Radius & routing-instance

  • 1.  Radius & routing-instance

    Posted 02-20-2018 00:15

    Hi,

     

    Does anyone have a working configuration with Radius and routing-instances?

    I have tried to use a lo0 interface instead of vlan interface that is in the routing-instance and have that as source for the radius-request but I still don't get it to work.

     

    I have found this discussion earlier and I wonder if anyone knows anything about the routing-instance feature for Radius.

    I am running version 12.3R11.2

     

    https://forums.juniper.net/t5/Ethernet-Switching/access-radius-server/td-p/283355



  • 2.  RE: Radius & routing-instance

     
    Posted 02-20-2018 00:32

     

    Do you have reachability from the routing-instance to the RADIUS server?



  • 3.  RE: Radius & routing-instance

    Posted 02-20-2018 00:37

    Hi Karand!

    Yes I do

     

    set system radius-server 10.7.163.16 source-address 192.168.117.1

    ping 10.7.163.16 routing-instance ABC
    PING 10.7.163.16 (10.7.163.16): 56 data bytes
    64 bytes from 10.7.163.16: icmp_seq=0 ttl=120 time=14.779 ms
    64 bytes from 10.7.163.16: icmp_seq=1 ttl=120 time=16.117 ms
    64 bytes from 10.7.163.16: icmp_seq=2 ttl=120 time=14.720 ms
    --- 10.7.163.16 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 14.720/15.205/16.117/0.645 ms



  • 4.  RE: Radius & routing-instance

     
    Posted 02-20-2018 00:51

    On MX, we have the option to call the access-profile in a routing-instance, but on EX the options are limited.

    Have you tried to call the routing-instance in access?

     

    labroot@EX42SW# show | compare
    [edit]
    +  access {
    +      radius-server {
    +          x.x.x.x {
    +              port 1812;
    +              secret "$9$ypPrWxbwgJUH24"; ## SECRET-DATA
    +              source-address x.x.x.x;
    +              routing-instance testA;
    +          }
    +      }
    +  }

     



  • 5.  RE: Radius & routing-instance

    Posted 02-20-2018 01:25

    Hi,

     

    Yes, I have tried it and I get this log:

     

    Feb 20 10:23:09 SW1 sshd[285]: sendmsg to 10.7.163.16(10.7.163.16).1812: h->try:0 serv->num_tries:0, serv->max_tries:3 tries_per_addr:3, nleft:3, cur_addr:0

    Feb 20 10:23:09 SW1 sshd[285]: sendmsg to 10.7.163.16(10.7.163.16).1812 failed: No route to host
    Feb 20 10:23:09 SW1 sshd[285]: rad_send_request: Tried all servers unsucessfully
    Feb 20 10:23:09 SW1 sshd[285]: auth server unresponsive



  • 6.  RE: Radius & routing-instance

     
    Posted 02-20-2018 02:50

    Can you verify reachability from the assigned source address?

     

    set system radius-server 10.7.163.16 source-address 192.168.117.1

    ping 10.7.163.16 source 192.168.117.1

     



  • 7.  RE: Radius & routing-instance

    Posted 02-20-2018 04:12

    This switch has 4 different routing instances configured and I can't ping anything if I don't specify which routing-instance I should use.

    set interfaces vlan unit 117 family inet address 192.168.117.1/24

    set routing-instances ABC interface vlan.117

    set system radius-server 10.7.163.16 secret xxx

    set system radius-server 10.7.163.16 source-address 192.168.117.1

     

    Since there is no option to add "routing-instance ABC" after the source address in system radius-server, it does not seem to work.

    I would like to do this > set system radius-server 10.7.163.16 source-address 192.168.117.1 routing-instance ABC

     

    root@SW1> ping 10.7.163.16
    PING 10.7.163.16 (10.7.163.16): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host
    --- 10.7.163.16 ping statistics ---
    2 packets transmitted, 0 packets received, 100% packet loss


    root@SW1> ping 10.7.163.16 routing-instance ABC
    PING 10.7.163.16 (10.7.163.16): 56 data bytes
    64 bytes from 10.7.163.16: icmp_seq=0 ttl=120 time=15.004 ms
    64 bytes from 10.7.163.16: icmp_seq=1 ttl=120 time=14.632 ms
    --- 10.7.163.16 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 14.632/14.818/15.004/0.186 ms



  • 8.  RE: Radius & routing-instance

     
    Posted 02-20-2018 04:22
    Did some research on this and found that EX currently does not support RADIUS reachability via a routing-instance.
    It is supported only through the default routing instance. A workaround here would be to do route leaking.


  • 9.  RE: Radius & routing-instance

    Posted 02-20-2018 04:23

    Ah okay, do you have any suggestions on how to make a default-routing-instance configuration or route leak?



  • 10.  RE: Radius & routing-instance

     
    Posted 02-20-2018 05:06
    For instance: PC/Radius server (10.10.10.5) (Vlan 10)-------Layer 2 switch=====Trunk(ae0)====EX4600(layer 3)

    IRB.10: 10.10.10.1
    IRB.20: 20.20.20.1
    IRB.30: 30.30.30.1

    - Create three IRBs, irb.10, irb.20 and irb.30, which are in the routing instance:

    set vlans V10 vlan-id 10
    set vlans V10 l3-interface irb.10
    set vlans V20 vlan-id 20
    set vlans V20 l3-interface irb.20
    set vlans V30 vlan-id 30
    set vlans V30 l3-interface irb.30

    set routing-instances Test instance-type virtual-router
    set routing-instances Test interface irb.10
    set routing-instances Test interface irb.20
    set routing-instances Test interface irb.30
    set routing-instances Test routing-options interface-routes rib-group inet group1

    - Import the routes from inet.0 into routing instance Test:

    set routing-options interface-routes rib-group inet group1
    set routing-options rib-groups group1 import-rib inet.0
    set routing-options rib-groups group1 import-rib Test.inet.0

    - Loopback interface which is a part of inet.0

    set interfaces lo0 unit 0 family inet address 1.1.1.1/24

    - The routing table shows like this:

    root@jtac# run show route

    inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:58:18
                        > to 10.219.43.1 via em0.0
    1.1.1.0/24         *[Direct/0] 06:09:20
                        > via lo0.0
    1.1.1.1/32         *[Local/0] 06:09:20
                          Local via lo0.0
    10.10.10.0/24      *[Direct/0] 00:48:08
                        > via irb.10
    10.10.10.1/32      *[Local/0] 00:48:08
                          Local via irb.10
    10.219.43.0/26     *[Direct/0] 00:57:04
                        > via em0.0
    10.219.43.12/32    *[Local/0] 00:57:04
                          Local via em0.0
    20.20.20.0/24      *[Direct/0] 04:34:49
                        > via irb.20
    20.20.20.1/32      *[Local/0] 04:34:49
                          Local via irb.20
    30.30.30.0/24      *[Direct/0] 04:34:49
                        > via irb.30
    30.30.30.1/32      *[Local/0] 04:34:49
                          Local via irb.30

    Test.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    1.1.1.0/24         *[Direct/0] 04:41:22
                        > via lo0.0
    1.1.1.1/32         *[Local/0] 04:41:22
                          Local via lo0.0
    10.10.10.0/24      *[Direct/0] 00:48:08
                        > via irb.10
    10.10.10.1/32      *[Local/0] 00:48:08
                          Local via irb.10
    20.20.20.0/24      *[Direct/0] 05:48:05
                        > via irb.20
    20.20.20.1/32      *[Local/0] 05:52:50
                          Local via irb.20
    30.30.30.0/24      *[Direct/0] 05:48:05
                        > via irb.30
    30.30.30.1/32      *[Local/0] 05:52:50
                          Local via irb.30

    - Configure the RADIUS server details on the switch, and make sure the IP you specify here is the one the RADIUS server has configured as the EX's client address:

    set system radius-server 10.10.10.5 secret "$9$0ERa1EyM87s2alK2aZU.mO1R"
    set system radius-server 10.10.10.5 source-address 1.1.1.1    <-- loopback address



    Another workaround would be to connect two interfaces back-to-back, creating a loop.

    Loop two interfaces: one is configured under the master/default instance with an IP address on subnet X, say 10.0.0.1/30, and the other one is set up the same way (10.0.0.2/30) but configured under the routing instance (XYZ). The idea behind this is to send the traffic into the routing instance through the physically looped interface, so a static route pointing to the RADIUS server IP is configured as follows:

    set routing-options static route


  • 11.  RE: Radius & routing-instance

     
    Posted 02-20-2018 05:17

    @karand's solution and information is correct, but if ALL you want to be able to do is reach the radius server, configured in default VR (inet.0), and keep all other traffic separated between the VRs (I assume you have some sort of external device/FW that allows some traffic between VRs) then all you need to do is add a static route(s) to the radius server(s) in each VR which could actually be a /32 host route.

     

    Hopefully this makes sense to you, and is probably much easier than route leaking, if indeed this is the only route (besides their own) that each VR needs.
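
    An added example, not from any poster in this thread, that combines the rib-group leaking from post 10 with the /32 host-route idea from post 11, mapped onto the names in the original post (server 10.7.163.16, instance ABC). The loopback address 10.255.0.1/32 and the rib-group and policy names are constructed assumptions; check the syntax against your own release. Leaking exactly one host route in each direction keeps the rest of the VR separation intact, which is the point of having the instances in the first place.

```junos
## Added example, not from any poster in this thread. Names come from the
## original post (server 10.7.163.16, instance ABC); the loopback address
## 10.255.0.1/32 and the rib-group/policy names are constructed here.

## The RADIUS client sources from a loopback in the default instance (inet.0),
## since system radius-server can only send from inet.0 on EX 12.3
set interfaces lo0 unit 0 family inet address 10.255.0.1/32
set system radius-server 10.7.163.16 secret "<radius-secret>"
set system radius-server 10.7.163.16 source-address 10.255.0.1

## Forward path: one /32 host route in inet.0 that resolves the server
## inside ABC's table, so nothing else from ABC becomes visible to inet.0
set routing-options static route 10.7.163.16/32 next-table ABC.inet.0

## Return path: leak only the loopback host route into ABC.inet.0 so the
## server's replies to 10.255.0.1 arriving on vlan.117 are delivered locally;
## every other interface route in inet.0 (management, other instances) is
## rejected by the import policy and never reaches ABC
set policy-options policy-statement leak-lo0-only term lo0 from route-filter 10.255.0.1/32 exact
set policy-options policy-statement leak-lo0-only term lo0 then accept
set policy-options policy-statement leak-lo0-only then reject
set routing-options rib-groups lo0-to-abc import-rib [ inet.0 ABC.inet.0 ]
set routing-options rib-groups lo0-to-abc import-policy leak-lo0-only
set routing-options interface-routes rib-group inet lo0-to-abc

## Verification from operational mode after commit:
##   show route table inet.0 10.7.163.16       (Static, next-table ABC.inet.0)
##   show route table ABC.inet.0 10.255.0.1    (Local via lo0.0, nothing else leaked)
##   ping 10.7.163.16 source 10.255.0.1
```

    If the server is reachable from ABC via a gateway (as the ttl=120 in the earlier pings suggests), the next-table route covers it without leaking ABC's other routes; if the ping from the loopback fails, check ABC.inet.0 for the leaked 10.255.0.1/32 first, since a missing return route produces the same "auth server unresponsive" log as a missing forward route.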



  • 12.  RE: Radius & routing-instance

    Posted 02-20-2018 06:27

    @karand & @rccpgm

     

    Thank you so much for the assistance and help. I will try and build an appropriate configuration and try the solution and get back to you how everything went.

     

    But for now, many thanks and have a great Tuesday! 🙂