Routing

Expand all | Collapse all

Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

Jump to Best Answer
  • 1.  Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 02-28-2019 01:48

    Hello everyone.

    I`m setting up dual-stacked subscribers on my MX box. Subscriber must be placed in SUBSCRIBERS routing-instance.

    As for now everything is working, but when i face dual-stacked suscribers i got behavior which i dont know is it ok or not.

    Group for interface:

    interfaces {
        <*> {
            description "SUBSCRIBERS ACCESS";
            no-traps;
            flexible-vlan-tagging;
            auto-configure {
                stacked-vlan-ranges {
                    dynamic-profile MAIN-WITH-RPF-CHECK {
                        accept [ dhcp-v4 dhcp-v6 ];
                        ranges {
                            4000-4020,2200-4000;
                        }
                    }
                }
                remove-when-no-subscribers;
            }
            mtu 9192;
            encapsulation flexible-ethernet-services;
        }
    }
    

    Dynamic-profile for configuring interface:

    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        demux0 {
            no-traps;
            interface-mib;
            unit "$junos-interface-unit" {
                demux-source [ inet inet6 ];
                no-traps;
                proxy-arp unrestricted;
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                demux-options {
                    underlying-interface "$junos-underlying-interface";
                }
                family inet {
                    rpf-check fail-filter rpf-pass-dhcp;
                    mtu 1500;
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    mtu 1500;
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                max-advertisement-interval 900;
                min-advertisement-interval 300;
                managed-configuration;
                other-stateful-configuration;
            }
        }
    }
    

    And finally profile for DHCP server:

    predefined-variable-defaults {
        routing-instances SUBSCRIBERS;
    }
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    

    Everything works ok, but first session (inet or inet6) authorizes in default RI and subs is paced in SUBSCRIBERS RI. All radius packets are coming from NAS_IP that is configured for default RI. This is ok. Next session (inet or inet6) is authorized in SUBSCRIBERS RI and NAS_IP for this session is one that configured for SUBSCRIBERS RI. So i got situation when two sessions (inet,inet6) for one subscriber  are coming from one box but from different NAS ips. This is ok in generall, but maybe i`m doing something wrong and there is better way to do this. Problem is that i cannot use single-session dual-stack (which will solve my "problem") right now, so inet and inet6 should come as different sessions



  • 2.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)
    Best Answer

     
    Posted 03-01-2019 05:29

    Hi smelnik,

     

    Think you could have the Radius VSA attribute# 26-25 and name "Redirect-LSRI-Name" configured on the Radius Server to help.

    https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-solution-wholesale-vsa-config-overview.html

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).

     

     



  • 3.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-01-2019 09:01

    Hello.

    Thanks for reply. Itried this method and it works well, no as expected:

    I got auth from different RI, bu twith this VSA interim-updates are coming from specified RI and coa updates should be sent to nas ip in nas ip of RI specified in 26-25 VSA.

    Many thanks again, but i got to move to Single-session dual-stack mode 🙂



  • 4.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-01-2019 13:54

    I`ve found solution.

    I used domain map feature with domain default:

     show access domain
    map default {
        target-routing-instance SUBSCRIBERS;
    }
    

    And it worked.

    But there is another problem:

    unnumbered-address configured NONE for DHCP dynamic-profile.

    IP-DHCPv4-DHCPv6 {
        predefined-variable-defaults {
            routing-instances {
                SUBSCRIBERS;
            }
        }
        routing-instances {
            SUBSCRIBERS {
                interface demux0.3221225741;
            }
        }
        interfaces {
            demux0 {
                unit 3221225741 {
                    family {
                        inet {
                            unnumbered-address NONE;
                        }
                        inet6 {
                            unnumbered-address NONE;
                        }
                    }
                }
            }
        }
    }
    


  • 5.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-03-2019 22:55

    Ok, i managed to make thing work almost as expected.

    I moved subscriber with the help of dynamic profile to another demux interface.

    This is dhcp profile that i use:

    predefined-variable-defaults {
        routing-instances SUBSCRIBERS;
    }
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        demux0 {
            no-traps;
            unit "$junos-interface-unit" {
                demux-options {
                    underlying-interface "$junos-underlying-interface";
                }
                family inet {
                    rpf-check fail-filter rpf-pass-dhcp;
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                max-advertisement-interval 900;
                min-advertisement-interval 300;
                managed-configuration;
                other-stateful-configuration;
            }
        }
    }
    

    Interface profile now looks like this:

    interfaces {
        demux0 {
            no-traps;
            interface-mib;
            unit "$junos-interface-unit" {
                demux-source [ inet inet6 ];
                no-traps;
                proxy-arp unrestricted;
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                demux-options {
                    underlying-interface "$junos-underlying-interface";
                }
                family inet {
                    rpf-check fail-filter rpf-pass-dhcp;
                    mtu 1500;
                }
                family inet6 {
                    mtu 1500;
                }
            }
        }
    }
    

    And i moved to dual-stack single-session.

    Subs auth looks loke this:

    demux0.3221225521     0x8100.4008 0x8100.3000                                           default:default
    demux0.3221225522     10.200.72.154                           DS&ge-0/1/2:4008-3000       default:SUBSCRIBERS
    *                     2a00:f440:a:3::fbf
    *                     2a00:f440:a:8fbf::/64
    

    There is lo0.1 in generated profile for subscriber session as expected.

    But inet6 not working. I checked and found that ND is still working on demux0.3221225521, but not on interface configured for subscriber (demux0.3221225522)

    run show ipv6 neighbors
    IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
    fe80::66d1:54ff:fee6:d5f7    64:d1:54:e6:d5:f7  reachable   0   no  no      demux0.3221225521
    2a00:f440:a:3::fbf           64:d1:54:e6:d5:f7  reachable   0   no  no      demux0.3221225522
    

    So is there a way to solve this puzzle, or just forget about it and live with NONE in subscribers generated dynamic-profile? 🙂



  • 6.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 01:57

    Hello,

     

    I understand that your Radius is reachable via the default RI, but it's not clear where you'd like to put your IPv4 and IPv6 subscribers - should they both be in SUBSCRIBERS RI, or IPv4 in default and IPv6 in SUBSCRIBERS?

    I'm pretty sure there is a way to make it work, but let's clarify how you want it to work first.

     

    Best regards,

    Sergii

     



  • 7.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 02:06

    Hello Sergii.

    Yes, i`m trying to put dual-stacked subscriber into RI.

    both inet and inet6 should be both in SUBSCRIBERS routing-instance.



  • 8.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 02:20

    Hi smelnik,

     

    Could you please try to remove the demux options once and try?

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).



  • 9.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 02:40

    Hello.

    Should i remove it in DHCP dynamic profile or interface?



  • 10.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 02:47
    Hi smelnik,

    No, just remove the demux options. Don't think that's needed with dynamic-profile.

    Regards,

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 11.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 03:47

    Removed demux-options.

    Didnt helped 😞 Still ipv6 resources not reachable for subscriber.



  • 12.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 06:09

    It should be a very peculiar service model if you need to authenticate IPv4 and IPv6 sessions from the same CPE separately. In any case, the following configuration works in my lab and fits your requirements (Radius is reachable in the default RI, both IPv4 and IPv6 sessions are authenticated separately and placed in SUBSCRIBERS RI) - I added complete configuration for the sake of other users.

    The idea is to put dynamic vlan into SUBSCRIBERS RI, and use aaa-routing-instance command (you can refer https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/subscriber-management-domain-aaa-logical-system.html😞

    set access domain map default aaa-routing-instance default

    If it works for you, please mark this post as "Accepted Solution".

    root@vmx1> show subscribers
    Interface             IP Address/VLAN ID                      User Name                      LS:RI
    demux0.3221225485     0x8100.1 0x8100.1                       vlan                      default:SUBSCRIBERS
    demux0.3221225485     10.10.1.6                               dhcpv4                    default:SUBSCRIBERS
    demux0.3221225485     fd01:1000:1000:1000::4                  dhcpv6                    default:SUBSCRIBERS
    
    root@vmx1> show ipv6 neighbors
    IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
    fe80::24cc:e4ff:fe3c:0       26:cc:e4:3c:00:00  reachable   0   no  no      demux0.3221225485
    fd01:1000:1000:1000::4       26:cc:e4:3c:00:00  reachable   0   no  no      demux0.3221225485
    
    root@vmx1> show configuration dynamic-profiles
    dv-profile {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            demux0 {
                no-traps;
                interface-mib;
                unit "$junos-interface-unit" {
                    no-traps;
                    proxy-arp unrestricted;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        unnumbered-address "$junos-loopback-interface";
                    }
                    family inet6 {
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
        protocols {
            router-advertisement {
                interface "$junos-interface-name" {
                    max-advertisement-interval 900;
                    min-advertisement-interval 300;
                    managed-configuration;
                    other-stateful-configuration;
                }
            }
        }
    }
    l3-profile {
        predefined-variable-defaults {
            routing-instances SUBSCRIBERS;
        }
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-underlying-interface-unit" {
                    family inet {
                        unnumbered-address "$junos-loopback-interface";
                    }
                    family inet6 {
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
    }
    
    root@vmx1> show configuration routing-instances
    SUBSCRIBERS {
        instance-type vrf;
        system {
            services {
                dhcp-local-server {
                    dhcpv6 {
                        group dhcpv6-ls {
                            authentication {
                                password password;
                                username-include {
                                    user-prefix dhcpv6;
                                }
                            }
                            dynamic-profile l3-profile;
                            overrides {
                                delegated-pool PREFIX-DELEGATION;
                            }
                            interface demux0.0;
                        }
                    }
                    pool-match-order {
                        external-authority;
                        ip-address-first;
                    }
                    group dhcp-ls {
                        authentication {
                            password password;
                            username-include {
                                user-prefix dhcpv4;
                            }
                        }
                        overrides {
                            client-discover-match incoming-interface;
                        }
                        dynamic-profile l3-profile;
                        interface demux0.0;
                    }
                }
            }
        }
        access {
            address-assignment {
                pool dhcpv4-pool {
                    family inet {
                        network 10.10.1.0/24;
                        range range1 {
                            low 10.10.1.2;
                            high 10.10.1.200;
                        }
                        dhcp-attributes {
                            maximum-lease-time 900;
                            server-identifier 10.10.1.1;
                            router {
                                10.10.1.1;
                            }
                            option 58 unsigned-integer 360;
                            option 59 unsigned-integer 600;
                        }
                    }
                }
                pool IA_NA {
                    family inet6 {
                        prefix fd01:1000:1000:1000::/64;
                        range V6-RANGE {
                            low fd01:1000:1000:1000::2/128;
                            high fd01:1000:1000:1000::ffff:ffff/128;
                        }
                        dhcp-attributes {
                            dns-server {
                                fd01:0090:0:aaaa:200:187:80:5;
                            }
                        }
                    }
                }
                pool PREFIX-DELEGATION {
                    family inet6 {
                        prefix fd02:01:aaaa::/48;
                        range PD prefix-length 64;
                        dhcp-attributes {
                            dns-server {
                                fd01:0090:0:aaaa:200:187:80:5;
                            }
                        }
                    }
                }
            }
        }
        access-profile aaa-profile;
        interface lo0.1;
        vrf-target target:1:1;
    }
    root@vmx1> show configuration access
    radius-server {
        10.1.6.30 secret "$9$iq5Fn6AOBEP5hrvM-dUji.fz9CuORS"; ## SECRET-DATA
    }
    profile aaa-profile {
        authentication-order radius;
        radius {
            authentication-server 10.1.6.30;
        }
    }
    domain {
        map default {
            aaa-routing-instance default;
        }
    }

    Corresponding RADIUS profiles:

    vlan    Cleartext-Password := "password"
            ERX-Virtual-Router-Name = "SUBSCRIBERS",
            Service-Type = Framed-User
    
    dhcpv4  Cleartext-Password := "password"
            ERX-Virtual-Router-Name = "SUBSCRIBERS",
            Service-Type = Framed-User
    
    dhcpv6  Cleartext-Password := "password"
            ERX-Virtual-Router-Name = "SUBSCRIBERS",
            Service-Type = Framed-User
    

     

    Best regards,

    Sergii



  • 13.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 07:01

    Thanks for your post.

    I`m using single-session dual-stack and landing this subscriber inside one RI (SUBSCRIBERS).

    It works with configuration you posted above, but if you will have a look at show dynamic-profile client session-id, you will see configured unnumbered address NONE. That was the problem (or in case of junos it is not a problem - i dont know 🙂 )

    So i tried to make things right 🙂

    I made underlying interface to stay in default RI:

    Interface IP Address/VLAN ID User Name LS:RI
    demux0.3221225523 0x8100.4008 0x8100.3000 default:default

    And placed subscriber into RI:

    demux0.3221225524     10.200.72.154                           DS&ge-0/1/2:4008-3000       default:SUBSCRIBERS
    *                     2a00:f440:a:3::fbf
    *                     2a00:f440:a:8fbf::/64
    

     In this case i got right lo in dynamic-profile (in my case lo0.1) , ipv4 works fine, but ipv6 not working.



  • 14.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 08:24

    You're right, I also see this "unnumbered-interface NONE", however, I don't see any functional issues and subscribers are able to send and receive traffic without any issues. The provided configuration should be working except this cosmetic issue in the output of "show dynamic-profile session" - I'll check if this is a known issue and submit a new PR if needed.

     

    Are there any reasons why you want to use single-session dual-stack now (I think earlier you didn't want to use it)? This feature should also work - I'll try to check it tomorrow if I have time.



  • 15.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 21:44

    To use single-session dual-stack i must upgrade my freeradius configuration to support both single-session and not single-session modes. After solving this issue i can  use single-session dual-stack without distrupting our production environment 🙂 


    @Sergii wrote:

    You're right, I also see this "unnumbered-interface NONE", however, I don't see any functional issues and subscribers are able to send and receive traffic without any issues. The provided configuration should be working except this cosmetic issue in the output of "show dynamic-profile session" - I'll check if this is a known issue and submit a new PR if needed.

     


    It would be great to know if its issue or not. 

     



  • 16.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-06-2019 06:15

    Hi smelnik,

     

    Understood. The problem with "unnumbered-address NONE" in the output of "show dynamic-profile session" command is cosmetic - it was reported and fixed for PPP subscribers in PR1222975, but for DHCP subscribers the issue remained - and I created a new PR1421894 to get it fixed (it may take a while to get it resolved as there is no impact).

     

    Best regards,

    Sergii



  • 17.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-07-2019 02:38

    Hi smelnik,

     

    Hopefully authentication for dual-stack subscribers in RI (not a single-session dual-stack) is working in your lab now. For the sake of clarity I'd like to suggest creating a new thread for the problem you mentioned with single-session dual-stack (please attach relevant pieces of configuration).


    @smelnik wrote:

    I made underlying interface to stay in default RI:

    Interface IP Address/VLAN ID User Name LS:RI
    demux0.3221225523 0x8100.4008 0x8100.3000 default:default

    And placed subscriber into RI:

    demux0.3221225524     10.200.72.154                           DS&ge-0/1/2:4008-3000       default:SUBSCRIBERS
    *                     2a00:f440:a:3::fbf
    *                     2a00:f440:a:8fbf::/64
    

     In this case i got right lo in dynamic-profile (in my case lo0.1) , ipv4 works fine, but ipv6 not working.


     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved Smiley Wink

    -------------------------------------------------------------------

     



  • 18.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-07-2019 09:52

    Hello Sergii.

    Thank you very much 🙂 I will create new thread.

    Yes, now everything is working fine in my lab with using single demux interface.