Junos OS


Firewall not works for dhcp users

  • 1.  Firewall not works for dhcp users

    Posted 03-20-2018 02:12

    Good day, I need help. With my config, the firewall does not work for DHCP users; for PPPoE users it works fine. (Juniper MX80)

    set dynamic-profiles svc-global-inet variables SPEED_IN default-value 100m
    set dynamic-profiles svc-global-inet variables SPEED_OUT default-value 100m
    set dynamic-profiles svc-global-inet variables POLICER_IN uid
    set dynamic-profiles svc-global-inet variables POLICER_OUT uid
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$SPEED_IN"
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input precedence 50
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output "$SPEED_OUT"
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output precedence 50
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" interface-specific
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then policer "$POLICER_IN"
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then service-accounting
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then accept
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" interface-specific
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then policer "$POLICER_OUT"
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then service-accounting
    set dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then accept
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" filter-specific
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" logical-interface-policer
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" if-exceeding bandwidth-limit "$SPEED_IN"
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" if-exceeding burst-size-limit 512k
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" then discard
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" filter-specific
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" logical-interface-policer
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" if-exceeding bandwidth-limit "$SPEED_OUT"
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" if-exceeding burst-size-limit 512k
    set dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" then discard
    set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
    set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
    set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
    set dynamic-profiles CLIENTS-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" demux-source inet
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" proxy-arp
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" vlan-id "$junos-vlan-id"
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
    set dynamic-profiles VLAN-IPoE interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0


    For a PPPoE user this works fine:

    dolp@RGW# run show subscribers extensive user-name user2383
    Type: PPPoE
    User Name: client2383
    IP Address: 92.*.*.*
    IP Netmask: 255.255.255.0
    Primary DNS Address: 8.8.8.8
    Secondary DNS Address: 8.8.4.4
    Logical System: default
    Routing Instance: default
    Interface: pp0.1073966950
    Interface type: Dynamic
    Underlying Interface: demux0.1073931766
    Dynamic Profile Name: ppp-profile
    Dynamic Profile Version: 1
    MAC Address: d4:ca:6d:60:77:cf
    State: Active
    Radius Accounting ID: 38987970
    Session ID: 38987970
    VLAN Id: 3242
    Login Time: 2018-03-15 04:21:44 GMT-3
    Service Sessions: 1
    IP Address Pool: Static-POOL1
    
       Service Session ID: 38990501
       Service Session Name: svc-global-inet
       Service Session Version: 2
       State: Active
       Family: inet
       IPv4 Input Filter Name: 10m-pp0.1073966950-in
       IPv4 Output Filter Name: 10m-pp0.1073966950-out
    

    Here we have 10 Mbit/s on the user interface (PPPoE).
    For DHCP users it does not work:

    Type: DHCP
    User Name: OPT82NOIP.000403E60001.000678542E12C3A1
    IP Address: 92.*.*.*
    IP Netmask: 255.255.254.0
    Primary DNS Address: 8.8.8.8
    Secondary DNS Address: 8.8.4.4
    Logical System: default
    Routing Instance: default
    Interface: demux0.1073914899
    Interface type: Dynamic
    Underlying Interface: xe-0/0/1.1073757248
    Dynamic Profile Name: CLIENTS-IPoE
    Dynamic Profile Version: 1
    MAC Address: 18:a6:f7:e9:9d:db
    State: Active
    Radius Accounting ID: 39032423
    Session ID: 39032423
    VLAN Id: 998
    Agent Circuit ID: len 6
    00 04 03 e6 00 01
    Agent Remote ID: len 8
    00 06 78 54 2e 12 c3 a1
    Login Time: 2018-03-16 14:14:00 GMT-3
    Service Sessions: 1
    DHCP Options: len 84
    35 01 01 39 02 04 00 3d 07 01 18 a6 f7 e9 9d db 0c 11 54 4c
    2d 57 52 38 34 31 4e 5f 57 52 38 34 31 4e 44 3c 08 4d 53 46
    54 20 35 2e 30 32 04 5c 26 7c 15 37 0b 01 03 06 0f 21 2b 2c
    2e 2f 79 f9 52 12 01 06 00 04 03 e6 00 01 02 08 00 06 78 54
    2e 12 c3 a1
    IP Address Pool: Static-POOL2
    
       Service Session ID: 39032424
       Service Session Name: svc-global-inet
       Service Session Version: 2
       State: Active
       Family: inet
       IPv4 Input Filter Name: 10m-xe-0/0/1.1073914899-in
       IPv4 Output Filter Name: 10m-xe-0/0/1.1073914899-out
    
    

    The filter does not work on the user interface xe-0/0/1.1073914899.

    I understand that I can use another dynamic profile for DHCP, but unfortunately I need to use the same dynamic profile for PPPoE and DHCP users. Need help.
    Thanks.



  • 2.  RE: Firewall not works for dhcp users

    Posted 03-20-2018 02:31

    Could you show me your interface config?

    Is the DHCP subscriber able to come up, and is the service profile being applied correctly?

    Is this service getting applied via RADIUS return attributes?

    If yes, could you list the return VSA from RADIUS in the radius-access-accept?

    Have you tried to manually apply the service as follows:

    request network-access aaa subscriber add service-profile svc-global-inet session-id xxxx



  • 3.  RE: Firewall not works for dhcp users

    Posted 03-20-2018 03:19

     run request network-access aaa subscriber add service-profile svc-global-inet session-id 39032423
    Successful completion
    .......
    IP Address Pool: Static-POOL2
    
       Service Session ID: 39080732
       Service Session Name: svc-global-inet
       Service Session Version: 2
       State: Active
       Family: inet
       IPv4 Input Filter Name: 100m-xe-0/0/1.1073914899-in
       IPv4 Output Filter Name: 100m-xe-0/0/1.1073914899-out



    Applied correctly. I think I need to apply the profile on Interface: demux0.1073914899, but I don't know how to do it.
    RADIUS sends the correct parameter:
    ERX-Service-Activate:1 += "svc-global-inet(10m,10m)"

    I expect that if I change

    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$SPEED_IN"
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input precedence 50
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output "$SPEED_OUT"
    set dynamic-profiles svc-global-inet interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter output precedence 50
    

    to

    set dynamic-profiles svc-global-inet interfaces demux0 unit "$junos-interface-unit" family inet filter input "$SPEED_IN"
    set dynamic-profiles svc-global-inet interfaces demux0 unit "$junos-interface-unit" family inet filter input precedence 50
    set dynamic-profiles svc-global-inet interfaces demux0 unit "$junos-interface-unit" family inet filter output "$SPEED_OUT"
    set dynamic-profiles svc-global-inet interfaces demux0 unit "$junos-interface-unit" family inet filter output precedence 50

    it will work correctly, but I am not sure that it will work for PPPoE users (((



  • 4.  RE: Firewall not works for dhcp users

    Posted 03-20-2018 07:59

    I tested with both PPPoE and DHCP; it works fine.

    Could you test with the change and report back?

    labroot@re0# run show log authd | match Tag
    Mar 20 20:21:03.854881 radius-access-accept: Activate-Service (Juniper-ERX-VSA) received: Tag (1) svc-global-inet

    Type: PPPoE
    User Name: karand@jnpr.net
    IP Address: 10.100.0.16
    IP Netmask: 255.255.255.255
    Domain name server inet: 10.1.2.3 10.1.2.3
    Logical System: default
    Routing Instance: default
    Interface: pp0.3221225507
    Interface type: Dynamic
    Underlying Interface: xe-2/2/1.3221225506
    Dynamic Profile Name: PPPoE-Profile
    Dynamic Profile Version: 1
    MAC Address: 26:b2:b3:b4:00:00
    State: Active
    Radius Accounting ID: 101
    Session ID: 101
    PFE Flow ID: 62
    VLAN Id: 100
    Login Time: 2018-03-20 20:21:03 IST
    Service Sessions: 1
    IP Address Pool: dhcpv4
    IPv4 Input Filter Name: default-input-pp0.3221225507-in
    IPv4 Output Filter Name: default-output-pp0.3221225507-out

       Service Session ID: 102
       Service Session Name: svc-global-inet
       Service Session Version: 1
       State: Active
       Family: inet
       IPv4 Input Filter Name: 100m-pp0.3221225507-in
       IPv4 Output Filter Name: 100m-pp0.3221225507-out
       Service Activation time: 2018-03-20 20:21:04 IST
       Dynamic configuration:
         POLICER_IN: POLICER_IN_UID1218
         POLICER_OUT: POLICER_OUT_UID1219
         SPEED_IN: 100m
         SPEED_OUT: 100m

    DHCP:

    User Name: karand@jnpr.net.xe-2/0/1:100-200
    Domain name server inet: 10.1.2.3 10.1.2.3
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221225498
    Interface type: Dynamic
    Underlying Interface: xe-2/0/1
    Dynamic Profile Name: BROADXXX
    Dynamic Profile Version: 1
    State: Active
    Radius Accounting ID: 86
    Session ID: 86
    PFE Flow ID: 38
    Stacked VLAN Id: 0x8100.100
    VLAN Id: 0x8100.200
    Login Time: 2018-03-20 20:00:24 IST
    Service Sessions: 3
    IPv4 Input Filter Name: XXXX-demux0.3221225498-in
    IPv4 Output Filter Name: XXXXX-demux0.3221225498-out
    Dynamic configuration:
      junos-cos-guaranteed-rate: 2378k
          junos-cos-scheduler: XXX-EF
              junos-cos-scheduler-tx: 10
              junos-cos-scheduler-bs: 6000
          junos-cos-scheduler: XXX-AF
              junos-cos-scheduler-tx: 25
              junos-cos-scheduler-bs: 7500
          junos-cos-scheduler: XX-BE
              junos-cos-scheduler-tx: 40
              junos-cos-scheduler-bs: 37500
          junos-cos-scheduler: XXX-XX
              junos-cos-scheduler-tx: 25
              junos-cos-scheduler-bs: 60000
      junos-cos-scheduler-map: XXX_UID1208
      junos-cos-shaping-rate: 20m
      junos-input-filter: XXX-10-25-25-20m-In
      junos-output-filter: XXX-10-25-25-20m-Out

       Service Session ID: 87
       Service Session Name: XXX-IN
       Service Session Version: 1
       State: Active
       Family: inet, inet6
       IPv4 Input Filter Name: XXXX-IN-demux0.3221225498-in
       Service Activation time: 2018-03-20 20:00:25 IST

       Service Session ID: 88
       Service Session Name: XXX-OUT
       Service Session Version: 1
       State: Active
       Family: inet, inet6
       IPv4 Output Filter Name: XXX-OUT-demux0.3221225498-out
       Service Activation time: 2018-03-20 20:00:25 IST

       Service Session ID: 89
       Service Session Name: svc-global-inet
       Service Session Version: 1
       State: Active
       Family: inet, inet6
       IPv4 Input Filter Name: 100m-demux0.3221225498-in
       IPv4 Output Filter Name: 100m-demux0.3221225498-out
       Service Activation time: 2018-03-20 20:00:25 IST
       Dynamic configuration:
         POLICER_IN: POLICER_IN_UID1210
         POLICER_OUT: POLICER_OUT_UID1211
         SPEED_IN: 100m
         SPEED_OUT: 100m

    labroot@re0# show dynamic-profiles svc-global-inet | display set
    set  dynamic-profiles svc-global-inet variables SPEED_IN default-value 100m
    set  dynamic-profiles svc-global-inet variables SPEED_OUT default-value 100m
    set  dynamic-profiles svc-global-inet variables POLICER_IN uid
    set  dynamic-profiles svc-global-inet variables POLICER_OUT uid
    set  dynamic-profiles svc-global-inet interfaces demux0 unit "$junos-interface-unit" family inet filter input "$SPEED_IN"
    set  dynamic-profiles svc-global-inet interfaces demux0 unit "$junos-interface-unit" family inet filter input precedence 50
    set  dynamic-profiles svc-global-inet interfaces demux0 unit "$junos-interface-unit" family inet filter output "$SPEED_OUT"
    set  dynamic-profiles svc-global-inet interfaces demux0 unit "$junos-interface-unit" family inet filter output precedence 50
    set  dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" interface-specific
    set  dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then policer "$POLICER_IN"
    set  dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then service-accounting
    set  dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_IN" term default then accept
    set  dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" interface-specific
    set  dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then policer "$POLICER_OUT"
    set  dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then service-accounting
    set  dynamic-profiles svc-global-inet firewall family inet filter "$SPEED_OUT" term default then accept
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" filter-specific
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" logical-interface-policer
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" if-exceeding bandwidth-limit "$SPEED_IN"
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" if-exceeding burst-size-limit 512k
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_IN" then discard
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" filter-specific
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" logical-interface-policer
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" if-exceeding bandwidth-limit "$SPEED_OUT"
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" if-exceeding burst-size-limit 512k
    set  dynamic-profiles svc-global-inet firewall policer "$POLICER_OUT" then discard



  • 5.  RE: Firewall not works for dhcp users
    Best Answer

    Posted 03-20-2018 21:35

    Yes, as I said before, it applied, but the speed is going as the default switch port, 10-1000 Mbit.
    The solution that I found for me:

    change

    set system services dhcp-local-server group IPoE interface xe-0/0/1.0

    to

    set system services dhcp-local-server group IPoE interface demux0.0

    now it works fine:

    Type: DHCP
    User Name: OPT82NOIP.000403E50004.0006F8E903E6DA18
    IP Address: 92.*.*.*
    IP Netmask: 255.255.255.0
    Primary DNS Address: 8.8.8.8
    Secondary DNS Address: 8.8.4.4
    Logical System: default
    Routing Instance: default
    Interface: demux0.1073814302
    Interface type: Dynamic
    Underlying Interface: demux0.1073862815
    Dynamic Profile Name: CLIENTS-IPoE
    Dynamic Profile Version: 1
    MAC Address: 10:bf:48:c9:0f:21
    State: Active
    Radius Accounting ID: 39089350
    Session ID: 39089350
    VLAN Id: 997
    Agent Circuit ID: len 6
    00 04 03 e5 00 04
    Agent Remote ID: len 8
    00 06 f8 e9 03 e6 da 18
    Login Time: 2018-03-21 07:18:18 GMT-3
    Service Sessions: 1
    DHCP Options: len 62
    35 01 01 3d 07 01 10 bf 48 c9 0f 21 3c 0f 75 64 68 63 70 20
    30 2e 39 2e 39 2d 70 72 65 37 0b 01 03 06 0c 0f 1c 2c 2e 2f
    21 f9 52 12 01 06 00 04 03 e5 00 04 02 08 00 06 f8 e9 03 e6
    da 18
    IP Address Pool: Static-POOL1
    
       Service Session ID: 39089351
       Service Session Name: svc-global-inet
       Service Session Version: 4
       State: Active
       Family: inet
       IPv4 Input Filter Name: 10m-demux0.1073814302-in
       IPv4 Output Filter Name: 10m-demux0.1073814302-out
    


    Now the speed for the DHCP user is 10 Mbit.

    Thanks for helping.
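An added check, written for this thread and not part of any poster's configuration or of Juniper's tooling: it parses a `show subscribers extensive` record and reports any service-session filter whose instantiated name embeds a logical interface other than the subscriber's own `Interface:`, which is exactly how the broken DHCP session showed up above (a `10m-xe-0/0/1.…` filter on a `demux0` subscriber). The two sample records are constructed from the output quoted in posts 1 and 5, and the naming pattern `<filter>-<ifl>-<in|out>` is assumed from the filter names seen in the thread.

```python
import re

# Constructed samples, cut down from the "show subscribers extensive" output quoted
# in this thread: the broken DHCP binding from post 1 and the fixed one from post 5.
BROKEN_DHCP = """\
Interface: demux0.1073914899
Underlying Interface: xe-0/0/1.1073757248

   Service Session ID: 39032424
   Service Session Name: svc-global-inet
   IPv4 Input Filter Name: 10m-xe-0/0/1.1073914899-in
   IPv4 Output Filter Name: 10m-xe-0/0/1.1073914899-out
"""
FIXED_DHCP = """\
Interface: demux0.1073814302
Underlying Interface: demux0.1073862815

   Service Session ID: 39089351
   Service Session Name: svc-global-inet
   IPv4 Input Filter Name: 10m-demux0.1073814302-in
   IPv4 Output Filter Name: 10m-demux0.1073814302-out
"""
# Assumed naming of interface-specific filters: <filter>-<ifl>-<in|out>; pull the ifl out.
IFL_IN_FILTER = re.compile(r"([a-z]+\d*(?:-\d+/\d+/\d+)?\.\d+)-(?:in|out)$", re.I)


def parse_record(text):
    """Split one subscriber record into top-level fields plus a list of service-session dicts."""
    fields, sessions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:              # a blank line closes the current service-session block
            current = None
            continue
        if ":" not in line:       # hex-dump lines (DHCP options, agent IDs) carry no key
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Service Session ID":
            current = {}
            sessions.append(current)
        (fields if current is None else current)[key] = value
    return fields, sessions


def filter_binding_problems(text):
    """One message per service filter instantiated on an interface other than the subscriber's."""
    fields, sessions = parse_record(text)
    iface = fields.get("Interface", "")
    problems = []
    for s in sessions:
        for key in ("IPv4 Input Filter Name", "IPv4 Output Filter Name"):
            m = IFL_IN_FILTER.search(s.get(key, ""))
            bound = m.group(1) if m else None
            if bound != iface:
                problems.append(f"{s.get('Service Session Name')}: {s.get(key)} is on {bound}, not {iface}")
    return problems
```

Run against a full record, the check flags the post 1 session twice (input and output filter) and is silent for the post 5 session.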