Junos OS

Dear Junos Experts,

 

I am testing the Subscriber Management on vMX, and I require to use a different Radius Server ONLY for the COA messages, so not for authentication. That is, the MX must not send authentication messages to it, but only receive COA. Is there a way to get behaviour in Junos?

 

Thanks in advance,

 

Nicola

Hi ,

You may set the authentication to none for AAA

set access profile RADIUS authentication-order none

Thank you
Prabin

Hi,

 

You only need to define the COA client with the secret under radius-server stanza. The rest of configuration for AAA can stay the same.

Sample config:

radius-server {
    /* Radius AAA */
    192.168.0.11 {
        secret "$9$O5jLRyKXxdsYoX7wg4aHktu01cyKM8"; ## SECRET-DATA
        source-address 172.16.2.1;
    }
    /* RADIUS COA Only */
    192.168.1.58 {
        secret "$9$IaXceWN-wg4ZNd2aJG.m0B1EreWLx"; ## SECRET-DATA
        source-address 192.168.1.108;
    }
}
profile RADIUS {
    accounting-order radius;
    authentication-order radius;
    radius {
        authentication-server 192.168.0.11;
        accounting-server 192.168.0.11;
    }
}

Example of COA:

$ echo "User-name=user@test.net,NAS-IP-Address=172.16.2.1,Acct-Session-Id=171,Framed-Route='10.10.10.10/32 0.0.0.0'" | /usr/bin/radclient -x 192.168.1.108:3799 coa test123
Sending CoA-Request of id 202 to 192.168.1.108 port 3799
	User-Name = "user@test.net"
	NAS-IP-Address = 172.16.2.1
	Acct-Session-Id = "171"
	Framed-Route = "10.10.10.10/32 0.0.0.0"
rad_recv: CoA-ACK packet from host 192.168.1.108 port 3799, id=202, length=20

Hope this helps.

 

Ashvin

Thanks a lot! Your explanation is very clear and useful!

 

Have a nice day,

 

Nicola