Junos OS


PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

  • 1.  PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

    Posted 08-16-2018 10:35

    Hi everyone,

     

    I am having a lot of trouble configuring an MX80 router as a PPPoE server. I'm trying to have it receive shaper values from RADIUS attributes, but it is not working correctly; I think I am missing something:

     

    Aug 16 14:21:31.849269 UserAccess:planoteste session-id:3204 state:log-out 4%xe-2/0/1.1000:1000 reason: ppp subscriber-mgr-activation-failed

     

    Here is my configuration:

     

    version 15.1R6.7;

    dynamic-profiles {

        /* Client profile that xe-2/0/1 unit 1000 names under pppoe-underlying-options. The $junos-* names are variables resolved per session (the "show dynamic-profile session" output later on this page shows them filled in). */
        PPPoE-Profile {

            routing-instances {

                "$junos-routing-instance" {

                    interface "$junos-interface-name";

                    routing-options {

                        /* Framed route: prefix, next hop, metric, preference and tag all come from $junos-framed-route-* variables. */
                        access {

                            route $junos-framed-route-ip-address-prefix {

                                next-hop "$junos-framed-route-nexthop";

                                metric "$junos-framed-route-cost";

                                preference "$junos-framed-route-distance";

                                tag "$junos-framed-route-tag";

                            }

                        }

                        /* Route to the subscriber's own address, pointing at the session interface. */
                        access-internal {

                            route $junos-subscriber-ip-address {

                                qualified-next-hop "$junos-interface-name";

                            }

                        }

                    }

                }

            }

            interfaces {

                "$junos-interface-ifd-name" {

                    unit "$junos-interface-unit" {

                        no-traps;

                        /* Both CHAP and PAP are enabled. PAP carries the subscriber password unprotected inside PPP; NOTE(review): keep pap only if some CPE cannot do CHAP. */
                        ppp-options {

                            chap;

                            pap;

                            mtu 1480;

                        }

                        pppoe-options {

                            underlying-interface "$junos-underlying-interface";

                            server;

                        }

                        keepalives interval 30;

                        family inet {

                            /* Borrows the address of whatever loopback $junos-loopback-interface resolves to. The poster later reports that lo0 had no inet address and that IPCP failed until one was added. */
                            unnumbered-address "$junos-loopback-interface";

                        }

                    }

                }

            }

        }

        /* Service profile that RADIUS activates by name; the activation string on this page is PPPoE-Rate-Limit(5120k,10240k). */
        PPPoE-Rate-Limit {

            variables {

                /* In the test output later on this page, the string (5120k,10240k) produced up-rate 5120k and down-rate 10240k, i.e. values are assigned in declaration order. */
                /* NOTE(review): default-value and mandatory are declared together on both rates; confirm which one applies when the activation string omits a value. */
                up-rate {

                    default-value 32k;

                    mandatory;

                }

                down-rate {

                    default-value 32k;

                    mandatory;

                }

                /* uid variables: each service session gets generated names (filter-up_UID1005, shaper-up_UID1004, ... in the test output), so per-subscriber filters and policers do not collide. */
                filter-up uid;

                filter-down uid;

                shaper-up uid;

                shaper-down uid;

            }

            /* Attaches the generated filters to the subscriber unit: filter-up on input, filter-down on output. */
            interfaces {

                "$junos-interface-ifd-name" {

                    unit "$junos-interface-unit" {

                        family inet {

                            filter {

                                input "$filter-up";

                                output "$filter-down";

                            }

                        }

                    }

                }

            }

            firewall {

                family inet {

                    /* Single catch-all term: every packet is policed by shaper-up and then accepted. */
                    filter "$filter-up" {

                        interface-specific;

                        term accept {

                            then {

                                policer "$shaper-up";

                                service-filter-hit;

                                accept;

                            }

                        }

                    }

                    /* Same shape for the output direction, policed by shaper-down. */
                    filter "$filter-down" {

                        interface-specific;

                        term accept {

                            then {

                                policer "$shaper-down";

                                service-filter-hit;

                                accept;

                            }

                        }

                    }

                }

                /* Despite the "shaper" name these are policers: traffic over the limit is discarded, not queued. */
                /* NOTE(review): burst-size-limit is fixed at 1024000000 whatever rate RADIUS supplies; against kbps-range bandwidth limits that burst allowance looks very large, so confirm the policer enforces the rate as intended. */
                policer "$shaper-up" {

                    filter-specific;

                    logical-interface-policer;

                    if-exceeding {

                        bandwidth-limit "$up-rate";

                        burst-size-limit 1024000000;

                    }

                    then discard;

                }

                policer "$shaper-down" {

                    filter-specific;

                    logical-interface-policer;

                    if-exceeding {

                        bandwidth-limit "$down-rate";

                        burst-size-limit 1024000000;

                    }

                    then discard;

                }

            }

        }

    }

    /* System-level settings: identity, local accounts, management services, logging and authd tracing. */
    system {

        host-name BRAS-SDT-01;

        time-zone America/Sao_Paulo;

        no-multicast-echo;

        no-redirects;

        no-ping-record-route;

        no-ping-time-stamp;

        internet-options {

            /* The "inactive:" prefix means this ICMPv4 rate limit is configured but not applied. */
            inactive: icmpv4-rate-limit packet-rate 10;

            path-mtu-discovery;

            tcp-drop-synfin-set;

            ipv6-path-mtu-discovery;

            no-tcp-reset drop-all-tcp;

        }

        root-authentication {

            /* $5$ is a salted SHA-256 crypt hash. A hash that has been published can be guessed against offline, so the root password should be changed; filter such lines (for example with "| except SECRET-DATA") before sharing a configuration. */
            encrypted-password "$5$hy7U0vlP$QVeRDU.QYm7vE4gK6CVqK6tqcU4NDAh1OeIG71w64I5"; ## SECRET-DATA

        }

        /* Resolver address masked by the poster. */
        name-server {

            A.B.C.D;

        }

        dynamic-profile-options {

            versioning;

        }

        radius-options {

            attributes {

                /* Value for the NAS-IP-Address attribute; it matches the xe-2/0/0 unit 0 address. */
                nas-ip-address 10.20.1.114;

            }

        }

        login {

            /* Local account in class super-user; its $5$ hash is published as well, so this password should be changed too. */
            user teste {

                uid 2010;

                class super-user;

                authentication {

                    encrypted-password "$5$lnXHStnE$UUsB1v4ePNe2a4HB9ajIl1B1qLfEJN5IRXV3EztE0CC"; ## SECRET-DATA

                }

            }

        }

        services {

            ssh {

                protocol-version v2;

            }

            /* Telnet sends logins and session contents in cleartext; with SSH v2 already enabled above, this statement can be deleted. */
            telnet;

            subscriber-management {

                enable;

            }

        }

        syslog {

            user * {

                any emergency;

            }

            file messages {

                any notice;

                authorization info;

            }

            /* Records every CLI command to its own file, which gives an audit trail of configuration activity. */
            file interactive-commands {

                interactive-commands any;

            }

        }

        configuration-database {

            max-db-size 104857600;

        }

        processes {

            general-authentication-service {

                /* authd tracing: "flag all" is set next to the specific flags, and world-readable lets any local login read the file. */
                /* NOTE(review): these traces log RADIUS exchanges for subscribers (the authd excerpts on this page come from such a file); outside troubleshooting, prefer no-world-readable and only the flags needed. */
                traceoptions {

                    file auth-geral.log size 10m files 4 world-readable;

                    flag address-assignment;

                    flag user-access;

                    flag radius;

                    inactive: flag session-db;

                    inactive: flag profile-db;

                    flag all;

                }

            }

        }

    }

    /* Chassis-wide network-services mode. */
    chassis {

        network-services enhanced-ip;

    }

    /* Global access profile; refers to "profile PPPoE-Access-Profile" defined under access. */
    access-profile PPPoE-Access-Profile;

    /* NOTE(review): no lo0 unit with an inet address appears in this listing, while PPPoE-Profile uses "$junos-loopback-interface" as its unnumbered-address; the poster later identifies that as the cause of the login failure. */
    interfaces {

        /* 10.20.1.114/24: the same address is configured as nas-ip-address, and the static default route's next hop 10.20.1.1 is on this subnet. */
        xe-2/0/0 {

            unit 0 {

                family inet {

                    address 10.20.1.114/24;

                }

            }

        }

        xe-2/0/1 {

            vlan-tagging;

            /* PPPoE underlying interface on VLAN 1000: sessions arriving here use dynamic profile PPPoE-Profile and service-name table PPPoE-Table. */
            unit 1000 {

                encapsulation ppp-over-ether;

                vlan-id 1000;

                pppoe-underlying-options {

                    access-concentrator TESTE_NAS;

                    duplicate-protection;

                    dynamic-profile PPPoE-Profile;

                    service-name-table PPPoE-Table;

                }

            }

        }

        /* family inet is enabled with no address configured. */
        fxp0 {

            unit 0 {

                family inet;

            }

        }

    }

    /* Single static default route; the next hop 10.20.1.1 is on the xe-2/0/0 subnet. */
    routing-options {

        static {

            route 0.0.0.0/0 next-hop 10.20.1.1;

        }

    }

    /* PPP and PPPoE protocol settings. All three trace files below use "level all" / "flag all" and are world-readable, so any local login can read them. */
    /* NOTE(review): full PPP tracing presumably captures authentication exchanges; outside troubleshooting, prefer no-world-readable and narrower flags. */
    protocols {

        ppp-service {

            traceoptions {

                file ppps.log size 10m world-readable;

                level all;

                flag all;

            }

        }

        ppp {

            traceoptions {

                file ppp.log size 10m files 8 world-readable;

                level all;

                flag all;

            }

        }

        pppoe {

            traceoptions {

                file pppoe.log size 10m files 8 world-readable;

                level all;

                flag all;

            }

            /* Table referenced by xe-2/0/1 unit 1000: both the "any" and the "empty" service entries are set to terminate. */
            service-name-tables PPPoE-Table {

                service any {

                    terminate;

                }

                service empty {

                    terminate;

                }

            }

        }

    }

    /* RADIUS servers, dynamic-request (disconnect) clients and the subscriber access profile. */
    access {

        radius-server {

           /* Server address masked by the poster. */
           A.B.C.D {

                port 1812;

                accounting-port 1813;

                /* $9$ is Junos's reversible obfuscation format, not a one-way hash. A $9$ string that has been published is equivalent to the plaintext shared secret, so rotate it on both the router and the RADIUS server. */
                secret "$9$tiavu1hLX-dwgM8aUji.muOBIyl"; ## SECRET-DATA

                timeout 40;

                retry 3;

                accounting-timeout 20;

                accounting-retry 6;

            }

        }

        radius-disconnect-port 3799;

        /* Client allowed to send disconnect requests to port 3799. Its address is left unmasked although the RADIUS servers are written as A.B.C.D, and its $9$ secret is exposed in the same reversible form; rotate the secret and limit which sources can reach that port. */
        radius-disconnect {

            189.90.192.16 secret "$9$nysU/tOeK8L7Vyls4aJDj/CApIE"; ## SECRET-DATA

        }

        profile PPPoE-Access-Profile {

            accounting-order radius;

            /* RADIUS is the only authentication method listed; there is no local fallback. */
            authentication-order radius;

            domain-name-server-inet {

                A.B.C.D;

                A.B.C.D;

            }

            radius {

                authentication-server A.B.C.D;

                accounting-server A.B.C.D;

                options {

                    nas-identifier 4;

                    /* NAS-Port-Id is built from nas-identifier and the interface description joined by "%"; the log line at the top of the post shows "4%xe-2/0/1.1000:1000". */
                    nas-port-id-delimiter "%";

                    nas-port-id-format {

                        nas-identifier;

                        interface-description;

                    }

                    nas-port-type {

                        ethernet ethernet;

                    }

                    calling-station-id-delimiter :;

                    calling-station-id-format {

                        mac-address;

                    }

                    accounting-session-id-format decimal;

                    client-authentication-algorithm direct;

                    client-accounting-algorithm direct;

                    /* Dynamic-profile services are required at login, so a failed activation fails the session; this matches the "subscriber-mgr-activation-failed" logout and the "Activation Failure (denied) of service required-at-login" authd lines on this page. */
                    service-activation {

                        dynamic-profile required-at-login;

                    }

                }

            }

            accounting {

                order radius;

                accounting-stop-on-failure;

                accounting-stop-on-access-deny;

                coa-immediate-update;

                update-interval 10;

                statistics volume-time;

                wait-for-acct-on-ack;

                send-acct-status-on-config-change;

            }

        }

        /* Default domain map sends subscribers to PPPoE-Access-Profile. */
        domain {

            map DEFAULT {

                access-profile PPPoE-Access-Profile;

            }

        }

        radius-options {

            unique-nas-port {

                chassis-id 1;

                chassis-id-width 7;

            }

        }

    }

     

    My freeradius is sending this reply attribute:

     

    Radius service activate attribute is being sent with this value: PPPoE-Rate-Limit(5120k,10240k)

     

    Can someone help me with this.

     

    Thanks.



  • 2.  RE: PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

     
    Posted 08-16-2018 18:00

    Hi,

     

    Could you share the exact set of VSAs you're returning from the RADIUS server? You can get them from the authd logs.

    Also, have you tried manually activating the service to validate your config?

     

    > request network-access aaa subscriber add session-id <inputSubscriberSessionIdHere> service-profile PPPoE-Rate-Limit

     

     



  • 3.  RE: PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

     
    Posted 08-16-2018 20:04

    I tried your config and ran into the same issue.

     

    re0# run show log authd | match fail
    Aug 17 08:16:04.434643 dynamicRequestDecode: Activation Failure (denied) of service required-at-login: service-name "PPPoE-Rate-Limit(5120k,10240k)"
    Aug 17 08:16:04.434655 setDynamicProfileUpdateFailCause: dynamicProfileUpdateResult 5
    Aug 17 08:16:04.434665 setDynamicProfileUpdateErrorMsg: dynamicProfileUpdateErrorMsg: 122 Execution failure
    Aug 17 08:16:04.434780 SEQ SendClientMsg:jpppd-client session-id:12150 reply-code=2 (FAIL), result-subopcode=39 (CONFIG_ERROR), cookie=17, ex_cookie=67, rply_len=4480, num_tlv_blocks=2
    Aug 17 08:16:04.436685 dynamicRequestDecode: Activation Failure (denied) of service required-at-login: service-name "PPPoE-Rate-Limit(5120k,10240k)"
    Aug 17 08:16:04.436696 setDynamicProfileUpdateFailCause: dynamicProfileUpdateResult 5
    Aug 17 08:16:04.436706 setDynamicProfileUpdateErrorMsg: dynamicProfileUpdateErrorMsg: 122 Execution failure
    Aug 17 08:16:04.436814 SEQ SendClientMsg:jpppd-client session-id:12151 reply-code=2 (FAIL), result-subopcode=39 (CONFIG_ERROR), cookie=18, ex_cookie=67, rply_len=4480, num_tlv_blocks=2

     

    -> To fix this, remove any quotes and add a space between the profile name and the rate-limit values.

     

    Problem Condition:

     

    Aug 17 08:16:04.435080 radius-access-accept: Activate-Service (Juniper-ERX-VSA) received: Tag (1) "PPPoE-Rate-Limit(5120k,10240k)"

    Aug 17 08:16:04.436630 ServiceActivate: request="PPPoE-Rate-Limit(5120k,10240k)", serviceName="PPPoE-Rate-Limit, serviceString="PPPoE-Rate-Limit(5120k,10240k)"

     

    Working Condition: It should be like this:

     

    Aug 17 08:18:31.531866 radius-access-accept: Activate-Service (Juniper-ERX-VSA) received: Tag (1) PPPoE-Rate-Limit (5120k,10240k)

    Aug 17 08:18:31.535297 ServiceActivate: request=PPPoE-Rate-Limit (5120k,10240k), serviceName=PPPoE-Rate-Limit, serviceString=PPPoE-Rate-Limit(5120k,10240k)
    Aug 17 08:18:31.535309 ServiceActivate::validateRequest
    Aug 17 08:18:31.535348 ServiceAtLoginRequest::validateRequest
    Aug 17 08:18:31.829103 ServiceActivate: request=PPPoE-Rate-Limit, serviceName=PPPoE-Rate-Limit, serviceString=PPPoE-Rate-Limit

     

    -> I assume the VSA you're returning from RADIUS to activate the service is:

    Unisphere-Service-Activate-tag1

     

    -> String Value Returning from Radius:

    PPPoE-Rate-Limit (5120k,10240k)

     

     Here is my test output using your configuration:

     

    re0# run show subscribers extensive
    Type: VLAN
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221226163
    Interface type: Dynamic
    Underlying Interface: ae22
    Dynamic Profile Name: VLAN
    Dynamic Profile Version: 1
    State: Active
    Session ID: 12152
    PFE Flow ID: 764
    VLAN Id: 2000
    Login Time: 2018-08-17 08:18:31 IST

    Type: PPPoE
    User Name: karand-pppoe@jnpr.net
    IP Address: 10.100.0.7
    IP Netmask: 255.255.255.255
    Domain name server inet: 10.1.2.3 10.1.2.3
    Logical System: default
    Routing Instance: default
    Interface: pp0.3221226164
    Interface type: Dynamic
    Underlying Interface: demux0.3221226163
    Dynamic Profile Name: PPPoE-Profile
    Dynamic Profile Version: 1
    MAC Address: 00:11:01:00:00:01
    State: Active
    Radius Accounting ID: 12153
    Session ID: 12153
    PFE Flow ID: 766
    VLAN Id: 2000
    Login Time: 2018-08-17 08:18:31 IST
    Service Sessions: 1
    IP Address Pool: dhcpv4

       Service Session ID: 12155
       Service Session Name: PPPoE-Rate-Limit
       Service Session Version: 1
       State: Active
       Family: inet
       IPv4 Input Filter Name: filter-up_UID1005-pp0.3221226164-in
       IPv4 Output Filter Name: filter-down_UID1007-pp0.3221226164-out
       Service Activation time: 2018-08-17 08:18:31 IST
       Dynamic configuration:
         down-rate: 10240k
         filter-down: filter-down_UID1007
         filter-up: filter-up_UID1005
         shaper-down: shaper-down_UID1006
         shaper-up: shaper-up_UID1004
         up-rate: 5120k

     

     

    To check that the PPPoE-Rate-Limit dynamic-profile service is attached to the subscriber interface, use this command:

     

    re0# run show dynamic-profile session client-id 12153
    PPPoE-Profile {
        routing-instances {
            default {
                interface pp0.3221226164;
            }
        }
        interfaces {
            pp0 {
                unit 3221226164 {
                    ppp-options {
                        chap;
                        pap;
                        authentication chap;
                        authentication pap;
                    }
                    pppoe-options {
                        underlying-interface demux0.3221226163;
                        server;
                    }
                    family {
                        inet {
                            unnumbered-address lo0.0;
                        }
                    }
                }
            }
        }
    }
    PPPoE-Rate-Limit {
        interfaces {
            pp0 {
                unit 3221226164 {
                    family {
                        inet {
                            filter {
                                input filter-up_UID1005;
                                output filter-down_UID1007;
                            }
                        }
                    }
                }
            }
        }
        firewall {
            family {
                inet {
                    filter filter-up_UID1005 {
                        interface-specific;
                        term accept {
                            then {
                                policer shaper-up_UID1004;
                                service-filter-hit;
                                accept;
                            }
                        }
                    }
                    filter filter-down_UID1007 {
                        interface-specific;
                        term accept {
                            then {
                                policer shaper-down_UID1006;
                                service-filter-hit;
                                accept;
                            }
                        }
                    }
                }
            }
            policer shaper-up_UID1004 {
                filter-specific;
                logical-interface-policer;
                if-exceeding {
                    bandwidth-limit 5120k;
                    burst-size-limit 1024000000;
                }
                then discard;
            }
            policer shaper-down_UID1006 {
                filter-specific;
                logical-interface-policer;
                if-exceeding {
                    bandwidth-limit 10240k;
                    burst-size-limit 1024000000;
                }
                then discard;
            }
        }
    }

     

    Let me know if you have any doubts.

     



  • 4.  RE: PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

    Posted 08-20-2018 04:44

    Hi everyone,

     

    Thanks a lot for your support. In my case, the problem was a missing IP address on the lo0 interface. Because the profile references $junos-loopback-interface as the unnumbered address, IPCP negotiation was failing:

     

    /* Gives lo0 unit 0 an inet address. PPPoE-Profile takes its unnumbered-address from "$junos-loopback-interface"; the poster reports that sessions came up once this was added. */
    lo0 {

        unit 0 {

            family inet {

                address 172.31.100.100/32;

            }

        }

    }

     

    Just added this to the config and it worked.