Junos OS

Hello

 

I have questions as for Broadband Access.

Could  ERX-310 include addition information in Acess-Request messages to RADIUS???

(For example: MAC-address, IP-address, VLAN ID).

For authentication subscribers on all parameters (Login, password, MAC-address, IP-address, VLAN ID).

I want do it for pppoe subscribers.

 

Yes, it can.

 

You may use:

MAC-address can be seen at pppoe-description attribute,

IP-address at Framed-IP-Address

Vlan ID at NAS-Port-Id.

 

You should refer to "broadband access Guide"->"Managing Radius and TACACS+" ->Configuring Radius Attributes.

 

 

For examples, this is a packet, which is send to Radius during authentication:

 

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes: ACCESS-REQUEST attributes (default)

WARNING dropped log messages: 1

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      username attr added: test

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      acct-session-id attr added: erx atm 2/0.42:100.103:0006293809

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      user-password attr added: <value withheld>

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      service-type attr added: 2

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      framed-protocol attr added: 1

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      pppoe-description (vsa) attr added: pppoe 12:34:56:78:9a:bc

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      calling-station-id attr added: #ERX-310-41-e1-b0#this is a description#100#103

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      connect-info attr added: speed:UBR:12000

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      nas-port-type attr added: 10

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      nas-port attr added: 20640067

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      nas-port-id attr added: atm 2/0.42:100.103

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      nas-ip-address attr added: xxxxxxx

DEBUG 12/02/2008 16:14:57 MSK radiusSendAttributes:      nas-identifier attr added: ERX-310-41-e1-b0 

Hello
Thank you for operative!
1.But I read in Broadband Access Config Guide that Attribute:

 radius include framed-ip-addr
  * Use to include the Framed-IP-Address attribute in Acct-Start and Acct-Stop messages.
  * You can control inclusion of the attribute by enabling or disabling this command.

  And I thing that framed-ip-addr can't include in Access-Request message to RADIUS from ERX! Could you explain???

2.On my ERX I see:
 ERX-310-43-27-af#sh radius attributes-included
   ..............................................
   framed-ip-address                n/c       n/c       n/c        enabled
   ..............................................
   nas-port-id                      enabled
   ..............................................
   pppoe-description(vsa)           enabled
   ..............................................

All this attributes enable default.

3. On radius I added two attributes for subscriber (nas-port-id, Unispher-Interface-descript) don't correct.
   But my subscriber authentificated don't care.
   Could you explain, please???

1-2. Try to do so:

- configure PPPoE profile and apply it to interface 

- configure local pool at ERX router 

- issue "test aaa" command

- issue user connection from real PC

- collect radius logs and analyze them 

 

In my lab i have following while doing so: ERX has selected IP address from local pool and sent it in Access-Request:

DEBUG 12/02/2008 18:18:28 MSK radiusSendAttributes:      framed-ip-address attr added: 10.10.10.2 

 

3. Sorry, I don't understand your question... What do you mean by saying "don't correct"?

I can provide to you my sniffer (Wireshark). But this sniff doesn't have framed_ip_address attribute.

 

Where are you from?

Do you speak russian?