Junos OS

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about Junos OS.
  • 1.  PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

    Posted 08-16-2018 10:35

    Hi everyone,

     

    I am having a big trouble trying to configure a MX80 router as a PPPoE server. I'm trying to configure it to receive shaper values from radius attributes, but it is not working correctly, I think I am missing something:

     

    Aug 16 14:21:31.849269 UserAccess:planoteste session-id:3204 state:log-out 4%xe-2/0/1.1000:1000 reason: ppp subscriber-mgr-activation-failed

     

    Here is my configuration:

     

    version 15.1R6.7;

    dynamic-profiles {

        PPPoE-Profile {

            routing-instances {

                "$junos-routing-instance" {

                    interface "$junos-interface-name";

                    routing-options {

                        access {

                            route $junos-framed-route-ip-address-prefix {

                                next-hop "$junos-framed-route-nexthop";

                                metric "$junos-framed-route-cost";

                                preference "$junos-framed-route-distance";

                                tag "$junos-framed-route-tag";

                            }

                        }

                        access-internal {

                            route $junos-subscriber-ip-address {

                                qualified-next-hop "$junos-interface-name";

                            }

                        }

                    }

                }

            }

            interfaces {

                "$junos-interface-ifd-name" {

                    unit "$junos-interface-unit" {

                        no-traps;

                        ppp-options {

                            chap;

                            pap;

                            mtu 1480;

                        }

                        pppoe-options {

                            underlying-interface "$junos-underlying-interface";

                            server;

                        }

                        keepalives interval 30;

                        family inet {

                            unnumbered-address "$junos-loopback-interface";

                        }

                    }

                }

            }

        }

        PPPoE-Rate-Limit {

            variables {

                up-rate {

                    default-value 32k;

                    mandatory;

                }

                down-rate {

                    default-value 32k;

                    mandatory;

                }

                filter-up uid;

                filter-down uid;

                shaper-up uid;

                shaper-down uid;

            }

            interfaces {

                "$junos-interface-ifd-name" {

                    unit "$junos-interface-unit" {

                        family inet {

                            filter {

                                input "$filter-up";

                                output "$filter-down";

                            }

                        }

                    }

                }

            }

            firewall {

                family inet {

                    filter "$filter-up" {

                        interface-specific;

                        term accept {

                            then {

                                policer "$shaper-up";

                                service-filter-hit;

                                accept;

                            }

                        }

                    }

                    filter "$filter-down" {

                        interface-specific;

                        term accept {

                            then {

                                policer "$shaper-down";

                                service-filter-hit;

                                accept;

                            }

                        }

                    }

                }

                policer "$shaper-up" {

                    filter-specific;

                    logical-interface-policer;

                    if-exceeding {

                        bandwidth-limit "$up-rate";

                        burst-size-limit 1024000000;

                    }

                    then discard;

                }

                policer "$shaper-down" {

                    filter-specific;

                    logical-interface-policer;

                    if-exceeding {

                        bandwidth-limit "$down-rate";

                        burst-size-limit 1024000000;

                    }

                    then discard;

                }

            }

        }

    }

    system {

        host-name BRAS-SDT-01;

        time-zone America/Sao_Paulo;

        no-multicast-echo;

        no-redirects;

        no-ping-record-route;

        no-ping-time-stamp;

        internet-options {

            inactive: icmpv4-rate-limit packet-rate 10;

            path-mtu-discovery;

            tcp-drop-synfin-set;

            ipv6-path-mtu-discovery;

            no-tcp-reset drop-all-tcp;

        }

        root-authentication {

            encrypted-password "$5$hy7U0vlP$QVeRDU.QYm7vE4gK6CVqK6tqcU4NDAh1OeIG71w64I5"; ## SECRET-DATA

        }

        name-server {

            A.B.C.D;

        }

        dynamic-profile-options {

            versioning;

        }

        radius-options {

            attributes {

                nas-ip-address 10.20.1.114;

            }

        }

        login {

            user teste {

                uid 2010;

                class super-user;

                authentication {

                    encrypted-password "$5$lnXHStnE$UUsB1v4ePNe2a4HB9ajIl1B1qLfEJN5IRXV3EztE0CC"; ## SECRET-DATA

                }

            }

        }

        services {

            ssh {

                protocol-version v2;

            }

            telnet;

            subscriber-management {

                enable;

            }

        }

        syslog {

            user * {

                any emergency;

            }

            file messages {

                any notice;

                authorization info;

            }

            file interactive-commands {

                interactive-commands any;

            }

        }

        configuration-database {

            max-db-size 104857600;

        }

        processes {

            general-authentication-service {

                traceoptions {

                    file auth-geral.log size 10m files 4 world-readable;

                    flag address-assignment;

                    flag user-access;

                    flag radius;

                    inactive: flag session-db;

                    inactive: flag profile-db;

                    flag all;

                }

            }

        }

    }

    chassis {

        network-services enhanced-ip;

    }

    access-profile PPPoE-Access-Profile;

    interfaces {

        xe-2/0/0 {

            unit 0 {

                family inet {

                    address 10.20.1.114/24;

                }

            }

        }

        xe-2/0/1 {

            vlan-tagging;

            unit 1000 {

                encapsulation ppp-over-ether;

                vlan-id 1000;

                pppoe-underlying-options {

                    access-concentrator TESTE_NAS;

                    duplicate-protection;

                    dynamic-profile PPPoE-Profile;

                    service-name-table PPPoE-Table;

                }

            }

        }

        fxp0 {

            unit 0 {

                family inet;

            }

        }

    }

    routing-options {

        static {

            route 0.0.0.0/0 next-hop 10.20.1.1;

        }

    }

    protocols {

        ppp-service {

            traceoptions {

                file ppps.log size 10m world-readable;

                level all;

                flag all;

            }

        }

        ppp {

            traceoptions {

                file ppp.log size 10m files 8 world-readable;

                level all;

                flag all;

            }

        }

        pppoe {

            traceoptions {

                file pppoe.log size 10m files 8 world-readable;

                level all;

                flag all;

            }

            service-name-tables PPPoE-Table {

                service any {

                    terminate;

                }

                service empty {

                    terminate;

                }

            }

        }

    }

    access {

        radius-server {

           A.B.C.D {

                port 1812;

                accounting-port 1813;

                secret "$9$tiavu1hLX-dwgM8aUji.muOBIyl"; ## SECRET-DATA

                timeout 40;

                retry 3;

                accounting-timeout 20;

                accounting-retry 6;

            }

        }

        radius-disconnect-port 3799;

        radius-disconnect {

            189.90.192.16 secret "$9$nysU/tOeK8L7Vyls4aJDj/CApIE"; ## SECRET-DATA

        }

        profile PPPoE-Access-Profile {

            accounting-order radius;

            authentication-order radius;

            domain-name-server-inet {

                A.B.C.D;

                A.B.C.D;

            }

            radius {

                authentication-server A.B.C.D;

                accounting-server A.B.C.D;

                options {

                    nas-identifier 4;

                    nas-port-id-delimiter "%";

                    nas-port-id-format {

                        nas-identifier;

                        interface-description;

                    }

                    nas-port-type {

                        ethernet ethernet;

                    }

                    calling-station-id-delimiter :;

                    calling-station-id-format {

                        mac-address;

                    }

                    accounting-session-id-format decimal;

                    client-authentication-algorithm direct;

                    client-accounting-algorithm direct;

                    service-activation {

                        dynamic-profile required-at-login;

                    }

                }

            }

            accounting {

                order radius;

                accounting-stop-on-failure;

                accounting-stop-on-access-deny;

                coa-immediate-update;

                update-interval 10;

                statistics volume-time;

                wait-for-acct-on-ack;

                send-acct-status-on-config-change;

            }

        }

        domain {

            map DEFAULT {

                access-profile PPPoE-Access-Profile;

            }

        }

        radius-options {

            unique-nas-port {

                chassis-id 1;

                chassis-id-width 7;

            }

        }

    }

     

    My freeradius is sending this reply attribute:

     

    Radius service activate attribute is being sent with this value: PPPoE-Rate-Limit(5120k,10240k)

     

    Can someone help me with this.

     

    Thanks.



  • 2.  RE: PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

     
    Posted 08-16-2018 18:00

    Hi,

     

    Could you share the exact set of VSA your're returning from Radius Server? You can get from the authd logs.

    Also, have you tried to manually activate the service to validate you config?

     

    > request network-access aaa subscriber add session-id <inputSubscriberSessionIdHere> service-profile PPPoE-Rate-Limit

     

     



  • 3.  RE: PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

     
    Posted 08-16-2018 20:04

    I tried your config and ran into the same issue.

     

    re0# run show log authd | match fail
    Aug 17 08:16:04.434643 dynamicRequestDecode: Activation Failure (denied) of service required-at-login: service-name "PPPoE-Rate-Limit(5120k,10240k)"
    Aug 17 08:16:04.434655 setDynamicProfileUpdateFailCause: dynamicProfileUpdateResult 5
    Aug 17 08:16:04.434665 setDynamicProfileUpdateErrorMsg: dynamicProfileUpdateErrorMsg: 122 Execution failure
    Aug 17 08:16:04.434780 SEQ SendClientMsg:jpppd-client session-id:12150 reply-code=2 (FAIL), result-subopcode=39 (CONFIG_ERROR), cookie=17, ex_cookie=67, rply_len=4480, num_tlv_blocks=2
    Aug 17 08:16:04.436685 dynamicRequestDecode: Activation Failure (denied) of service required-at-login: service-name "PPPoE-Rate-Limit(5120k,10240k)"
    Aug 17 08:16:04.436696 setDynamicProfileUpdateFailCause: dynamicProfileUpdateResult 5
    Aug 17 08:16:04.436706 setDynamicProfileUpdateErrorMsg: dynamicProfileUpdateErrorMsg: 122 Execution failure
    Aug 17 08:16:04.436814 SEQ SendClientMsg:jpppd-client session-id:12151 reply-code=2 (FAIL), result-subopcode=39 (CONFIG_ERROR), cookie=18, ex_cookie=67, rply_len=4480, num_tlv_blocks=2

     

    -> To fix this, remove any quote if any and add a space between the profile name and ratelimit value.

     

    Problem Condition:

     

    Aug 17 08:16:04.435080 radius-access-accept: Activate-Service (Juniper-ERX-VSA) received: Tag (1) "PPPoE-Rate-Limit(5120k,10240k)"

    Aug 17 08:16:04.436630 ServiceActivate: request="PPPoE-Rate-Limit(5120k,10240k)", serviceName="PPPoE-Rate-Limit, serviceString="PPPoE-Rate-Limit(5120k,10240k)"

     

    Working Condition: It should be like this:

     

    Aug 17 08:18:31.531866 radius-access-accept: Activate-Service (Juniper-ERX-VSA) received: Tag (1) PPPoE-Rate-Limit (5120k,10240k)

    Aug 17 08:18:31.535297 ServiceActivate: request=PPPoE-Rate-Limit (5120k,10240k), serviceName=PPPoE-Rate-Limit, serviceString=PPPoE-Rate-Limit(5120k,10240k)
    Aug 17 08:18:31.535309 ServiceActivate::validateRequest
    Aug 17 08:18:31.535348 ServiceAtLoginRequest::validateRequest
    Aug 17 08:18:31.829103 ServiceActivate: request=PPPoE-Rate-Limit, serviceName=PPPoE-Rate-Limit, serviceString=PPPoE-Rate-Limit

     

    -> I hope you're returning this VSA from Radius to Activate the service is:

    Unisphere-Service-Activate-tag1

     

    -> String Value Returning from Radius:

    PPPoE-Rate-Limit (5120k,10240k)

     

     Here is my test output using your configuration:

     

    re0# run show subscribers extensive
    Type: VLAN
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221226163
    Interface type: Dynamic
    Underlying Interface: ae22
    Dynamic Profile Name: VLAN
    Dynamic Profile Version: 1
    State: Active
    Session ID: 12152
    PFE Flow ID: 764
    VLAN Id: 2000
    Login Time: 2018-08-17 08:18:31 IST

    Type: PPPoE
    User Name: karand-pppoe@jnpr.net
    IP Address: 10.100.0.7
    IP Netmask: 255.255.255.255
    Domain name server inet: 10.1.2.3 10.1.2.3
    Logical System: default
    Routing Instance: default
    Interface: pp0.3221226164
    Interface type: Dynamic
    Underlying Interface: demux0.3221226163
    Dynamic Profile Name: PPPoE-Profile
    Dynamic Profile Version: 1
    MAC Address: 00:11:01:00:00:01
    State: Active
    Radius Accounting ID: 12153
    Session ID: 12153
    PFE Flow ID: 766
    VLAN Id: 2000
    Login Time: 2018-08-17 08:18:31 IST
    Service Sessions: 1
    IP Address Pool: dhcpv4

       Service Session ID: 12155
       Service Session Name: PPPoE-Rate-Limit
       Service Session Version: 1
       State: Active
       Family: inet
       IPv4 Input Filter Name: filter-up_UID1005-pp0.3221226164-in
       IPv4 Output Filter Name: filter-down_UID1007-pp0.3221226164-out
       Service Activation time: 2018-08-17 08:18:31 IST
       Dynamic configuration:
         down-rate: 10240k
         filter-down: filter-down_UID1007
         filter-up: filter-up_UID1005
         shaper-down: shaper-down_UID1006
         shaper-up: shaper-up_UID1004
         up-rate: 5120k

     

     

    To check dynamic-profile PPPoE-Rate-Limit service attached to subscriber interface, use this command:

     

    re0# run show dynamic-profile session client-id 12153
    PPPoE-Profile {
        routing-instances {
            default {
                interface pp0.3221226164;
            }
        }
        interfaces {
            pp0 {
                unit 3221226164 {
                    ppp-options {
                        chap;
                        pap;
                        authentication chap;
                        authentication pap;
                    }
                    pppoe-options {
                        underlying-interface demux0.3221226163;
                        server;
                    }
                    family {
                        inet {
                            unnumbered-address lo0.0;
                        }
                    }
                }
            }
        }
    }
    PPPoE-Rate-Limit {
        interfaces {
            pp0 {
                unit 3221226164 {
                    family {
                        inet {
                            filter {
                                input filter-up_UID1005;
                                output filter-down_UID1007;
                            }
                        }
                    }
                }
            }
        }
        firewall {
            family {
                inet {
                    filter filter-up_UID1005 {
                        interface-specific;
                        term accept {
                            then {
                                policer shaper-up_UID1004;
                                service-filter-hit;
                                accept;
                            }
                        }
                    }
                    filter filter-down_UID1007 {
                        interface-specific;
                        term accept {
                            then {
                                policer shaper-down_UID1006;
                                service-filter-hit;
                                accept;
                            }
                        }
                    }
                }
            }
            policer shaper-up_UID1004 {
                filter-specific;
                logical-interface-policer;
                if-exceeding {
                    bandwidth-limit 5120k;
                    burst-size-limit 1024000000;
                }
                then discard;
            }
            policer shaper-down_UID1006 {
                filter-specific;
                logical-interface-policer;
                if-exceeding {
                    bandwidth-limit 10240k;
                    burst-size-limit 1024000000;
                }
                then discard;
            }
        }
    }

     

    Let me know if you have any doubts.

     



  • 4.  RE: PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

    Posted 08-20-2018 04:44

    Hi everyone,

     

    Thanks a lot for your support. In my case, the problem was a missing IP address in the lo0 interface. As there is a reference to $junos-loopback-interface as the unnumbered address, the IPCP protocol was failing:

     

    lo0 {

        unit 0 {

            family inet {

                address 172.31.100.100/32;

            }

        }

    }

     

    Just added this to the config and it worked. 



  • 5.  RE: PPPoE Dynamic Profiles and Radius Service-Activate attribute problem

    Posted 06-09-2023 06:32
    Edited by PREET PILLAI 06-09-2023 06:33

    getting connect disconnect issue for pppoe in MX480 

    un  9 15:46:05.909201 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:06.208953  ======= Accounting STOP-on-Fail triggered ==============
    Jun  9 15:46:06.209141 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:06.209808 accFsmExecute::new state=Acc-Stop-On-Fail-Deny-Sent(5)
    Jun  9 15:46:06.213355 AccFsm::current state=Acc-Stop-On-Fail-Deny-Sent(5) event=11 session-id:9094
    Jun  9 15:46:06.508963 UserAccess:Test_24 session-id:9094 state:log-out ae10.demux0.1111:1111 reason: ppp subscriber-mgr-activation-failed
    Jun  9 15:46:07.309348 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:07.608900  ======= Accounting STOP-on-Fail triggered ==============
    Jun  9 15:46:07.609092 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:07.609766 accFsmExecute::new state=Acc-Stop-On-Fail-Deny-Sent(5)
    Jun  9 15:46:07.613587 AccFsm::current state=Acc-Stop-On-Fail-Deny-Sent(5) event=11 session-id:9096
    Jun  9 15:46:07.908972 UserAccess:Test_24 session-id:9096 state:log-out ae10.demux0.1111:1111 reason: ppp subscriber-mgr-activation-failed
    Jun  9 15:46:08.709267 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:09.108901  ======= Accounting STOP-on-Fail triggered ==============
    Jun  9 15:46:09.109086 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:09.109758 accFsmExecute::new state=Acc-Stop-On-Fail-Deny-Sent(5)
    Jun  9 15:46:09.113523 AccFsm::current state=Acc-Stop-On-Fail-Deny-Sent(5) event=11 session-id:9098
    Jun  9 15:46:09.408719 UserAccess:Test_24 session-id:9098 state:log-out ae10.demux0.1111:1111 reason: ppp subscriber-mgr-activation-failed
    Jun  9 15:46:10.309559 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:10.608874  ======= Accounting STOP-on-Fail triggered ==============
    Jun  9 15:46:10.609055 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:10.609690 accFsmExecute::new state=Acc-Stop-On-Fail-Deny-Sent(5)
    Jun  9 15:46:10.613487 AccFsm::current state=Acc-Stop-On-Fail-Deny-Sent(5) event=11 session-id:9100
    Jun  9 15:46:10.908947 UserAccess:Test_24 session-id:9100 state:log-out ae10.demux0.1111:1111 reason: ppp subscriber-mgr-activation-failed
    Jun  9 15:46:11.709744 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:12.008589  ======= Accounting STOP-on-Fail triggered ==============
    Jun  9 15:46:12.008795 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:12.009468 accFsmExecute::new state=Acc-Stop-On-Fail-Deny-Sent(5)
    Jun  9 15:46:12.012749 AccFsm::current state=Acc-Stop-On-Fail-Deny-Sent(5) event=11 session-id:9102
    Jun  9 15:46:12.308665 UserAccess:Test_24 session-id:9102 state:log-out ae10.demux0.1111:1111 reason: ppp subscriber-mgr-activation-failed
    Jun  9 15:46:13.109240 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:13.508707  ======= Accounting STOP-on-Fail triggered ==============
    Jun  9 15:46:13.508901 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:13.509597 accFsmExecute::new state=Acc-Stop-On-Fail-Deny-Sent(5)
    Jun  9 15:46:13.513407 AccFsm::current state=Acc-Stop-On-Fail-Deny-Sent(5) event=11 session-id:9104
    Jun  9 15:46:13.808701 UserAccess:Test_24 session-id:9104 state:log-out ae10.demux0.1111:1111 reason: ppp subscriber-mgr-activation-failed
    Jun  9 15:46:14.709279 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:15.008580  ======= Accounting STOP-on-Fail triggered ==============
    Jun  9 15:46:15.008764 Failed to correlate access line for UIFL "demux0.1111"
    Jun  9 15:46:15.009420 accFsmExecute::new state=Acc-Stop-On-Fail-Deny-Sent(5)
    Jun  9 15:46:15.012838 AccFsm::current state=Acc-Stop-On-Fail-Deny-Sent(5) event=11 session-id:9106
    Jun  9 15:46:15.308637 UserAccess:Test_24 session-id:9106 state:log-out ae10.demux0.1111:1111 reason: ppp subscriber-mgr-activation-failed
    Jun  9 15:46:16.109260 Failed to correlate access line for UIFL "demux0.1111"

    After getting connected the below output is showing but again get disconnected

    R01_BNG> show subscribers extensive
    Type: PPPoE
    User Name: Test_24
    IP Address: 100.81.2.253
    IP Netmask: 255.255.255.255
    Domain name server inet: 8,8,8,8 1.1.1.1
    Domain name server inet6: 2001:4860:4860::8888 2606:4700:4700::1111
    Logical System: default
    Routing Instance: BNG_1
    Interface: pp0.3221230482
    Interface type: Dynamic
    Underlying Interface: demux0.1111
    Dynamic Profile Name: TR-ip4_v6-ra
    Dynamic Profile Version: 1
    MAC Address: 4c:ae:1c:3d:5f:95
    Idle Timeout (seconds): 600
    Idle Timeout Ingress Only: TRUE
    State: Init
    Radius Accounting ID: 9746
    Session ID: 9746
    PFE Flow ID: 10606
    VLAN Id: 1111
    Login Time: 2023-06-09 15:56:42 IST
    IP Address Pool-ALM-TEST



    ------------------------------
    PREET PILLAI
    ------------------------------