Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12, JUNOSE 11.3 Configuration Manual

JunosE™ Software for E Series™ Broadband Services Routers

Broadband Access Configuration Guide

Release

11.3.x

Published: 2010-10-12

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

JunosE™ Software for E Series™ Broadband Services Routers Broadband Access Configuration Guide

Writing: Mark Barnard, Diane Florio, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Fran Singer, Poornima Goswami, Chander Aima, Hema Priya J, Krupa Chandrashekar, Subash Babu Asokan, Sairam Venugopalan, Namrata Mehta Editing: Benjamin Mann, Alana Calapai Illustration: Nathaniel Woodward Cover Design: Edmonds Design

Revision History October 2010—FRS JunosE 11.3.x

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THISAGREEMENT. IF YOU DO NOTOR CANNOT AGREE TO THE TERMSCONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks(Cayman)Limited(if the Customer’s principaloffice is locatedoutside the Americas)(such applicable entity beingreferred to herein as“Juniper”), and (ii)the person ororganizationthat originally purchased from Juniperor an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper oran authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicablefeesand the limitations andrestrictions set forthherein, Juniper grantsto Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limitstoCustomer’suse ofthe Software.Such limitsmay restrict use toa maximum number of seats, registeredendpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in anyform, to anythird party; (d)removeany proprietary notices, labels,or marks on or in any copyof the Softwareor anyproduct in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in thesecondhandmarket;(f) use any‘locked’ orkey-restricted feature,function, service, application,operation,or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercialefforts to maintain the Software and associated documentation in confidence, which at a minimum includes restrictingaccess to the Software to Customer employees and contractors havinga need touse the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthataccompaniesthe Software (the “Warranty Statement”). Nothing inthis Agreement shallgive rise to anyobligation tosupport the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS ORPROCUREMENT OFSUBSTITUTE GOODSOR SERVICES,OR FORANYSPECIAL,INDIRECT, ORCONSEQUENTIALDAMAGES ARISING OUTOF THIS AGREEMENT,THE SOFTWARE,OR ANY JUNIPEROR JUNIPER-SUPPLIED SOFTWARE. IN NOEVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations ofconfidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embeddedin the Software and any supplier ofJuniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shallhave theright to enforce this Agreement in its own nameas if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Abbreviated Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . . 111

Part 2 Managing RADIUS and TACACS+

Chapter 3 Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Chapter 4 Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 237

Chapter 5 Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Chapter 6 RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Chapter 7 Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Chapter 8 Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Chapter 9 Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Chapter 10 Monitoring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Part 3 Managing L2TP

Chapter 11 L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Chapter 12 Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Chapter 13 Configuring an L2TP LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Chapter 14 Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Chapter 15 L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Chapter 16 Monitoring L2TP and L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Part 4 Managing DHCP

Chapter 17 DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

Chapter 18 DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Chapter 19 Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Chapter 20 Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Chapter 21 Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 519

Chapter 22 Monitoring and Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Part 5 Managing the Subscriber Environment

Chapter 23 Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

JunosE 11.3.x Broadband Access Configuration Guide

Chapter 24 Monitoring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Chapter 25 Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

Chapter 26 Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Part 6 Managing Subscriber Services

Chapter 27 Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Chapter 28 Monitoring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697

Part 7 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725

Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

E Series and JunosE Documentation and Release Notes . . . . . . . . . . . . . . . . . . xxxv

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

E Series and JunosE Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . xxxv

Obtaining Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxviii

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Remote Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

B-RAS Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Configuring IP Addresses for Remote Clients . . . . . . . . . . . . . . . . . . . . . . . . . . 4

AAA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Remote Access Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

B-RAS Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Remote Access References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Before You Configure B-RAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Remote Access Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Configuring a B-RAS License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Mapping a User Domain Name to a Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Mapping User Requests Without a Valid Domain Name . . . . . . . . . . . . . . . . . 8

Mapping User Requests Without a Configured Domain Name . . . . . . . . . . . . . 9

Using DNIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Redirected Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

IP Hinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Setting Up Domain Name and Realm Name Usage . . . . . . . . . . . . . . . . . . . . . . . . 12

Using the Realm Name as the Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . 13

Using Delimiters Other Than @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Using Either the Domain or the Realm as the Domain Name . . . . . . . . . . . . . 13

Specifying the Domain Name or Realm Name Parse Direction . . . . . . . . . . . . 13

Stripping the Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Domain Name and Realm Name Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Specifying a Single Name for Users from a Domain . . . . . . . . . . . . . . . . . . . . . . . . 16

Configuring RADIUS Authentication and Accounting Servers . . . . . . . . . . . . . . . . 18

Server Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Server Request Processing Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Authentication and Accounting Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

JunosE 11.3.x Broadband Access Configuration Guide

Supporting Exchange of Extensible Authentication Protocol Messages . . . . 20

Immediate Accounting Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Duplicate and Broadcast Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring AAA Duplicate Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Configuring AAA Broadcast Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Overriding AAA Accounting NAS Information . . . . . . . . . . . . . . . . . . . . . . 22

UDP Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Collecting Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Configuring RADIUS AAA Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

SNMP Traps and System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Configuring Local Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Creating the Local Authentication Environment . . . . . . . . . . . . . . . . . . . . . . . 39

Creating Local User Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Adding User Entries to Local User Databases . . . . . . . . . . . . . . . . . . . . . . . . . 40

Using the username Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Using the aaa local username Command . . . . . . . . . . . . . . . . . . . . . . . . 40

Assigning a Local User Database to a Virtual Router . . . . . . . . . . . . . . . . . . . . 41

Enabling Local Authentication on the Virtual Router . . . . . . . . . . . . . . . . . . . . 41

Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Local Authentication Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Configuring Tunnel Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuring Name Server Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

DNS Primary and Secondary NMS Configuration . . . . . . . . . . . . . . . . . . 50

WINS Primary and Secondary NMS Configuration . . . . . . . . . . . . . . . . . . 52

Configuring Local Address Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Local Address Pool Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Local Address Pool Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

SNMP Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Configuring a Local Address Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Configuring DHCP Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Creating an IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Single Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Multiple Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Configuring AAA Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Allowing or Denying Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Using Domain Name Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Manually Setting NAS-Port-Type Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Service-Description Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Using RADIUS Route-Download Server to Distribute Routes . . . . . . . . . . . . . . . . 69

Format of Downloaded Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Framed-Route (RADIUS attribute 22) . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Cisco-AVPair (Cisco VSA 26-1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

How the Route-Download Server Downloads Routes . . . . . . . . . . . . . . . . . . 70

Table of Contents

Configuring the Route-Download Server to Download Routes . . . . . . . . . . . . 70

Using the AAA Logical Line Identifier to Track Subscribers . . . . . . . . . . . . . . . . . . 74

How the Router Obtains and Uses the LLID . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

RADIUS Attributes in Preauthentication Request . . . . . . . . . . . . . . . . . . . . . . 75

Considerations for Using the LLID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Configuring the Router to Obtain the LLID for a Subscriber . . . . . . . . . . . . . . 76

Troubleshooting Subscriber Preauthentication . . . . . . . . . . . . . . . . . . . . . . . . 79

Using VSAs for Dynamic IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Traffic Shaping for PPP over ATM Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Mapping Application Terminate Reasons to RADIUS Terminate Codes . . . . . . . . 82

Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Configuring Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Limiting Active Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Notifying RADIUS of AAA Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring Standard RADIUS IPv6Attributesfor IPv6 Neighbor Discovery Router

Advertisements and DHCPv6 Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . 88

Duplicate IPv6 Prefix Check Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Configuring Duplicate IPv6 Prefix Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Propagation of LAG Subscriber Information to AAA and RADIUS . . . . . . . . . . . . . 90

Configuring the SRC Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Retrieval of DSL Line Rate Information from Access Nodes Overview . . . . . . . . 100

DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview . . . . . . . . 101

DHCPv6 Prefix Delegation Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Order of Preference in Determining the Local Address Pool for Allocating

Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Order of Preference in Allocating Prefixes and Assigning DNS Addresses to

Requesting Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Configuring the DHCPv6 Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Limitation on the Number of Prefixes Used by Clients . . . . . . . . . . . . . . . . . . 107

Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links

Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Chapter 2 Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . . 111

Setting Baselines for Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Setting a Baseline for AAA Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Setting a Baseline for AAA Route Downloads . . . . . . . . . . . . . . . . . . . . . . . . . 113

Setting a Baseline for COPS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Setting a Baseline for Local Address Pool Statistics . . . . . . . . . . . . . . . . . . . . 113

Setting a Baseline for RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Setting the Baseline for SRC Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

How to Monitor PPP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Monitoring AAA Accounting Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Monitoring AAA Accounting Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Monitoring Accounting Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Monitoring Specific Virtual Router Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Monitoring the Default AAA Authentication Method List . . . . . . . . . . . . . . . . . . . 116

Monitoring Domain and Realm Name Delimiters . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Monitoring Mapping Between User Domains and Virtual Routers . . . . . . . . . . . . . 117

Monitoring Tunnel Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

JunosE 11.3.x Broadband Access Configuration Guide

Monitoring Routing Table Address Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Monitoring the AAA Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Monitoring IP Addresses of Primary and Secondary DNS and WINS Name

Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Monitoring AAA Profile Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Monitoring Statistics about the RADIUS Route-Download Server . . . . . . . . . . . . 121

Monitoring Routes Downloaded by the RADIUS Route-Download Server . . . . . . 123

Monitoring Chassis-Wide Routes Downloaded by RADIUS Route-Download

Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Monitoring Authentication, Authorization, and Accounting Statistics . . . . . . . . . 126

Monitoring the Number of Active Subscribers Per Port . . . . . . . . . . . . . . . . . . . . . 128

Monitoring the Maximum Number of Active Subscribers Per Virtual Router . . . . 128

Monitoring Session Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Monitoring Interim Accounting for Users on the Virtual Router . . . . . . . . . . . . . . 129

Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting . . . 129

Monitoring Configuration Information for AAA Local Authentication . . . . . . . . . . 130

Monitoring AAA Server Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Monitoring the COPS Layer Over SRC Connection . . . . . . . . . . . . . . . . . . . . . . . . 133

Monitoring Statistics About the COPS Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Monitoring Local Address Pool Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Monitoring Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Monitoring Local Address Pool Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Monitoring Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Monitoring the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Monitoring the B-RAS License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Monitoring the RADIUS Server Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Monitoring RADIUS Override Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Monitoring the RADIUS Rollover Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Monitoring RADIUS Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Monitoring RADIUS Services Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Monitoring RADIUS SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Monitoring RADIUS Accounting for L2TP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . 148

Monitoring RADIUS UDP Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Monitoring RADIUS Server IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router

Advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation . . . . . . . . 149

Monitoring Duplicate IPv6 Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Monitoring SRC Client Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Monitoring SRC Client Connection Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Monitoring the SRC Client Version Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Monitoring Subscriber Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Monitoring Application Terminate Reason Mappings . . . . . . . . . . . . . . . . . . . . . . 159

Monitoring IPv6 Local Pools for DHCP Prefix Delegation By All Configured

Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name . . . . . . . 162

Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation . . . . . . . . . . . . 163

Table of Contents

Part 2 Managing RADIUS and TACACS+

Chapter 3 Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

RADIUS Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

RADIUS References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Subscriber AAA Access Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Supported RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Supported Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Subscriber AAA Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Supported RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Supported Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Tunnel Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

DSL Forum VSAs in AAA Access and Accounting Messages . . . . . . . . . . . . . . . . 186

CLI AAA Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

CLI Commands Used to Modify RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . 188

RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

[4] NAS-IP-Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

[5] NAS-Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

[8] Framed-IP-Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

[9] Framed-Ip-Netmask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

[13] Framed-Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

[22] Framed-Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

[25] Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

[30] Called-Station-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

[31] Calling-Station-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

[32] NAS-Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

[41] Acct-Delay-Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

[44] Acct-Session-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

[45] Acct-Authentic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

[49] Acct-Terminate-Cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

[50] Acct-Multi-Session-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

[51] Acct-Link-Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

[52] Acct-Input-Gigawords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

[53] Output-Gigawords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

[55] Event-Timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

[61] NAS-Port-Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

[64] Tunnel-Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

[65] Tunnel-Medium-Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

[66] Tunnel-Client-Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

[67] Tunnel-Server-Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

[68] Acct-Tunnel-Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

[77] Connect-Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

[82] Tunnel-Assignment-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

[83] Tunnel-Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

[87] NAS-Port-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

[90] Tunnel-Client-Auth-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

JunosE 11.3.x Broadband Access Configuration Guide

[91] Tunnel-Server-Auth-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

[96] Framed-Interface-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

[97] Framed-Ipv6-Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

[99] Framed-Ipv6-Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

[100] Framed-Ipv6-Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

[123] Delegated-Ipv6-Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

[188] Ascend-Num-In-Multilink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

All Tunnel Server Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Juniper Networks Vendor-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . 217

[26-1] Virtual-Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

[26-10] Ingress-Policy-Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

[26-11] Egress-Policy-Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

[26-14] Service-Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

[26-15] PCR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

[26-16] SCR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

[26-17] MBS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

[26-24] Pppoe-Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

[26-35] Acct-Input-Gigapackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

[26-36] Acct-Output-Gigapackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

[26-44] Tunnel-Interface-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

[26-45] Ipv6-Virtual-Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

[26-46] Ipv6-Local-Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

[26-47] Ipv6-Primary-DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

[26-48] Ipv6-Secondary-DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

[26-51] Disconnect-Cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

[26-53] Service-Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

[26-55] DHCP-Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

[26-56] DHCP-MAC-Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

[26-57] DHCP-GI-Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

[26-62] MLPPP-Bundle-Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

[26-63] Interface-Desc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

[26-81] L2C-Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

[26-92] L2C-Up-Stream-Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

[26-93] L2C-Down-Stream-Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

[26-129] Ipv6-NdRa-Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

[26-141] Downstream-Calculated-Qos-Rate . . . . . . . . . . . . . . . . . . . . . 227

[26-142] Upstream-Calculated-Qos-Rate . . . . . . . . . . . . . . . . . . . . . . . 228

[26-143] Max-Clients-Per-Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

[26-150] ICR-Partition-Id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

All IPv6 Accounting Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

[26-159] DHCP-Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

ANCP-Related Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

DSL Forum Vendor-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Including or Excluding Attributes in RADIUS Messages . . . . . . . . . . . . . . . . . 234

Ignoring Attributes When Receiving Access-Accept Messages . . . . . . . . . . 234

Chapter 4 Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 237

RADIUS Dynamic-Request Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

RADIUS Dynamic-Request Server Platform Considerations . . . . . . . . . . . . . . . . 238

Table of Contents

RADIUS Dynamic-Request Server References . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

How RADIUS Dynamic-Request Server Works . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

RADIUS-Initiated Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Disconnect Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Message Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Supported Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . 240

Qualifications for Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Configuring RADIUS-Initiated Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

RADIUS-Initiated Change of Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Change-of-Authorization Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Message Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Supported Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . 242

Qualifications for Change of Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Configuring RADIUS-Initiated Change of Authorization . . . . . . . . . . . . . . . . . . . . 244

RADIUS Dynamic-Request Server Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Monitoring RADIUS Dynamic-Request Servers . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Chapter 5 Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

RADIUS Relay Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

RADIUS Relay Server Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 248

RADIUS Relay Server References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

How RADIUS Relay Server Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Authentication and Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Terminating the Wireless Subscriber’s Connection . . . . . . . . . . . . . . . . . . . . 250

RADIUS Relay Server and the SRC Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Using the SRC Software for Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Using the SRC Application for Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Configuring RADIUS Relay Server Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Monitoring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Chapter 6 RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

DSL Forum VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Pass Through RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

RADIUS Attributes References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Chapter 7 Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

AAA Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

L2TP Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

PPP Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

RADIUS Client Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Chapter 8 Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Monitoring Override Settings of RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . 303

Monitoring the NAS-Port-Format RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . 304

Monitoring the Calling-Station-Id RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . 305

JunosE 11.3.x Broadband Access Configuration Guide

Monitoring the NAS-Identifier RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . 305

Monitoring the Format of the Remote-Circuit-ID for RADIUS . . . . . . . . . . . . . . . 305

Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS . . . . . 306

Monitoring the Acct-Session-Id RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . 306

Monitoring the DSL-Port-Type RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . 306

Monitoring the Connect-Info RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Monitoring the NAS-Port-ID RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Monitoring Included RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Monitoring Ignored RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Setting the Baseline for RADIUS Dynamic-Request Server Statistics . . . . . . . . . 310

Monitoring RADIUS Dynamic-Request Server Statistics . . . . . . . . . . . . . . . . . . . 310

Monitoring the Configuration of the RADIUS Dynamic-Request Server . . . . . . . . 311

Setting a Baseline for RADIUS Relay Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Monitoring RADIUS Relay Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Monitoring the Configuration of the RADIUS Relay Server . . . . . . . . . . . . . . . . . . 314

Monitoring the Status of RADIUS Relay UDP Checksums . . . . . . . . . . . . . . . . . . 315

Monitoring the Status of ICR Partition Accounting . . . . . . . . . . . . . . . . . . . . . . . . 315

Chapter 9 Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

TACACS+ Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

AAA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Administrative Login Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Privilege Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

TACACS+ Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

TACACS+ References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Before You Configure TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Configuring TACACS+ Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Configuring Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Chapter 10 Monitoring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Setting Baseline TACACS+ Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Monitoring TACACS+ Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Monitoring TACACS+ Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Part 3 Managing L2TP

Chapter 11 L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

L2TP Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Implementing L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Packet Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

L2TP Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

L2TP Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Sequence of Events on the LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Sequence of Events on the LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

ERX7xx Models, ERX14xx Models, and the ERX310 Router . . . . . . . . . . . . . 340

E120 Router and E320 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340

Table of Contents

Sessions and Tunnels Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

L2TP References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342

Chapter 12 Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

LAC Configuration Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Modifying L2TP LAC Default Settings for Managing Destinations, Tunnels, and

Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Generating UDP Checksums in Packets to L2TP Peers . . . . . . . . . . . . . . . . . . . . 345

Specifying a Destruct Timeout for L2TP Tunnels and Sessions . . . . . . . . . . . . . 346

Preventing Creation of New Destinations, Tunnels, and Sessions . . . . . . . . . . . . 346

Preventing Creation of New Destinations, Tunnels, and Sessions on the

Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Preventing Creation of New Tunnels and Sessions at a Destination . . . . . . 347

Preventing Creation of New Sessions for a Tunnel . . . . . . . . . . . . . . . . . . . . 347

Specifying a Drain Timeout for a Disconnected Tunnel . . . . . . . . . . . . . . . . . 347

Shutting Down Destinations, Tunnels, and Sessions . . . . . . . . . . . . . . . . . . . . . . 347

Closing Existing and Preventing New Destinations, Tunnels, and Sessions

on the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Closing Existing and Preventing New Tunnels and Sessions for a

Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Closing Existing and Preventing New Sessions in a Specific Tunnel . . . . . . 348

Closing a Specific Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Specifying the Number of Retransmission Attempts . . . . . . . . . . . . . . . . . . . . . . 349

Configuring Calling Number AVP Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Calling Number AVP 22 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . 353

Configuring the Fallback Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

Disabling the Calling Number AVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

Mapping a User Domain Name to an L2TP Tunnel Overview . . . . . . . . . . . . . . . 358

Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel

Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel

Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Configuring the RX Speed on the LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

Managing the L2TP Destination Lockout Process . . . . . . . . . . . . . . . . . . . . . . . . 365

Modifying the Lockout Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Verifying That a Locked-Out Destination Is Available . . . . . . . . . . . . . . . . . . 367

Configuring a Lockout Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Unlocking a Destination that is Currently Locked Out . . . . . . . . . . . . . . . . . . 367

Starting an Immediate Lockout Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368

Managing Address Changes Received from Remote Endpoints . . . . . . . . . . . . . 368

Configuring LAC Tunnel Selection Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Configuring the Failover Between Preference Levels Method . . . . . . . . . . . 369

Configuring the Failover Within a Preference Level Method . . . . . . . . . . . . . 370

Configuring the Maximum Sessions per Tunnel . . . . . . . . . . . . . . . . . . . . . . . 371

Configuring the Weighted Load Balancing Method . . . . . . . . . . . . . . . . . . . . 371

Chapter 13 Configuring an L2TP LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

LNS Configuration Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Configuring an LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

Creating an L2TP Destination Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

JunosE 11.3.x Broadband Access Configuration Guide

Creating an L2TP Host Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Configuring the Maximum Number of LNS Sessions . . . . . . . . . . . . . . . . . . . . . . 378

Configuring the RADIUS Connect-Info Attribute on the LNS . . . . . . . . . . . . . . . . 379

Overriding LNS Out-of-Resource Result Codes 4 and 5 . . . . . . . . . . . . . . . . . . . . 379

Overriding the Result Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

Displaying the Current Override Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

Selecting Service Modules for LNS Sessions Using MLPPP . . . . . . . . . . . . . . . . 380

Assigning Bundled Group Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Overriding All Endpoint Discriminators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Enabling Tunnel Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Creating Persistent Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Testing Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Managing L2TP Destinations, Tunnels, and Sessions . . . . . . . . . . . . . . . . . . . . . 383

Configuring Disconnect Cause Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

Generating the Disconnect Cause AVP Globally . . . . . . . . . . . . . . . . . . . . . . 384

Generating the Disconnect Cause AVP with a Host Profile . . . . . . . . . . . . . 384

Enabling RADIUS Accounting for Disconnect Cause . . . . . . . . . . . . . . . . . . . 385

Displaying Disconnect Cause Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Configuring the Receive Window Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Configuring the Default Receive Window Size . . . . . . . . . . . . . . . . . . . . . . . 386

Configuring the Receive Window Size on the LAC . . . . . . . . . . . . . . . . . . . . 386

Configuring the Receive Window Size on the LNS . . . . . . . . . . . . . . . . . . . . . 387

Configuring Peer Resynchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Configuring Peer ResynchronizationforL2TP HostProfiles andAAA Domain

Map Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Configuring the Global L2TP Peer Resynchronization Method . . . . . . . . . . . 390

Using RADIUS to Configure Peer Resynchronization . . . . . . . . . . . . . . . . . . . 391

Configuring L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Applying the L2TP Tunnel Switch Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Configuring L2TP AVPs for Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Enabling Tunnel Switching on the Router . . . . . . . . . . . . . . . . . . . . . . . 394

Configuring L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . . . . . 394

Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps . . . 395

Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups . . 395

Applying Default L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . 396

Applying L2TP Tunnel Switch Profiles by Using RADIUS . . . . . . . . . . . . 397

Configuring the Transmit Connect Speed Calculation Method . . . . . . . . . . . . . . 397

Transmit Connect Speed Calculation Methods . . . . . . . . . . . . . . . . . . . . . . 398

Static Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Dynamic Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Actual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Transmit Connect Speed Calculation Examples . . . . . . . . . . . . . . . . . . . . . . 399

Example 1: L2TP Session over ATM 1483 Interface . . . . . . . . . . . . . . . . 399

Example 2: L2TP Session over Ethernet VLAN Interface . . . . . . . . . . . 400

Table of Contents

Transmit Connect Speed Reporting Considerations . . . . . . . . . . . . . . . . . . . 401

Session Termination for Dynamic Speed Timeout . . . . . . . . . . . . . . . . . 401

Advisory Speed Precedence for VLANs over Bridged Ethernet . . . . . . . 401

Using AAA Domain Maps to Configure the Transmit Connect Speed

Calculation Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Using AAA Tunnel Groups to Configure the Transmit Connect Speed

Calculation Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

Using AAA Default Tunnel Parameters to Configure the Transmit Connect

Speed Calculation Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Using RADIUS to Configure the Transmit Connect Speed Calculation

Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

PPP Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

Stateful Line Module Switchover for LNS Sessions . . . . . . . . . . . . . . . . . . . . . . . 406

Chapter 14 Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

L2TP Dial-Out Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Network Model for Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Dial-Out Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Dial-Out Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Outgoing Call Setup Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Access-Request Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Access-Accept Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Outgoing Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

Mutual Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Route Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

L2TP Dial-Out Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

L2TP Dial-Out References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Before You Configure L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Monitoring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

Chapter 15 L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Chapter 16 Monitoring L2TP and L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Monitoring the Mapping for User Domains and Virtual Routers with AAA . . . . . 425

Monitoring Configured Tunnel Groups with AAA . . . . . . . . . . . . . . . . . . . . . . . . . 428

Monitoring Configuration of Tunnel Parameters with AAA . . . . . . . . . . . . . . . . . 430

Monitoring Global Configuration Status on E Series Routers . . . . . . . . . . . . . . . . 431

Monitoring Detailed Configuration Information for Specified Destinations . . . . . 433

Monitoring Locked Out Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

Monitoring Configured Destination Profiles or Host Profiles . . . . . . . . . . . . . . . . 435

Monitoring Configured and Operational Status of all Destinations . . . . . . . . . . . 438

Monitoring Statistics on the Cause of a Session Disconnection . . . . . . . . . . . . . 438

Monitoring Detailed Configuration Information about Specified Sessions . . . . . 439

JunosE 11.3.x Broadband Access Configuration Guide

Monitoring Configured and Operational Summary Status . . . . . . . . . . . . . . . . . . 441

Monitoring Configured Switch Profiles on Router . . . . . . . . . . . . . . . . . . . . . . . . . 441

Monitoring Detailed Configuration Information about Specified Tunnels . . . . . . 442

Monitoring Configured and Operational Status of All Tunnels . . . . . . . . . . . . . . 445

Monitoring Chassis-wide Configuration for L2TP Dial-out . . . . . . . . . . . . . . . . . 446

Monitoring Status of Dial-out Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450

Monitoring Dial-out Targets within the Current VR Context . . . . . . . . . . . . . . . . . 452

Monitoring Operational Status within the Current VR Context . . . . . . . . . . . . . . 453

Part 4 Managing DHCP

Chapter 17 DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

DHCP Overview Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

Session and Resource Control Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

DHCP Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

DHCP References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Configuring the DHCP Access Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Configuring DHCP Proxy Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Logging DHCP Packet Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Viewing and Deleting DHCP Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Chapter 18 DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Embedded DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

DHCP Local Server and Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . 465

Equal-Access Mode Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

Local Pool Selection and Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . 466

The Connection Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

Standalone Mode Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

Local Pool Selection and Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . 468

Server Management Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

DHCP Local Server Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

DHCP Local Server Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Chapter 19 Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Configuring the DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Basic Configuration of DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Limiting the Number of IP Addresses Supplied by DHCP Local Server . . . . 474

Excluding IP Addresses from Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . 475

Configuring DHCP Local Server to Support Creation of Dynamic Subscriber

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

Differentiating Between Clients with the Same Client ID or Hardware

Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

Logging Out DHCP Local Server Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . 477

Clearing an IP DHCP Local Server Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

Using SNMP Traps to Monitor DHCP Local Server Events . . . . . . . . . . . . . . 478

Using DHCP Local Server Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

Configuring DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

Basic Configuration of DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . 480

Linking Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Table of Contents

Setting Grace Periods for Address Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Configuring AAA Authentication for DHCP Local Server Standalone Mode . . . . 483

Configuring the DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

Deleting DHCPv6 Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

Configuring the Router to Work with the SRC Software . . . . . . . . . . . . . . . . . . . . 487

Chapter 20 Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Configuring DHCP Relay and BOOTP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Enabling DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Removing Access Routes from Routing Tables and NVS . . . . . . . . . . . . . . . 492

Treating All Packets as Originating at Trusted Sources . . . . . . . . . . . . . . . . . 493

Assigning the Giaddr to Source IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . 493

Protecting Against Spoofed Giaddr and Relay Agent Option Values . . . . . . 493

Using the Broadcast Flag Setting to Control Transmission of DHCP Reply

Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

Interaction with Layer 2 Unicast Transmission Method . . . . . . . . . . . . . 495

Preventing DHCP Relay from Installing Host Routes by Default . . . . . . . . . 496

Configuration Example—Preventing Installation of Host Routes . . . . . 496

Including Relay Agent Option Values in the PPPoE Remote Circuit ID . . . . . 497

Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Configuring Layer 2 Unicast Transmission Method for Reply Packets to

DHCP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Using Option 60 Strings to Forward Client Traffic to Specific DHCP

Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

ConfigurationExample—UsingDHCP Relay Option 60 toSpecify Traffic

Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

Relaying DHCP Packets That Originate from a Cable Modem . . . . . . . . . . . 502

Configuring Relay Agent Option 82 Information . . . . . . . . . . . . . . . . . . . . . . 502

Preventing Option 82 Information from Being Stripped from Trusted Client

Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Configuring Relay Agent Information Option (Option 82) Suboption

Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

Format of the JunosE Data Field in the Vendor-Specific Suboption for

Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

Using the set dhcp relay agent sub-option Command to Enable Option

82 Suboption Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

Configuration Example—Using DHCP Relay Option 82 to Pass IEEE

802.1p Values to DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

Using the set dhcp relay agent Command to Enable Option 82

Suboption Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

Rate of DHCP Client Packets Processed by DHCP Relay Overview . . . . . . . . . . . 514

Manually Configuring the Maximum Rate of Client Packets Processed Per

Second by DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

Configuring the Rate of Client Packets Processed by DHCP Relay . . . . . . . . . . . . 515

Configuring DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Enabling DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Use the First Offer from a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Set a Timeout for DHCP Client Renewal Messages . . . . . . . . . . . . . . . . . . . . 516

JunosE 11.3.x Broadband Access Configuration Guide

Managing Host Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Selecting the DHCP Server Response . . . . . . . . . . . . . . . . . . . . . . . . . . . 517

Behavior for Bound Clients and Address Renewals . . . . . . . . . . . . . . . . 517

Chapter 21 Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 519

DHCP External Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Preservation of Dynamic Subscriber Interfaces with DHCP External Server

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

DHCP External Server Identification of Clients with Duplicate MAC Addresses

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

Configuration Guidelines for Using Duplicate MAC Mode . . . . . . . . . . . . . . . 523

Restrictions for Using Duplicate MAC Mode to Manage Clients . . . . . . . . . . 523

DHCP External Server Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . 524

Enabling and Disabling the DHCP External Server Application . . . . . . . . . . . . . . 524

Monitoring DHCP Traffic Between Remote Clients and DHCP Servers . . . . . . . . 524

Synchronizing the DHCP External Application and the Router . . . . . . . . . . . . . . 525

Configuring Interoperation with Ethernet DSLAMs . . . . . . . . . . . . . . . . . . . . . . . . 525

Configuring the DHCP External Server to Support the Creation of Dynamic

Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

Configuring DHCP ExternalServerto Control Preservation ofDynamic Subscriber

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay

and DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528

Deleting Clients from a Virtual Router’s DHCP Binding Table . . . . . . . . . . . . . . . 529

Configuring DHCP External Server to Uniquely Identify Clients with Duplicate

MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

Configuring DHCP External Server to Re-Authenticate Auto-Detected Dynamic

Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

Chapter 22 Monitoring and Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Setting Baselines for DHCP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Setting a Baseline for DHCP Relay and Relay Proxy . . . . . . . . . . . . . . . . . . . 534

Setting a Baseline for DHCP Proxy Server Statistics . . . . . . . . . . . . . . . . . . . 534

Setting a Baseline for DHCP External Server Statistics . . . . . . . . . . . . . . . . . 534

Setting a Baseline for DHCP Local Server Statistics . . . . . . . . . . . . . . . . . . . 535

Monitoring Addresses Excluded from DHCP Local Server Use . . . . . . . . . . . . . . 535

Monitoring DHCP Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536

Monitoring DHCP Binding Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536

Monitoring DHCP Binding Count Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

Monitoring DHCP Binding Host Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

Monitoring DHCP Bindings (Displaying IP Address-to-MAC Address

Bindings) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543

Monitoring DHCP Bindings (Displaying DHCP Bindings Based on Binding ID) . . 544

Monitoring DHCP Bindings (Local Server Binding Information) . . . . . . . . . . . . . 545

Monitoring DHCP External Server Configuration Information . . . . . . . . . . . . . . . 546

Monitoring DHCP External Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547

Monitoring DHCP External Server Duplicate MAC Address Setting . . . . . . . . . . . 548

Monitoring DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549

Monitoring DHCP Local Server Authentication Information . . . . . . . . . . . . . . . . . 551

Monitoring DHCP Local Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552

Table of Contents

Monitoring DHCP Local Server Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553

Monitoring DHCP Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

Monitoring DHCP Option 60 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557

Monitoring DHCP Packet Capture Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

Monitoring DHCP Relay Configuration Information . . . . . . . . . . . . . . . . . . . . . . . 559

Monitoring DHCP Relay Proxy Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560

Monitoring DHCP Relay Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562

Monitoring DHCP Server and DHCP Relay Agent Statistics . . . . . . . . . . . . . . . . . 565

Monitoring DHCP Server and Proxy Client Information . . . . . . . . . . . . . . . . . . . . 566

Monitoring DHCPv6 Local Server Binding Information . . . . . . . . . . . . . . . . . . . . . 567

Monitoring DHCPv6 Local Server DNS Search Lists . . . . . . . . . . . . . . . . . . . . . . . 567

Monitoring DHCPv6 Local Server DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . 568

Monitoring DHCPv6 Local Server Prefix Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . 568

Monitoring DHCPv6 Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569

Monitoring Duplicate MAC Addresses Use By DHCP Local Server Clients . . . . . 570

Monitoring the Maximum Number of Available Leases . . . . . . . . . . . . . . . . . . . . . 571

Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local

Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572

Monitoring Status of DHCP Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

Part 5 Managing the Subscriber Environment

Chapter 23 Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

Subscriber Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

Subscriber Management Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . 578

Subscriber Management Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

Dynamic IP Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

Subscriber Management Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

Configuring Subscriber Management with an External DHCP Server . . . . . 580

Subscriber Management Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

Subscriber Management Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . 588

Username with ATM Circuit Identifier and No Circuit Type . . . . . . . . . . . . . . 589

Username with VLAN Circuit Identifier and Circuit Type . . . . . . . . . . . . . . . 589

Username with MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590

Chapter 24 Monitoring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Monitoring IP Service Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

Monitoring Active IP Subscribers Created by Subscriber Management . . . . . . . . 592

Chapter 25 Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

Subscriber Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

Dynamic Interfaces and Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . 596

Relationship to Shared IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

Relationship to Primary IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

Ethernet Interfaces and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598

Moving Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Preventing IP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Policies and QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

JunosE 11.3.x Broadband Access Configuration Guide

Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

Directing Traffic Toward Special Local Content . . . . . . . . . . . . . . . . . . . 599

Differentiating Traffic for VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600

Subscriber Interfaces Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 601

Interface Specifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

Subscriber Interfaces References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

Dynamic Creation of Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602

DHCP Local Server and Address Allocation . . . . . . . . . . . . . . . . . . . . . . 603

DHCP External Server and Address Allocation . . . . . . . . . . . . . . . . . . . 603

DHCP Relay Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Supported Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Packet Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604

Designating Traffic for the Primary IP Interface . . . . . . . . . . . . . . . . . . . . . . 605

Using Framed Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605

Inheritance of MAC Address Validation State for Dynamic Subscriber

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605

How MAC Address Validation State Inheritance Works . . . . . . . . . . . . 605

Configuration of MAC Address Validation State Inheritance . . . . . . . . 606

Verification of MAC Address Validation State Inheritance . . . . . . . . . . 606

Configuring Static Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607

Using a Destination Address to Demultiplex Traffic . . . . . . . . . . . . . . . . . . . 607

Using a Source Address to Demultiplex Traffic . . . . . . . . . . . . . . . . . . . . . . . 609

Configuring Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613

Configuring Dynamic Subscriber Interfaces over Ethernet . . . . . . . . . . . . . . 614

Configuring Dynamic Subscriber Interfaces over VLANs . . . . . . . . . . . . . . . . 614

Configuring Dynamic Subscriber Interfaces over Bridged Ethernet . . . . . . . 616

Configuring Dynamic Subscriber Interfaces over GRE Tunnels . . . . . . . . . . . 617

Dynamic Subscriber Interface Configuration Example . . . . . . . . . . . . . . . . . 618

Chapter 26 Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Monitoring Subscriber Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Monitoring Active IP Subscribers Created by Subscriber Management . . . . . . . 628

Part 6 Managing Subscriber Services

Chapter 27 Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Service Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Service Manager Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Service Manager References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Service Manager Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637

Referencing Policies in Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642

Service Manager Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

Creating Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

Managing Your Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640

Table of Contents

Referencing QoS Configurations in Service Definitions . . . . . . . . . . . . . . . . . . . . 642

Specifying QoS Profiles in a Service Definition . . . . . . . . . . . . . . . . . . . . . . . 642

Configuring a QoS Profile for Service Manager . . . . . . . . . . . . . . . . . . . 643

Specifying QoS Profiles in a Service Definition . . . . . . . . . . . . . . . . . . . 643

Specifying QoS Parameter Instances in a Service Definition . . . . . . . . . . . . 644

Creating a Parameter Instance in a Profile . . . . . . . . . . . . . . . . . . . . . . . 644

Specifying QoS Parameter Instances in a Service Definition . . . . . . . . 645

Modifying QoS Configurations with Service Manager . . . . . . . . . . . . . . . . . 646

Modifying Parameter Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646

Modifying QoS Configurations in a Single Service Manager Event . . . . 647

Modifying QoS Configurations Using Other Sources . . . . . . . . . . . . . . . 648

Removing QoS Configurations Referenced by Service Manager . . . . . . . . . 649

QoS for Service Manager Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

RADIUS or Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Interoperability with Other Service Components . . . . . . . . . . . . . . . . . 650

QoS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Configuring the Service Manager License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Managing and Activating Service Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651

Using RADIUS to Manage Subscriber Service Sessions . . . . . . . . . . . . . . . . . . . . 652

Using RADIUS to Activate Subscriber Service Sessions . . . . . . . . . . . . . . . . 653

Service Manager RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653

Using Tags with RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

Using RADIUS to Deactivate Service Sessions . . . . . . . . . . . . . . . . . . . . . . . 657

Setting Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

Using the Deactivate-Service Attribute . . . . . . . . . . . . . . . . . . . . . . . . . 658

Using Mutex Groups to Activate and Deactivate Subscriber Services . . . . . . . . . 658

Activating and Deactivating Multiple Services . . . . . . . . . . . . . . . . . . . . . . . 659

Configuring a Mutex Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

Combined andIndependent IPv4 andIPv6 Servicesin a Dual Stack Overview. . 660

Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack . . . . . . . 662

Independent IPv4 and IPv6 Services in a Dual Stack . . . . . . . . . . . . . . . . . . 662

Combined IPv4 and IPv6 Service in a Dual Stack . . . . . . . . . . . . . . . . . . . . . 662

PerformanceImpact on theRouterand Compatibility with Previous Releases

for an IPv4 and IPv6 Dual Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663

Configuring RADIUS Accounting for Service Manager . . . . . . . . . . . . . . . . . . . . . 663

Configuring Service Interim Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664

Service Interim Accounting for IPv4 and IPv6 Services in a Dual Stack

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668

Using the CLI to Manage Subscriber Service Sessions . . . . . . . . . . . . . . . . . . . . 669

Using the CLI to Activate Subscriber Service Sessions . . . . . . . . . . . . . . . . . 669

Preprovisioning Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

Using Service Session Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

Using the CLI to Deactivate Subscriber Service Sessions . . . . . . . . . . . . . . . 675

Gracefully Deactivating Subscriber Service Sessions . . . . . . . . . . . . . . 675

Forcing Immediate Deactivation of Subscriber Service Sessions . . . . . 676

Using Service Session Profiles to Deactivate Service Sessions . . . . . . . 677

JunosE 11.3.x Broadband Access Configuration Guide

Configuring Service Manager Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677

Setting Up the Service Definition File for Statistics Collection . . . . . . . . . . . 677

Enabling Statistics Collection with RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . 679

Enabling Statistics Collection with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 679

External Parent Group Statistics Collection Setup . . . . . . . . . . . . . . . . . . . . 680

Service Manager Performance Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

Service Definition Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682

Tiered Service Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682

Video-on-Demand Service Definition Example . . . . . . . . . . . . . . . . . . . . . . 683

Voice-over-IP Service Definition Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 683

Guided Entrance Service Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684

Guided Entrance Service Definition Example . . . . . . . . . . . . . . . . . . . . . 685

Using CoA Messages with Guided Entrance Services . . . . . . . . . . . . . . 686

Configuring the HTTP Local Server to Support Guided Entrance . . . . . 687

Combined IPv4 and IPv6 Service in a Dual Stack Example . . . . . . . . . . . . . 692

Chapter 28 Monitoring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697

Setting a Baseline for HTTP Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . 697

Monitoring the Connections to the HTTP Local Server . . . . . . . . . . . . . . . . . . . . 698

Monitoring the Configuration of the HTTP Local Server . . . . . . . . . . . . . . . . . . . 698

Monitoring Statistics for Connections to the HTTP Local Server . . . . . . . . . . . . 699

Monitoring Profiles for the HTTP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 700

Monitoring the Default Interval for Interim Accounting of Services . . . . . . . . . . . 701

Monitoring the Status of the Service Manager License . . . . . . . . . . . . . . . . . . . . . 701

Monitoring Profiles for Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702

Monitoring IPv4 and IPv6 Interfaces for Service Manager . . . . . . . . . . . . . . . . . . 703

Monitoring Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713

Monitoring Service Session Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714

Monitoring Active Owner Sessions with Service Manager . . . . . . . . . . . . . . . . . . . 715

Monitoring Active Subscriber Sessions with Service Manager . . . . . . . . . . . . . . . 718

Monitoring the Number of Active Subscriber and Service Sessions with

Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

Part 7 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725

List of Figures

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Figure 1: Local Address Pool Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Figure 2: Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Figure 3: Single PPP Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . 59

Figure 4: Multiple PPP Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . 60

Part 2 Managing RADIUS and TACACS+

Chapter 4 Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 237

Figure 5: Sample Remote Access Network Using RADIUS . . . . . . . . . . . . . . . . . . 238

Chapter 5 Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Figure 6: RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Part 3 Managing L2TP

Chapter 11 L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Figure 7: Using the E Series Router as an LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Figure 8: Using the E Series Router as an LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Chapter 12 Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Figure 9: Lockout States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Chapter 14 Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

Figure 10: Network Model for Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Part 4 Managing DHCP

Chapter 18 DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Figure 11: Non-PPP Equal Access via the Router . . . . . . . . . . . . . . . . . . . . . . . . . 468

Chapter 19 Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Figure 12: Non-PPP Equal-Access Configuration Example . . . . . . . . . . . . . . . . . 488

Chapter 20 Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

Figure 13: Passing 802.1p Values to the DHCP Server . . . . . . . . . . . . . . . . . . . . . 509

Chapter 21 Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 519

Figure 14: DHCP External Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

Part 5 Managing the Subscriber Environment

Chapter 23 Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

JunosE 11.3.x Broadband Access Configuration Guide

Figure 15: DHCP External Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

Chapter 25 Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595

Figure 16: Example of a Dynamic Interface Stack . . . . . . . . . . . . . . . . . . . . . . . . 596

Figure 17: Example of a Dynamic Subscriber Interface . . . . . . . . . . . . . . . . . . . . . 597

Figure 18: Subscriber Interfaces over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . 598

Figure 19: Subscriber Interfaces in a Cable Modem Network . . . . . . . . . . . . . . . 600

Figure 20: Associating Subnets with a VPN Using Subscriber Interfaces . . . . . . 601

Figure 21: IP over Ethernet Dynamic Subscriber Interface Configuration . . . . . . 604

Figure 22: Subscriber Interfaces Using a Destination Address to Demultiplex

Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608

Figure 23: Subscriber Interfaces Using a Source Address to Demultiplex

Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610

Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration . . . . . . . 614

Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

Figure 26: IP over Bridged Ethernet over ATM Dynamic Subscriber Interface

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

Figure 27: GRE Tunnel Dynamic Subscriber Interface Configuration . . . . . . . . . . 618

Part 6 Managing Subscriber Services

Chapter 27 Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Figure 28: Service Manager Configuration Flowchart . . . . . . . . . . . . . . . . . . . . . . 637

Figure 29: Sample Service Definition Macro File . . . . . . . . . . . . . . . . . . . . . . . . . 640

Figure 30: QoS Configuration Dependency Chain . . . . . . . . . . . . . . . . . . . . . . . . 649

Figure 31: Comparing RADIUS Login and RADIUS CoA Methods . . . . . . . . . . . . . 652

Figure 32: Guided Entrance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685

Figure 33: Input Traffic Flow with Rate-Limit Profile on an External Parent Group

for a Combined IPv4/IPv6 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693

Figure 34: Output Traffic Flow with Rate-Limit Profile on an External Parent

Group for a Combined IPv4/IPv6 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 693

List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Table 3: Username and Domain Name Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Table 4: Local UDP Port Ranges by RADIUS Request Type . . . . . . . . . . . . . . . . . . 19

Table 5: RADIUS IETF Attributes in Preauthentication Request . . . . . . . . . . . . . . . 75

Table 6: VSAs That Apply to Dynamic IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 79

Table 7: Traffic-Shaping VSAs That Apply to Dynamic IP Interfaces . . . . . . . . . . . 81

Table 8: Supported RADIUS Acct-Terminate-Cause Codes . . . . . . . . . . . . . . . . . . 82

Table 9: RADIUS Attributes Specifying LAG Interface . . . . . . . . . . . . . . . . . . . . . . 92

Table 10: SRC Client and COPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Chapter 2 Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . . 111

Table 11: show aaa accounting Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Table 12: show aaa accounting vr-group Output Fields . . . . . . . . . . . . . . . . . . . . . 116

Table 13: show aaa domain-map Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Table 14: show aaa profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Table 15: show aaa route-download Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 122

Table 16: show aaa route-download routes Output Fields . . . . . . . . . . . . . . . . . . 124

Table 17: show aaa route-download routes global Output Fields . . . . . . . . . . . . . 125

Table 18: show aaa statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Table 19: show configuration category aaa global-attributes Output Fields . . . . 130

Table 20: show configuration category aaa local-authentication Output

Table 21: show configuration category aaa server-attributes include-defaults

Table 22: show cops info Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Table 23: show cops statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Table 24: show ip local alias Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Table 25: show ip local pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Table 26: show ip local shared-pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . 140

Table 27: show radius override Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Table 28: show radius servers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Table 29: show radius statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Table 30: show sscc info Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Table 31: show sscc statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Table 32: show subscribers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

JunosE 11.3.x Broadband Access Configuration Guide

Table 33: show terminate-code Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Table 34: show ipv6 local pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Table 35: show ipv6 local pool poolName Output Fields . . . . . . . . . . . . . . . . . . . 162

Table 36: show ipv6 local pool statistics Output Fields . . . . . . . . . . . . . . . . . . . . 164

Part 2 Managing RADIUS and TACACS+

Chapter 3 Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Table 37: AAA Access Message RADIUS IETF Attributes Supported . . . . . . . . . . 170

Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs

Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Table 39: AAA Accounting Message RADIUS IETF Attributes Supported . . . . . . . 179

Table 40: AAA Accounting Message Juniper Network (Vendor ID 4874) VSAs

Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Table 41: AAA Accounting Tunnel Message RADIUS Attributes Supported . . . . . 185

Table 42: DSL Forum (Vendor ID 3561) VSAs Supported in AAA Access and

Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Table 43: CLI AAA Access Message RADIUS Attributes Supported . . . . . . . . . . . 187

Table 44: ANCP (L2C)-Related Keywords for radius include Command . . . . . . . 231

Chapter 4 Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 237

Table 45: Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . . . . . 240

Table 46: Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . . . . . 242

Chapter 5 Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Table 47: Required RADIUS Access-Request Attributes . . . . . . . . . . . . . . . . . . . 249

Table 48: Required RADIUS Accounting Attributes . . . . . . . . . . . . . . . . . . . . . . . 250

Chapter 6 RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Table 49: RADIUS IETF Attributes Supported by JunosE Software . . . . . . . . . . . 255

Table 50: Juniper Networks (Vendor ID 4874) VSA Formats . . . . . . . . . . . . . . . . 262

Table 51: JunosE Software DSL Forum (Vendor ID 3561) VSA Formats . . . . . . . . 273

Table 52: RADIUS Attribute Passed Through by JunosE Software . . . . . . . . . . . . 274

Chapter 7 Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Table 53: Default AAA Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Table 54: Default L2TP Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Table 55: Default PPP Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Table 56: Default RADIUS Client Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Chapter 8 Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Table 57: show radius override Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

Table 58: show radius attributes-included Output Fields . . . . . . . . . . . . . . . . . . 309

Table 59: show radius dynamic-request statistics Output Fields . . . . . . . . . . . . . 311

Table 60: show radius dynamic-request servers Output Fields . . . . . . . . . . . . . . 312

Table 61: show radius relay statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . 313

Table 62: show radius relay servers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 314

Table 63: show radius relay udp-checksum Output Fields . . . . . . . . . . . . . . . . . . 315

Chapter 9 Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Table 64: TACACS-Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Table 65: TACACS+ Accounting Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

+ 756 hidden pages

Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12, JUNOSE 11.3 Configuration Manual

Specifications and Main Features

Frequently Asked Questions

User Manual