
Controlling PPP Users

  • 1.  Controlling PPP Users

     
    Posted 10-31-2017 03:42

    Hi,

     

    Having searched on Google, I am struggling to find documentation to help with the configuration of what PPP users can and cannot do.

     

    For example, do I control it from the LNS? Do I control it from the RADIUS (FreeRADIUS)... Having looked at the VSAs for FreeRADIUS I do not think I can control routing, which LNS to use, bandwidth etc. from the FreeRADIUS box... so, is there a document somewhere, from Juniper, that shows how to do this via the LNS please?

     

    Thanks



  • 2.  RE: Controlling PPP Users

     
    Posted 10-31-2017 04:25

    Hi,

     

    I believe you're looking for the services that can be provided to PPP subscribers terminating on LNS.

     

    You can refer to the following documents.

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-dynamic-firewall-filter-overview.html

    https://www.juniper.net/documentation/en_US/junos/topics/reference/general/aaa-subscriber-access-radius-vsa.html

    https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-radius-coa-overview.html

     

    You need both RADIUS and MX for controlling the subscribers. Example: assigning a special bandwidth quota to subscribers.

     

    On MX

     

    Configure the FW filter under the dynamic-profile. Here I am using a variable, as the value will be assigned from RADIUS.


                family inet {
                    filter {
                        input $junos-input-filter;
                        output $junos-output-filter;
                    }
                }

    Define the FW filter and policer under the FW stanza.

     

    firewall {
        family inet {
            filter 12M {
                interface-specific;
                term 1 {
                    then {
                        policer 12M;
                        service-accounting;
                        service-filter-hit;
                        accept;
                    }
                }
            }
        }
        policer 12M {
            filter-specific;
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit 12m;
                burst-size-limit 3m;
            }
            then discard;
        }
    }

     

    From RADIUS, return the attribute for the subscriber during the authentication phase.

     

    test     Cleartext-Password := "test"
             ERX-Ingress-Policy-Name = "12M",
             ERX-Egress-Policy-Name = "12M"

     

    Please let me know the specific services you're looking for so I can help you better 🙂

     

    Regards,

    Rahul N



  • 3.  RE: Controlling PPP Users

     
    Posted 10-31-2017 05:00

    Hi Rahul,

     

    As always, thank you for the information:

     

    We are using L2TP and PPP for authentication, but I have been given a remit for our RADIUS or LNS to define customer requirements (this is a small ISP I am designing and configuring, but for approximately 16,000 customers)...

     

    Requirements can be, but not limited to:

    Routing options (what route the customer must use)

    QoS or CoS (Bandwidth attributes)

    What LNS (we have 2) should we inform the LAC the customer should use

    Static IPv6 and IPv4 Address assignment to CPE ( We will supply fully managed CPE to customer)

     

    Without sitting around a table with the Directors, I cannot say exactly what we will require, but the above is a definite.

     

    Thank you Rahul...



  • 4.  RE: Controlling PPP Users

     
    Posted 10-31-2017 05:59

    Hi,

    You need to modify the dynamic-profile to support CoS and IPv6.

    I assume you will be using NDRA and DHCPv6 PD [WAN and LAN]

     

    For CoS, you need below attribute to be pushed from radius.

     

    test    Cleartext-Password := "test"
            ERX-CoS-Shaping-Pmt-Type += "T01 SCHEDULER-MAP-TEST",
            ERX-CoS-Shaping-Pmt-Type += "T02 20m"

     

    LNS# show dynamic-profiles dyn-lns-profile | no-more
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                dial-options {
                    l2tp-interface-id l2tp-encapsulation;
                }
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                prefix $junos-ipv6-ndra-prefix;
            }
        }
    }
    class-of-service {
        traffic-control-profiles {
            TEST {
                scheduler-map "$junos-cos-scheduler-map";
                shaping-rate "$junos-cos-shaping-rate";
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    output-traffic-control-profile TEST;
                }
            }
        }
        scheduler-maps {
            SCHEDULER-MAP-TEST {
                forwarding-class BE scheduler SCHEDULER-BE;
                forwarding-class NC scheduler SCHEDULER-NC;
                forwarding-class AF scheduler SCHEDULER-AF;
                forwarding-class EF scheduler SCHEDULER-EF;
            }
        }
        schedulers {
            SCHEDULER-BE {
                transmit-rate percent 30;
                priority low;
            }
            SCHEDULER-AF {
                transmit-rate percent 20;
                priority high;
            }
            SCHEDULER-NC {
                transmit-rate percent 20;
                priority high;
            }
            SCHEDULER-EF {
                shaping-rate percent 30 burst-size 2k;
                priority strict-high;
            }
        }
    }

     

    DHCPv6 PD

     

    LNS# show system services
    dhcp-local-server {
        dhcpv6 {
            overrides {
                process-inform;
            }
            group DHCPv6_LOCAL {
                overrides {
                    delegated-pool PD;
                }
                interface si-0/0/0.0;
            }
        }
    }

     

    ACCESS

     

    {master}[edit access]
    LNS# show
     address-assignment {
        neighbor-discovery-router-advertisement NDRA;
        pool PD {
            family inet6 {
                prefix XXX:XXXX:YYYY::/48;
                range 2 prefix-length 64;
            }
        }
        pool NDRA {
            family inet6 {
                prefix XXX:YYYY:ZZZZ::/48;
                range p1 prefix-length 64;
            }
        }
    }

     

    NOTE: NDRA/PD can be assigned by RADIUS like we assign framed-address for IPv4.

     

    For choosing the LNS from the LAC, the LAC can use username, domain-map etc. It depends on what the LAC wants to use.

     

    The routing-option part is not clear. For every subscriber there will be an access-internal route created. Can you please explain in brief?

     

    Regards,

    Rahul N
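
Added example, not part of the thread and not Juniper or FreeRADIUS code: the replies above return filter names (`ERX-Ingress-Policy-Name` / `ERX-Egress-Policy-Name`) and a scheduler-map name (`ERX-CoS-Shaping-Pmt-Type` with `T01`) from RADIUS, so every name in the `users` file has to exist on the LNS. This sketch cross-checks the two before deployment. The sample text is constructed and condensed, the user `gold` and the function names are hypothetical, and the parser assumes brace-style Junos configuration text with no braces inside quoted strings.

```python
import re
# Constructed samples modelled on this thread's snippets; user "gold" is hypothetical.
USERS = '''
test    Cleartext-Password := "test"
        ERX-Ingress-Policy-Name = "12M",
        ERX-CoS-Shaping-Pmt-Type += "T01 SCHEDULER-MAP-TEST",
        ERX-CoS-Shaping-Pmt-Type += "T02 20m"
gold    Cleartext-Password := "example"
        ERX-Egress-Policy-Name = "50M",
        ERX-CoS-Shaping-Pmt-Type += "T01 SCHEDULER-MAP-GOLD"
'''
JUNOS = '''
firewall {
    family inet { filter 12M { interface-specific; } }
    policer 12M { then discard; }
}
class-of-service { scheduler-maps { SCHEDULER-MAP-TEST { forwarding-class BE scheduler SCHEDULER-BE; } } }
'''

def junos_names(config):
    """Return (inet filter names, scheduler-map names) defined in the config text."""
    path, filters, maps = [], set(), set()
    for stmt, sep in re.findall(r'([^{};]*)([{};])', config):
        name = " ".join(stmt.split())
        if sep == "{":  # entering a block: record it if it defines a name we track
            if path[-2:] == ["firewall", "family inet"] and name.startswith("filter "):
                filters.add(name.split()[1])
            elif path[-1:] == ["scheduler-maps"]:
                maps.add(name.strip('"'))
            path.append(name)
        elif sep == "}" and path:
            path.pop()
    return filters, maps

def undefined_refs(users, config):
    """List (user, kind, name) for RADIUS replies naming objects the config lacks."""
    filters, maps = junos_names(config)
    user, missing = None, []
    for line in users.splitlines():
        m = re.match(r'\s+(ERX-[\w-]+)\s*\+?=\s*"([^"]*)"', line)
        if m is None:
            if line[:1].strip() and line[0] != "#":
                user = line.split()[0]  # unindented line starts a new users entry
        elif m[1] in ("ERX-Ingress-Policy-Name", "ERX-Egress-Policy-Name"):
            if m[2] not in filters:
                missing.append((user, "filter", m[2]))
        elif m[1] == "ERX-CoS-Shaping-Pmt-Type" and m[2].startswith("T01 "):
            if m[2][4:] not in maps:  # in this thread T01 carries the scheduler-map name
                missing.append((user, "scheduler-map", m[2][4:]))
    return missing
```

On the constructed input, `undefined_refs(USERS, JUNOS)` reports only the two names returned for `gold`; the policer named `12M` is not counted as a filter and the `T02` rate value is not treated as a name.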



  • 5.  RE: Controlling PPP Users

     
    Posted 10-31-2017 09:12

    Hi Rahul

     

    Thank you for the help again and the config. I'm really sorry but I will not be able to implement and test this until tomorrow, but I will let you know the results. Again, very kind of you and thank you.



  • 6.  RE: Controlling PPP Users

     
    Posted 11-02-2017 01:47

    Hi Rahul,

     

    Many apologies. I had forgotten I had a holiday yesterday...... will attempt to test today and let you know the results.


    With regards to the section that says the RADIUS must push out the following:

     

    test    Cleartext-Password := "test"
            ERX-CoS-Shaping-Pmt-Type += "T01 SCHEDULER-MAP-TEST",
            ERX-CoS-Shaping-Pmt-Type += "T02 20m"

     

    Is that placed in the NAS entry in clients.conf on the RADIUS server under /etc/raddb ?

     

    Also, the LAC will have no option with choosing the LNS. We have to supply the LAC with that information.... but from where?

     

    Routing: I think I can work that section out as we go along. The big problem at the moment is that I only have the following (as a complete test and connected to nothing external):

     

    Cisco 1841 (PPP Client) --> Cisco 1841 (LAC) --> Juniper MX240 (LNS) --> Juniper MX240 (Core) --> Juniper SRX1500 (Basic any any any rule base currently) --> RADIUS

     

    So, we do not have any access to any external wholesale ISP. Once the equipment is in situ then we can test fully the implementations.

     

    Thanks

     



  • 7.  RE: Controlling PPP Users
    Best Answer

     
    Posted 11-02-2017 03:19

    Hi,

     

    NAS should be defined under clients.conf

    client XX.XX.XX.XX  {
            secret  = XXXXX
            shortname = MX104
    }

     

    Attributes should be defined in the users file.

     

    test    Cleartext-Password := "test"
            ERX-CoS-Shaping-Pmt-Type += "T01 SCHEDULER-MAP-TEST",
            ERX-CoS-Shaping-Pmt-Type += "T02 20m"

     

    Both files are under /etc/raddb.

     

    LAC can use username, domain-map to choose LNS as mentioned earlier.

     

    Regards,

    Rahul N



  • 8.  RE: Controlling PPP Users

    Posted 03-07-2018 11:48

    Hello,

     

    How do I control the bandwidth of PPPoE clients in dual-stack IPv4 / IPv6?
    I tested its configuration and only IPv4 was controlled.