page 82

JunosE 11.3.x Broadband Access Configuration Guide

operational-virtual-router

• Use to specify the virtual router parameter for a user entry in the local user database.

The subscriber is assigned to the operational virtual router only if the default virtual router performs the authentication.

• If authentication is performed by a non-default virtual router, then the subscriber is

assigned to the same virtual router that performs authentication, regardless of this parameter setting.

• Example

host1(config-local-user)#operational-virtual-router boston2

• Use the no version to delete the operational virtual router parameter from the user

entry in the local user database.

• See operational-virtual-router

password

• Use to adda password to a user entry in the local user database. The password is used

to authenticate a subscriber, and is encrypted by means of a two-way encryption algorithm.

secret

NOTE: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore,use the passwordcommand if you want to enable encryption for subscribers that use CHAP authentication.

• The new password replaces any current password or secret.

• Specify one of the following encryption algorithms, followed by the password:

• 0—An unencrypted password; this is the default

• 8—A two-way encrypted password

• Example

host1(config-local-user)#password 0 myPassword

• Use the no version to delete the password or secret from the user entry in the local

user database.

• See password

Page 83

Chapter 1: Configuring Remote Access

• Use to add a secret to a user entry in the local user database. The secret is used to

authenticate a subscriber, and is encrypted by means of the Message Digest 5 (MD5) encryption algorithm.

NOTE: CHAP authentication requires that passwords and secrets be stored

in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore,use the passwordcommand if you want to enable encryption for subscribers that use CHAP authentication.

• The new secret replaces any current password or secret.

• Specify one of the following encryption algorithms, followed by the secret:

• 0—An unencrypted secret; this is the default

• 5—An MD5-encrypted secret

user-name

• Example

host1(config-local-user)#secret 5 Q3&t9REwk45jxSM#fj$z

• Use the no version to delete the secret or password from the user entry in the local

user database.

• See secret

• Use to configure a user entry and optional password or secret in the default local user

database. This command creates the database if it does not already exist.

• Optionally, specify a password or secret that is assigned to the user in the default local

user database, or specify that no password is required for the particular username.

• Specify one of the following encryption algorithms, followed by the password:

• 0—An unencrypted password; this is the default

• 8—A two-way encrypted password

• Specify one of the following encryption algorithms, followed by the secret:

• 0—An unencrypted secret; this is the default

• 5—An MD5-encrypted secret

• Use the nopassword keyword to remove the password or secret

NOTE: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.

Page 84

JunosE 11.3.x Broadband Access Configuration Guide

• Example

host1(config-local-user)#username cksmith secret 5 Q3&t9REwk45jxSM#fj$z

• Use the no version to delete the username entry from the default local user database.

• See user-name

Local Authentication Example

This example creates a sample local authentication environment. The steps in this example:

1. Create a named local user database (westfordLocal40).

2. Configure the database westfordLocal40.

•

Add users btjones and maryrdavis and their attributes to the database.

3. Create the default local database using the optional username command.

•

Add optional subscriber parameters for user cksmith to the default database.

4. Assign the default local user database to virtual router cleveland; assign database

westfordLocal40 to the default virtual router and to virtual router chicago.

5. Enable AAA authentication methods local and none on all virtual routers.

6. Use the show commands to display information for the local authentication

environment (various show command displays are listed after the example).

Example 1 This example shows the commands you use to create the AAA local authentication

environment.

host1(config)#aaa local database westfordLocal40 host1(config)#aaa local username btjones database westfordLocal40 host1(config-local-user)#secret 38schillCy host1(config-local-user)#ip-address-pool addressPoolA host1(config-local-user)#operational-virtual-router boston2 host1(config-local-user)#exit host1(config)#aaa local username maryrdavis database westfordLocal40 host1(config-local-user)#secret 0 dav1sSecret99 host1(config-local-user)#ip-address 192.168.20.106 host1(config-local-user)#operational-virtual-router boston1 host1(config-local-user)#exit host1(config)#username cksmith password 0 yourPassword1 host1(config)#aaa local username cksmith database default host1(config-local-user)#ip-address-pool addressPoolA host1(config-local-user)#operational-virtual-router boston2 host1(config-local-user)#exit host1(config)#virtual-router cleveland host1(config)#aaa local select database default host1(config)#virtual-router default host1(config)#aaa local select database westfordLocal40 host1(config)#virtual-router chicago host1(config)#aaa local select database westfordLocal40 host1(config)#virtual-router default

Page 85

Chapter 1: Configuring Remote Access

host1(config)#aaa authentication ppp default local none

Example 2 This example verifies that local authentication is configured on the router.

host1#show aaa authentication ppp default local none

Example 3 This example uses the show configurationcategoryaaa local-authenticationcommand

with the databases keyword to show the local user databases that are configured on the router.

host1# show configuration category aaa local-authentication databases ! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! ! Commands displayed are limited to those available at privilege level 15 ! ! NOTE: This script represents only a subset of the full system configuration. ! The category displayed is: aaa local-authentication databases ! hostname host1 aaa new-model aaa local database default aaa local database westfordLocal40

Example 4 This example uses the local-authentication users keywords to show the configured

users andtheir parameters.The password forusername cksmith is displayedunencrypted because the default setting of disabled or no for the service password-encryption command is used for the example. Secrets are always displayed encrypted.

host1# show configuration category aaa local-authentication users ! Configuration script being generated on THU NOV 11 2004 13:40:41 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 10, 2004 21:15) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! ! Commands displayed are limited to those available at privilege level 15 ! ! NOTE: This script represents only a subset of the full system configuration. ! The category displayed is: aaa local-authentication users ! hostname host1 aaa new-model aaa local username cksmith database default password yourPassword1 operational-virtual-router boston2 ip-address-pool addressPoolA ! aaa local username btjones database westfordLocal40 secret 5 }9s7-4N<WK2)2=)^!6~# operational-virtual-router boston2 ip-address-pool addressPoolA ! aaa local username maryrdavis database westfordLocal40 secret 5 E@A:nDXJJ<irb\`mF#[j

Page 86

JunosE 11.3.x Broadband Access Configuration Guide

operational-virtual-router boston1 ip-address 192.168.20.106

Example 5 This example uses the users include-defaults keywords to show the configured users

and their parameters, including the default parameters no-ip-address and no ip-address-pool.

host1# show configuration category aaa local-authentication users include-defaults ! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! ! Commands displayed are limited to those available at privilege level 15 ! ! NOTE: This script represents only a subset of the full system configuration. ! The category displayed is: aaa local-authentication users ! hostname host1 aaa new-model aaa local username cksmith database default password yourPassword1 operational-virtual-router boston2 no ip-address ip-address-pool addressPoolA ! aaa local username btjones database westfordLocal40 secret 5 }9s7-4N<WK2)2=)^!6~# operational-virtual-router boston2 no ip-address ip-address-pool addressPoolA ! aaa local username maryrdavis database westfordLocal40 secret 5 E@A:nDXJJ<irb\`mF#[j operational-virtual-router boston1 ip-address 192.168.20.106 no ip-address-pool

Example 6 This example uses the virtual-router keyword with the default specification to show the

local user database that is used by the default virtual router.

host1# show configuration category aaa local-authentication virtual-router default ! Configuration script being generated on TUE NOV 09 2004 13:09:45 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! ! Commands displayed are limited to those available at privilege level 15 ! ! NOTE: This script represents only a subset of the full system configuration. ! The category displayed is: aaa local-authentication ! virtual-router default aaa local select database westfordLocal40

Example 7 This example uses the virtual-router keyword with a named virtual router. The

include-defaults keyword shows the default configuration, including the line showing

that there is no named local user database selected.

Page 87

Chapter 1: Configuring Remote Access

host1# show configuration category aaa local-authentication virtual-router cleveland include-defaults ! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC ! Juniper Edge Routing Switch ERX-1400 ! Version: 6.1.0 (November 8, 2004 18:31) ! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved. ! ! Commands displayed are limited to those available at privilege level 15 ! ! NOTE: This script represents only a subset of the full system configuration. ! The category displayed is: aaa local-authentication ! virtual-router cleveland no aaa local select

Configuring Tunnel Subscriber Authentication

When a AAA domain map includes any tunnel configuration, users in this domain are considered to be tunnel subscribers. By default, any such subscriber is granted access without being authenticated by the authentication server. Access is granted even when the user provides an invalid username and password. The tunnel configuration for the subscriber comes from the AAA domain map.

For example, if the authentication protocol for a AAA domainmap isRADIUS, AAA grants access to subscribers from this domain immediately without sending access requests to the configured RADIUS server. Because of this behavior, these subscribers cannot get any additional control attributes from the authentication server. This reduces your ability to manage the tunnel subscribers.

In this default situation, if you want the domain subscribers to be managed by the authentication server for any control attribute, then that domain map cannot have any tunnel configuration.Typically, this meansyou mustconfigure the subscriber individually.

You can usethe tunnel-subscriber authentication command to get around this limitation. When you enable authentication with this command, access requests for the tunnel subscribers in the domain are sent to the configured authentication server. When the access replies from authentication server are processed, various user attributes from the server can be applied to the subscribers.

When the authentication server returns tunnel attributes, these returned values take precedence over the corresponding local tunnel configuration values in the AAA domain map. If the server does not return any tunnel attributes, then the tunnel subscriber’s tunnel settings are configured according to the domain map’s tunnel settings.

If the authentication server returns a redirect VSA and the corresponding AAA domain map has local tunnel configurations, the VSA is ignored. Access is denied to the user when the authentication server rejects the access request.

The tunnel-subscriber authentication command has no effect on subscribersin adomain with no tunnel configuration. When a AAA domain map has no tunnel configuration, subscribers in the domain are authenticated by the authentication server. If the server grants access, then the subscribers get their tunnel settings only from the authentication server.

Page 88

JunosE 11.3.x Broadband Access Configuration Guide

By default, tunnel subscribers in the domain are granted access with no external authentication.Use theenable keywordto enable authentication. Use the disable keyword to restore disable user authentication.

To configure authentication of tunnel subscribers within a AAA domain by an external authentication server.

•

Example

host1(config-domain-map)#tunnel-subscriber authentication enable

Documentation

tunnel-subscriber authentication•

• Mapping a User Domain Name to a Virtual Router on page 8

Configuring Name Server Addresses

You can assign IP or IPv6 addresses for DNS and IP addresses for WINS name servers. During setup negotiations between the router and remote PC clients using PPP (Internet Protocol Control Protocol [IPCP] specifically), the remote client may request the DNS and WINS server IP addresses. If the IP addresses passed to the router by the remote PC client are different from the ones configured on your router, the router returns the values that you configured as the correct values to the remote PC client. This behavior is controlled by the ppp peer dns and ppp peer wins interface commands.

If a PPP client request contains address values of0.0.0.0 for the name servers, the router considers that the remote PC client is not configured and returns the configured values as the correct values to the remote PC client.

The DNS and WINS addresses are considered as part of the PPP user information. These addresses are provided to the PPP client as part of the IPCP negotiations between PPP peers. For details, see RFC 1877—PPP Internet Protocol Control Protocol Extensions for Name Server Addresses (December 1995).

Configuration Tasks

This section contains proceduresfor configuring theDNS andWINS primary and secondary name server addresses.

DNS Primary and Secondary NMS Configuration

To configure the DNS primary and secondary name server addresses:

1. Specify the IP address of the DNS primary name server.

host1(config)#aaa dns primary 10.10.10.5

or, for IPv6,

NOTE: All name server address parameters are defined in the context of a virtual router.

Page 89

aaa dns primary

Chapter 1: Configuring Remote Access

host1(config)#aaa ipv6-dns primary 2001:db8::8001

2. Specify the IP address of the DNS secondary name server.

host1(config)#aaa dns secondary 10.10.10.6

or, for IPv6,

host1(config)#aaa ipv6-dns secondary 2001:db8::8002

NOTE: The router uses name server addresses exclusively for PPP clients and not for domain name server resolution.

• Use to specify the IP address of the DNS primary name server.

• Example

host1(config)#aaa dns primary 10.10.10.5

• Use the no version to set the corresponding address to 0.0.0.0.

aaa dns secondary

aaa ipv6-dns primary

aaa ipv6-dns secondary

• See aaa dns

• Use to specify the IP address of the DNS secondary name server.

• Example

host1(config)#aaa dns secondary 10.10.10.6

• Use the no version to set the corresponding address to 0.0.0.0.

• See aaa dns

• Use to specify the IPv6 address of the DNS primary name server.

• Example

host1(config)#aaa ipv6-dns primary 2001:db8::8001

• Use the no version to set the corresponding address to 0 (or ::).

• See aaa ipv6-dns

• Use to specify the IPv6 address of the DNS secondary name server.

• Example

host1(config)#aaa ipv6-dns secondary 2001:db8::8002

• Use the no version to set the corresponding address to 0 (or ::).

• See aaa ipv6-dns

Page 90

JunosE 11.3.x Broadband Access Configuration Guide

WINS Primary and Secondary NMS Configuration

To configure the WINS primary and secondary name server addresses:

1. Specify the IP address of the WINS primary name server.

host1(config)#aaa wins primary 192.168.10.05

2. Specify the IP address of the WINS secondary name server.

host1(config)#aaa wins secondary 192.168.10.40

NOTE: The router uses name server addresses exclusively for PPP clients and not for domain name server resolution.

aaa wins primary

• Use to specify the IP address of the WINS primary name server.

• Example

host1(config)#aaa wins primary 192.168.10.05

• Use the no version to set the corresponding address to 0.0.0.0.

• See aaa wins

aaa wins secondary

• Use to specify the IP address of the WINS secondary name server.

• Example

host1(config)#aaa wins secondary 192.168.10.40

• Use the no version to set the corresponding address to 0.0.0.0.

• See aaa wins

Configuring Local Address Servers

The local address server allocates IP addresses from a pool of addresses stored locally on therouter. You can optionally configure shared local address pools toobtain addresses from a DHCP local address pool that is in the same virtual router. Addresses are provided automatically to client sessions requiring an IP address from a virtual router that is configured to use a local address pool.

A local address server is defined in the context of a virtual router. You create a local address server when you configure thefirst local pool. Local address serversexist aslong as the virtual router exists or until you remove them by deleting all configured pools.

Figure 1 on page 53 illustrates the local address pool hierarchy. Multiple local address server instances, one per virtual router. can exist. Each local address server can have one or more local address pools. Each pool can contain a number of IP addresses that are available for allocation and used by clients, such as PPP sessions.

Page 91

Figure 1: Local Address Pool Hierarchy

Local Address Pool Ranges

As shown in Figure 1 on page 53, each local address pool is named and contains ranges of sequentiallyordered IP addresses. These addresses are allocatedwhen the AAAserver makes a request for an IP address.

If a local address pool range is exhausted, the next range of addresses is used. If all pool rangesare exhausted,you can configure anew range to extend or supplementthe existing range of addresses, or you can create a new pool. The newly created pool range is then used for future address allocation. If addresses allocated from the first pool range are released, then subsequent requests for addresses are taken from the first pool range.

Chapter 1: Configuring Remote Access

Addresses are assigned sequentially from a range within a pool. If a range has no addresses available, the next range within that pool is used. If a pool has no addresses available, the next configured pool is used, unless a specific pool is indicated.

Local Address Pool Aliases

An alias is an alternate name for an existing local address pool. It comprises an alias name and a pool name.

When the AAA server requests an IP address from a specific local address pool, the local address server firstverifies whether analias exists for therequestedpool. If an aliasexists, the IP address is allocated from the pool specified by the alias. If no alias exists, the IP address is allocated from the pool originally specified in the request.

The use of aliases simplifies management of subscribers. For example, you can use an alias to migrate subscribers from one local address pool to another. Instead of having to modify countless subscriber records on the AAA server, you create an alias to make the configuration change.

Shared Local Address Pools

Typically, the local address server allocates IP addresses from a pool of addresses that is stored locally on the router. However, shared local address pools enablea local address server to hand out addresses that are allocated from DHCP local server address pools within the same virtual router. The addresses are configured and managed within DHCP. Therefore, thresholds are not configured on the shared pool, but are instead managed by the referenced DHCP local server pool.

Page 92

JunosE 11.3.x Broadband Access Configuration Guide

A shared local address pool references one DHCP addresspool. The sharedlocaladdress pool can then obtain addresses from the referenced DHCP address pool and from any DHCP address pools that are linked to the referenced DHCP address pool.

Figure 2 on page 54 illustrates a shared local address pool environment that includes four linked DHCP address pools. In the figure, both Shared_LAS_Pool_A and Shared_LAS_Pool_B reference DHCP_Pool_1, and can therefore obtain addresses from all four DHCP address pools. Shared_LAS_Pool_C references DHCP_Pool_3 and can get addresses from DHCP_Pool_3 and DHCP_Pool_4.

Figure 2: Shared Local Address Pools

When the local address server requests an address from a shared address pool, the address is returned from the referenced DHCP pool or a subsequent linked pool. If no address is available, DHCP notifies the local address server and the search is ended.

Keep the following guidelines in mind when using shared local address pools:

•

The DHCPattributesdo not apply to sharedlocal address pools;for example, thelease time for shared local address pools is infinite.

•

When you delete the referenced DHCP address pool, DHCP notifies the local address server and logs out all subscribers that are using addresses from the deleted pool.

•

When you delete a shared local address pool, the local address server logs out the subscribers that are using addresses from the deleted pool, then notifies DHCP and releases the addresses.

•

If the chain of linked DHCP address pools is broken, no action is taken and the existing subscribers retain their address. However, the DHCP local address pools that are no longer part of the chain are now unable to provide any new addresses.

Example This following commands create the shared address pools in Figure 2 on page 54:

host1(config)#ip local shared-pool Shared_LAS_Pool_A DHCP_Pool_1 host1(config)#ip local shared-pool Shared_LAS_Pool_B DHCP_Pool_1 host1(config)#ip local shared-pool Shared_LAS_Pool_C DHCP_Pool_3

SNMP Thresholds

An address pool has SNMP thresholds associated with it that enable the local address server to signal SNMP traps when certain conditions exist. These thresholds include high utilization threshold and abated utilization threshold. If a pool’s outstanding addresses exceed the high utilization threshold and the SNMP trap signaling is enabled, SNMP is

Page 93

notified. Likewise, when a pool’s utilization drops below the abated threshold utilization threshold, SNMP is notified.

Configuring a Local Address Server

You can create, modify, and delete address pools. You can display address pool information or status with the show ip local pool command. The following are examples of tasks you can configure:

•

Specify an addressing scheme.

host1(config)#ip address-pool local

•

Map an address pool name to a range of local addresses. You can also use this command to add additional ranges to a pool.

host1(config)#ip local pool addrpool_10 192.168.56.10 192.168.56.15

•

Map a primary local address pool name to a domain name.

host1(config)#aaa domain-map westford.com host1(config-domain-map)#address-pool-name poolA

Chapter 1: Configuring Remote Access

•

(Optional) Map a backup address pool to a domain name, which is used for address allocation if the primary local address pool is fully allocated.

host1(config)#aaa domain-map westford.com host1(config-domain-map)#backup-address-pool-name backup_poolB

•

(Optional) Map the domain name to the IPv6 local address pool, which is used for prefix delegation. If the authentication server returns the prefix pool name in the Framed-Ipv6-Pool attribute of the RADIUS-Accept-Request message, this value overrides the IPv6 local pool configured using the ipv6-prefix-pool-name command.

host1(config)#aaa domain-map westford.com host1(config-domain-map)#ipv6-prefix-pool-name local_addr_pool

•

Delete an address pool.

host1(config)#no ip local pool addrpool_10

NOTE: If a pool or range is deleted and addresses are outstanding, the AAA server logs out the clients using the addresses.

•

Create a shared local address pool.

host1(config)#ip local shared-pool Shared_LAS_Pool_A DHCP_Pool_1

•

Delete a shared local address pool.

host1(config)#no ip local shared-pool Shared_LAS_Pool_C

•

Set SNMP variables by specifying an existing pool name and values.

host1(config)#ip local pool addrpool_10 warning 90 80

address-pool-name

Page 94

JunosE 11.3.x Broadband Access Configuration Guide

• Use to specify the name of the primary local address pool from which the router

allocates addresses for the domain that you are configuring.

• If the authentication server does not return anaddress, the router allocates an address

from this pool. The authentication server may override this pool name using RADIUS attributes such as Framed-Pool.

• The primary pool name is a character string up to 16 characters long.

• Example

host1(config)#aaa domain-map westford.com host1(config-domain-map)#address-pool-name poolA

• Use the no version to remove the primary local address pool name.

• See address-pool-name

backup-address-pool-name

• Use to specify the name of the backup local address pool from which the router

allocates addresses for thedomain that youare configuring, ifthe primarylocal address pool is fully allocated.

ip address-pool

• The backup local address pool takes effect only if you configured a valid primary local

address pool.

• If the primary local address pool has been fully allocated, and if you did not configure

a backup local address pool, the request is denied. This behavior is the same as what existed in previous JunosE releases.

• If the authentication server returns the backup local address pool name in the

RADIUS-Access-Accept message, this value overrides the backup address pool configured using the backup-address-pool-name command.

• You can specify a local address pool to be the backup address pool for some users

and the primary pool for other users.

• You can also use the same local address pool as the backup address pool for

subscribers using different primary address pools.

• The backup pool name is a character string up to 16 characters long.

• Example

host1(config)#aaa domain-map westford.com host1(config-domain-map)#backup-address-pool-name backup_poolB

• Use the no version to remove the backup address pool name.

• See backup-address-pool-name.

• Use to specify the addressing scheme: dhcp, local, or none.

• The addressing schemenone returns a special indicator to AAAthat enables theremote

PPP client to assign its own address.

• Example

Page 95

ip local alias

Chapter 1: Configuring Remote Access

host1(config)#ip address-pool dhcp

• Use the no version to specify the default, local.

• See ip address-pool

• Use to create an alias for an existing local address pool. The IP address is allocated

from the poolspecified by the alias ratherthan from the pool specified inthe IP address request.

• An alias name may contain up to 16 characters.

• You can configure a maximum of 32 aliases per virtual router.

• A local address pool can have multiple aliases.

• You can set the name of the alias to match the name of a local address pool; however,

the two names used in the alias cannot be the same.

• You can modify an existing alias with a different local address pool name.

ip local pool

ip local pool snmpTrap

• When a local address pool is deleted, all aliases with the matching pool name are also

deleted.

• Example

host1(config)#ip local alias groupB pool-name addrpool_10

• Use the no version to remove the alias name.

• See ip local alias

• Use to map an address pool name to a range of local addresses.

• You can create a pool with no address ranges configured for it.

• A name may contain up to 16 characters.

• Example

host1(config)#ip local pool addrpool_10 192.168.56.10 192.168.56.15

• Use the no version to remove the local pool (all ranges), or the specified range.

• See ip local pool

• Use to enable SNMP pool utilization traps.

• Example

host 1(config)#ip local pool addr_test snmpTrap

• Use the no version to disable SNMP pool utilization traps.

• See ip local pool snmpTrap

ip local pool warning

Page 96

JunosE 11.3.x Broadband Access Configuration Guide

• Use to set SNMP utilization warning threshold values.

• Example

host1(config)#ip local pool addr_test warning 90 80

• Use the no version to reset the attributes to their default values; high threshold 85,

abated threshold 75.

• See ip local pool warning

ip local shared-pool

• Use to create a local shared address pool and to specify the DHCP address pool that

provides the addresses.

• You can reference a DHCP address pool that has not yet been configured.

• Example

host1(config)#ip local shared-pool sharedPool11 dhcpPool6

• Use the no version to delete a specific local shared address pool.

ipv6-prefix-pool-name

• See ip local shared-pool

• Use to specify the name of the IPv6 local address pool from which the delegating

router allocates prefixes to the requesting routers for the domain that you are configuring.

• When a user is authenticated using a RADIUS server, the RADIUS server might return

one or more of the following attributes in the Access-Accept message in response to the client authentication request:

• Ipv6-NdRa-Prefix (VSA 26-129)

• Framed-IPv6-Prefix (RADIUS IETF attribute 97)

• Delegated-IPv6-Prefix (RADIUS IETF attribute 123)

• Framed-IPv6-Pool (RADIUS IETF attribute 100)

• The prefix orpool namethat the authentication server returns in anyof these attributes

of the RADIUS-Access-Accept message takes priority over the local prefix pool name configured for the domain map.

• If the pool name or prefix is not present in the RADIUS-Access-Accept message, the

IPv6 local address pool name configured using the ipv6-prefix-pool-name command is used to delegate prefixes to requesting DHCPv6 clients.

• The IPv6 local pool name is a character string up to 16 characters long.

• Example

host1(config)#aaa domain-map sunnyvale.com host1(config-domain-map)#ipv6-prefix-pool-name local_addr_pool

Page 97

• Use the no version to remove the IPv6 local address pool name from the domain map.

• See ipv6-prefix-pool-name.

Configuring DHCP Features

DHCP provides a mechanism through which computers using Transmission Control Protocol/IP (TCP/IP) can obtain an IP address and protocol configuration parameters automatically from a DHCP server on the network.

The E Series router provides support for the following DHCP features:

•

DHCP proxy client

•

DHCP relay agent

•

DHCP relay proxy

•

DHCP local server

•

DHCP external server

Chapter 1: Configuring Remote Access

For more information about DHCP, see “DHCP Overview Information” on page 457.

Creating an IP Interface

You can configure IP interfaces that support the following configurations:

•

A single PPP client per ATM or Frame Relay subinterface

•

Multiple PPP clients per ATM subinterface

Single Clients per ATM Subinterface

Figure 3 on page 59 shows a conceptual view of the configuration of a single PPP client per ATM subinterface.

Figure 3: Single PPP Clients per ATM Subinterface

Configurean ATM interface byentering Configuration modeand performingthe following tasks. For more information about configuring ATM interfaces, see JunosE Link Layer Configuration Guide.

1. Configure a physical interface.

host1(config)#interface atm 0/1

Page 98

JunosE 11.3.x Broadband Access Configuration Guide

2. Configure the subinterface.

host1(config-if)#interface atm 0/1.20

3. Configure a permanent virtual circuit (PVC) by specifying the vcd (virtual circuit

descriptor), the vci (virtual channel identifier), the vpi (virtual path identifier), and the encapsulation type.

host1(config-if)#atm pvc 10 22 100 aal5snap

4. Configure PPP encapsulation.

host1(config-if)#encapsulation ppp

5. Configure PAP or CHAP authentication.

host1((config-if))#ppp authentication chap

6. Assign a profile to the PPP interface.

host1(config-subif)#profile foo

Multiple Clients per ATM Subinterface

Figure 4 on page 60 shows how PPPoE supports multiplexing of multiple PPP sessions per ATM subinterface.

Figure 4: Multiple PPP Clients per ATM Subinterface

Configurean ATM interface byentering Configuration modeand performingthe following tasks. For more information about configuring ATM interfaces, see JunosE Link Layer Configuration Guide.

1. Configure a physical interface.

host1(config)#interface atm 0/1

2. Configure the subinterface.

host1(config-if)#interface atm 0/1.20

3. Configure aPVCby specifying thevcd (virtual circuitdescriptor), the vci(virtual channel

identifier), the vpi (virtual path identifier), and the encapsulation type.

host1(config-if)#atm pvc 10 22 100 aal5snap

4. Configure PPPoE encapsulation.

Page 99

host1(config-if)#encapsulation pppoe

5. Configure the subinterface for one PPP client.

host1(config-if)#interface atm 0/1.20.1

6. Configure PPP encapsulation.

host1(config-if)#encapsulation ppp

7. Configure PAP or CHAP authentication.

host1((config-if))#ppp authentication chap

8. Apply the profile to the PPP interface.

host1(config-subif)#profile foo2

9. Configure the subinterface for a second PPP client.

host1(config-if)#interface atm 0/1.20.2

10. Configure PPP encapsulation.

host1(config-if)#encapsulation ppp

Chapter 1: Configuring Remote Access

11. Configure PAP or CHAP authentication.

host1((config-if))#ppp authentication chap

12. Apply the profile to the PPP interface.

host1(config-subif)#profile foo2

Configuring AAA Profiles

An AAA profile is a set of characteristics that act as a pattern that you can assign to domain names. Once you create an AAA profile, you can map it between a PPP client’s domain name and certain AAA services on given interfaces. Using AAA profiles, you can:

•

Allow or deny a domain name access to AAA authentication

•

Map the original domain name to the mapped domain name for domain name lookup

•

Use domain name aliases

•

Force tunneling whenever a domain map contains tunnel attributes

•

Manually set the NAS-Port-Type attribute (RADIUS attribute 61) for ATM and Ethernet interfaces

•

Set the Service-Description attribute (RADIUS attribute 26-53)

An AAA profile contains a set of commands to control access for the incoming PPP subscriber. If no AAA profile is used, AAA continues as normal. The user’s name and domain name are not changed as a result of an AAA profile mapping.

Page 100

JunosE 11.3.x Broadband Access Configuration Guide

NOTE: There are two domain names with special meaning. The domain name

none indicates that there is no domain name present in the subscriber’s name. For more information about none, see the section “Mapping User Requests Without a Valid Domain Name” on page 8. The domain name default indicates that no other match occurs. For more information about default, see the section “Mapping User Requests Without a Configured Domain Name” on page 9.

Allowing or Denying Domain Names

You can control a PPP subscriber’s access to certain domains on given interfaces. As the administrator, you can use the deny command to prevent PPP subscribers from using unauthorized domain names. Using the allow command, you can allow PPP subscribers to use authorized domain names.

Configuration Example

In this example, the administrator wants to restrict access of a PPP interface to the specific domain abc.com.

1. Create an AAA profile.

host1(config)#aaa profile restrictToABC

2. Specify the domain name you want to allow.

host1(config-aaa-profile)#allow abc.com

3. Specify the domain name you want to restrict.

host1(config-aaa-profile)#deny default

4. Associate the AAA profile to the designated PPP interface.

host1(config-if)#ppp aaa-profile restrictToABC

When configured as such, the following is a likely scenario:

•

PPP passes the AAA profile restrictToABC to AAA in the authentication request.

•

AAA performs the following:

•

Receives the authentication request from PPP with the subscriber’s name will@xyz.com.

•

Parses the domain name xyz.com and examines the specified AAA profile restrictToABC.

•

Determines that the AAA profile restrictToABC is valid.

•

Searches restrictToABC for a match on the PPP subscriber’s domain name and finds no match.

•

Searches restrictToABC for a match on the domain name default.

•

Finds a match and denies the user access.

Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12, JUNOSE 11.3 Configuration Manual

Specifications and Main Features

Frequently Asked Questions

User Manual