Junos OS

 View Only
last person joined: 7 days ago 

Ask questions and share experiences about Junos OS.

  • 1.  Use of VSA 26-64 | Tunnel-Group

    Posted 05-12-2020 05:11

    Hello,

     

    We are interested in using the LAC-LNS setup with a customer of ours.

    This setup will be used with xDSL circuits.

    I'm aware that you can configure an access domain map which matches the domain part in the AAA service request, like @example.com.

     

    Now, with xDSL it's possible to have the client send an ADSL Agent Remote Id.

    The content of that attribute can be matched on records in our FreeRADIUS database and send IP address information back to the access concentrator.

    What we want is to match the content of the ADSL Agent Remote Id attribute to a domain map or L2TP tunnel group.

    Meaning that when the customer fills in 'admin' 'admin' as the username and password when dialing PPPoE (something other than the correct credentials, or no credentials at all), the request gets fowarded to the remote LNS.

     

    How would something like this be done?

     

    Beelze

     



  • 2.  RE: Use of VSA 26-64 | Tunnel-Group
    Best Answer

     
    Posted 05-12-2020 05:24

    Hi Beelze,

     

    You don't need this VSA. Basically, you can return all attributes pertaining to the tunnel(s) in the Access-Accept (if your box is LAC):

    user Cleartext-Password := password (or based on Agent Remote Id, etc.)
   Service-Type = Framed-User,
   Tunnel-Client-Endpoint:1 += 10.120.230.100,
   Tunnel-Server-Endpoint:1 += 10.120.230.1,
   Tunnel-Type:1 += l2tp,
   Tunnel-Medium-Type:1 += IP,
   Tunnel-Client-Endpoint:2 += 10.120.230.100,
   Tunnel-Server-Endpoint:2 += 10.120.230.2,
   Tunnel-Type:2 += l2tp,
   Tunnel-Medium-Type:2 += IP

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved Smiley Happy

    -------------------------------------------------------------------



  • 3.  RE: Use of VSA 26-64 | Tunnel-Group

    Posted 05-13-2020 01:17

    Hi Sergii,

     

    Yes, our box will the LAC, just forwarding access request packets.

    Remote LNS is in customer domain, ultimately handling the request.

    Customer will also terminate the subscribers.

     

    I just got a couple of questions, if I may 🙂

    • I assume that the output you show is something that is done in the FreeRADIUS server, am I correct? So, an Access-Request packet enters our Radius Server where we match on the Agent Remote Id and add some Tunnel Profile attribute to be returned to our LAC box?
    • And am I also correct that domain mapping is not required anymore? Since we do not match on the subscribers domain part in the username?
    • Does a Tunnel Profile still need to be configured? Am I correct to say that only one L2TP tunnel is created and that first and subsequent requests will all be forwarded to the remote LNS?

    Beelze

     



  • 4.  RE: Use of VSA 26-64 | Tunnel-Group

     
    Posted 05-13-2020 01:34

    Hi Beelze,

     

    Answering your questions - yes, the profile I provided above is a subscriber profile configured on FreeRadius. An excerpt from your link:

    RADIUS attributes and VSAs can override the values you configured by a tunnel profile in a domain map. In the absence of a domain map, RADIUS can supply all the characteristics of a tunnel. The steps in the following procedure list the corresponding standard RADIUS attribute or VSA that you can configure on your RADIUS server to modify or configure the tunnel profile.

    Essentially it means that no additional configuration is needed on LAC - all tunnel attributes can be sourced from Radius in the Access-Accept for the particular user that will be tunneled to LNS.

    Regarding number of L2TP tunnels you may want to provide some level of redundancy (just in case one of LNSs fails), so it's better to return at least two destinations for a tunneled subscriber. I'm not 100% sure, but I think by default the same L2TP tunnel is used for the subsequent subscribers tunneled to the same destination (if not, you'll need to add exactly the same tunnel-assignment-id to the subscriber profile to force usage of the same tunnel).

     

    HTH

     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved Smiley Happy

    -------------------------------------------------------------------



  • 5.  RE: Use of VSA 26-64 | Tunnel-Group

    Posted 05-13-2020 02:23

    Hi Sergii,

     

    Thank you very much!

    I have accepted your first response as the solution, even though I haven't tried anything yet.

    This is just the push in the right direction I needed 🙂

     

    Beelze



  • 6.  RE: Use of VSA 26-64 | Tunnel-Group

     
    Posted 05-13-2020 02:31

    Hi Beelze,

     

    Awesome, thank you! I'm glad I could help, please feel free to update this thread or create a new topic should you require any further assistance during your tests.

     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved

    -------------------------------------------------------------------