Hello.
I'm testing IPoE dynamic subscriber management on vMX and have encountered a problem.
I'm trying to set "$junos-input-filter" and "$junos-output-filter" on a dynamic interface with values received from RADIUS.
Here is the dynamic profile:
user# show dynamic-profiles
DYNINTF-2VLANS-DHCP-INET {
    predefined-variable-defaults {
        output-filter limit5mbit;
        input-filter limit5mbit;
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                proxy-arp restricted;
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                family inet {
                    filter {
                        input "$junos-input-filter";
                        output "$junos-output-filter";
                    }
                    unnumbered-address lo0.0 preferred-source-address xx.xx.xx.1;
                }
            }
        }
    }
}
[edit]
Here are the filters and policers:
user# show firewall
family inet {
    filter limit10mbit {
        interface-specific;
        term 1 {
            then policer police10mbit;
        }
    }
    filter limit5mbit {
        interface-specific;
        term 1 {
            then policer police5mbit;
        }
    }
}
policer police10mbit {
    if-exceeding {
        bandwidth-limit 10m;
        burst-size-limit 100k;
    }
    then discard;
}
policer police5mbit {
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 100k;
    }
    then discard;
}
Here is the test connection:
user# run show dhcp server binding
IP address     Session Id  Hardware address   Expires  State  Interface
xx.xx.xx.12    40          bc:24:11:90:55:ca  2809     BOUND  ge-0/0/1.3221225510
user# run show interfaces ge-0/0/1.3221225510 extensive
  Logical interface ge-0/0/1.3221225510 (Index 536870990) (SNMP ifIndex 200000078) (Generation 57)
    Flags: Up VLAN-Tag [ 0x8100.123 0x8100.10 ] Encapsulation: ENET2
    Demux:
      Underlying interface: ge-0/0/1 (Index 150)
    Bandwidth: 0
    Traffic statistics:
      Input bytes  : 4660
      Output bytes : 73307
      Input packets: 26
      Output packets: 1438
    Local statistics:
      Input bytes  : 4436
      Output bytes : 4056
      Input packets: 22
      Output packets: 22
    Transit statistics:
      Input bytes  : 224      0 bps
      Output bytes : 69251    0 bps
      Input packets: 4        0 pps
      Output packets: 1416    0 pps
    Protocol inet, MTU: 1500
    Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
    Generation: 0, Route table: 0
      Flags: Unnumbered
      Donor interface: lo0.0 (Index 320)
      Preferred source address: xx.xx.xx.1
      Input Filters: limit5mbit-ge-0/0/1.3221225510-in <--- look at this !
      Output Filters: limit5mbit-ge-0/0/1.3221225510-out <--- look at this !
      Addresses, Flags: Is-Primary
        Destination: Unspecified, Local: xx.xx.xx.1, Broadcast: Unspecified, Generation: 0
As you can see, the default variable values ("limit5mbit") are attached to the dynamic interface, though different values are received from RADIUS:
Excerpt from log:
Nov 20 12:26:07.355747 Parsing RADIUS message for session-id:40
Nov 20 12:26:07.355776 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit <--- look at this !
Nov 20 12:26:07.355787 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit <--- look at this !
Nov 20 12:26:07.355795 Framework - module(radius) return: SUCCESS
Full log:
Nov 20 12:26:07.334202 findSession AST-Table couldn't find the session-id:40
Nov 20 12:26:07.334224 Process/Dispatch Client Message
Nov 20 12:26:07.334231 New Process/Dispatch Client Message
Nov 20 12:26:07.334244 authd_tlv_build_list_from_struct username l =1 offset =56
Nov 20 12:26:07.334252 authd_tlv_build_list_from_struct profile l =1 offset =57
Nov 20 12:26:07.334259 authd_tlv_build_list_from_struct password l =1 offset =58
Nov 20 12:26:07.334267 authd_auth_aaa_msg_create: num_of_tlvs:0 tot_num_of_tlv:0
Nov 20 12:26:07.334273 authd_auth_aaa_msg_create username:() profile:()
Nov 20 12:26:07.334280 Process Request
Nov 20 12:26:07.334289 SEQ RecvClientMsg:jdhcpd-client session-id:40 Opcode:65, Subcode:0 (ACCESS_REQUEST)
Nov 20 12:26:07.334320 Taking a client snapshot, session-id:40
Nov 20 12:26:07.334333 getSubscriberAaaOptionsName
Nov 20 12:26:07.334346 authd_build_req_attr_list_from_sdb_data: The request list is from sdb
Nov 20 12:26:07.334366 createSubscriberSession session-id:40
Nov 20 12:26:07.334373 Taking a client snapshot, session-id:40
Nov 20 12:26:07.334388 createSubscriberSession UserName (bc24.1190.55ca) for session-id:40 from SDB
Nov 20 12:26:07.334396 createSubscriberSession SDB_CLIENT_SESSION_TYPE is 1
Nov 20 12:26:07.334425 AaaService::RoutingContext::ctor/default, ls default, ri default, tn null
Nov 20 12:26:07.334433 AaaService::RoutingContext::ctor/default, ls default, ri default, tn null
Nov 20 12:26:07.334444 Creating SubscriberASTEntry for session-id:40, session name:bc24.1190.55ca
Nov 20 12:26:07.334459 fillSessionDBAttributes: attr type 10003
Nov 20 12:26:07.334466 fillSessionDBAttributes: attr type 10005
Nov 20 12:26:07.334472 fillSessionDBAttributes: attr type 10015
Nov 20 12:26:07.334477 fillSessionDBAttributes: attr type 10185
Nov 20 12:26:07.334488 fillSessionDBAttributes: session-id:40, ifdName: ge-0/0/1
Nov 20 12:26:07.334505 initialize: No access-profile found in the SDB for session-id:40
Nov 20 12:26:07.334513 initialize: Bbe Domain Id found in the SDB for session-id:40
Nov 20 12:26:07.334520 initialize: PhyIfdName found in the SDB for session-id:40
Nov 20 12:26:07.334528 initialize: InterfaceName found in the SDB for session-id:40
Nov 20 12:26:07.334541 initialize: aaa ls:default aaa ri:default; target ls:default target ri: default
Nov 20 12:26:07.334553 AaaService::RoutingContext::assign, ls default, ri default, tn null
Nov 20 12:26:07.334564 setTargetRoutingContextdefault:default
Nov 20 12:26:07.334573 AaaService::RoutingContext::assign, ls default, ri default, tn null
Nov 20 12:26:07.334580 setRoutingContext: Querying the access-profile for user:bc24.1190.55ca on LR/RI:default:default
Nov 20 12:26:07.334590 setRoutingContext: Access Profile Name from context is <RADIUS>)
Nov 20 12:26:07.334607 authd_build_radius_nas_port_and_id: nas-port-id-format order is disabled
Nov 20 12:26:07.334621 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
Nov 20 12:26:07.334628 Taking a client snapshot, session-id:40
Nov 20 12:26:07.334634 authd_get_auth_request_nas_attr: No Agent Circuit ID attribute from SDB
Nov 20 12:26:07.334643 authd_get_auth_request_nas_attr: No Agent Remote ID attribute from SDB
Nov 20 12:26:07.334649 authd_get_auth_request_nas_attr: No interface ATM VPI attribute from SDB
Nov 20 12:26:07.334654 authd_get_auth_request_nas_attr: No interface ATM VCI attribute from SDB
Nov 20 12:26:07.334659 authd_get_auth_request_nas_attr: Recovered from SDB - VPI:-1 VCI:-1 NasPortType:15
Nov 20 12:26:07.334674 NASPortID ins and outs: phy = [ge-0/0/1] ifn = [ge] uifn = [ge-0/0/1.3221225510], ae:0 s:0 a:0 p:1 c:0 su:3221225510 sv:123 v:10
Nov 20 12:26:07.334700 authd_get_interface_nas_port_options Interface Radius-Options for Interface ge-0/0/1 not found
Nov 20 12:26:07.334717 Taking a client snapshot, session-id:40
Nov 20 12:26:07.334752 Taking a client snapshot, session-id:40
Nov 20 12:26:07.334760 authd_build_radius_nas_port_and_id: NASPortID = ge-0/0/1.3221225510:123-10, NASPort = 40000a, CallingStationID =
Nov 20 12:26:07.334780 Finding a client snapshot session-id:40
Nov 20 12:26:07.334819 setRoutingContext: Setting multi-acct-session-id to 0
Nov 20 12:26:07.334825 setAccountingInfo: RADIUS
Nov 20 12:26:07.334830 authd_access_profile_get: profile RADIUS found
Nov 20 12:26:07.334837 setAccountingInfo: service accounting order 0
Nov 20 12:26:07.334844 updateCoaDynamicVariableValidation coaValidation: 0
Nov 20 12:26:07.334852 updateDynamicProfile: session-id:40, old dynamic profile empty, new dynamic profile empty
Nov 20 12:26:07.334859 ../../../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_subscriber_entry.cc:5137 Did not find dynamic-profile in the SDB for session-id:40
Nov 20 12:26:07.334866 JSRC: NOT calling jsrc restore function: - notify off - jsrc id empty
Nov 20 12:26:07.334872 Bundle session id not found, setting to NULL
Nov 20 12:26:07.334878 multi-acct-session-id set to 0
Nov 20 12:26:07.334888 authd_access_profile_get: profile RADIUS found
Nov 20 12:26:07.334894 access profile: RADIUS
Nov 20 12:26:07.334901 On-demand IP address set to 0
Nov 20 12:26:07.334923 SLimit: getEligibleProfile: session-limit is OFF access-profile:RADIUS session-id:40
Nov 20 12:26:07.334932 UserAccess:bc24.1190.55ca session-id:40 Access-profile:RADIUS Multi-Acct-Session-Id:0 ACCESS_REQUEST
Nov 20 12:26:07.334938 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(), username=()
Nov 20 12:26:07.334952 AuthFsm::current state=AuthInit(0) event=1 astEntry=0x4f0506c aaa msg=0x4cede4c session-id:40
Nov 20 12:26:07.334966 authd_access_profile_get: profile RADIUS found
Nov 20 12:26:07.334973 ###################################################################
Nov 20 12:26:07.334978 ########################### AUTH REQ RCVD #########################
Nov 20 12:26:07.334983 ###################################################################
Nov 20 12:26:07.334988 Auth-FSM: Process Auth-Request for session-id:40 username <bc24.1190.55ca> profile <RADIUS>
Nov 20 12:26:07.334994 Auth-FSM: Process Auth-Request V4 for session-id:40
Nov 20 12:26:07.334999 Framework: Starting authentication
Nov 20 12:26:07.335005 authd_access_profile_get: profile RADIUS found
Nov 20 12:26:07.335010 authd_advance_module_for_aaa_request_msg: result:0
Nov 20 12:26:07.335016 Authd module start session-id:40
Nov 20 12:26:07.335025 authd_radius_start_auth: Starting RADIUS authentication session-id:40
Nov 20 12:26:07.335030 authd_radius_get_config: profile RADIUS
Nov 20 12:26:07.335035 authd_radius_get_config: profile RADIUS in arm_profile_radius_tree
Nov 20 12:26:07.335040 authd_radius_get_config:Using radius option config from access profile stanza
Nov 20 12:26:07.335045 authd_access_profile_get: profile RADIUS found
Nov 20 12:26:07.335060 authd_radius_build_basic_auth_request: session-id:40 profile=RADIUS, username=bc24.1190.55ca
Nov 20 12:26:07.335069 radius-access-request: User-Name added: bc24.1190.55ca
Nov 20 12:26:07.335078 radius-access-request: User-Password added: ""
Nov 20 12:26:07.335096 Taking a client snapshot, session-id:40
Nov 20 12:26:07.335107 radius-access-request: Service-Type added: 2
Nov 20 12:26:07.335118 radius-access-request: Chargeable-User-Identity added:
Nov 20 12:26:07.335126 radius-access-request: Acct-Session-Id added: 40
Nov 20 12:26:07.335143 radius-access-request: DHCP-Options (Juniper-ERX-VSA) added: 35 01 01 32 04 55 84 56 0c 0c 0f 6e 65 74 77 6f 72 6b 2d 74 65 73 74 69 6e 67 37 0d 01 1c 02 03 0f 06 77 0c 2c 2f 1a 79 2a
Nov 20 12:26:07.335153 radius-access-request: DHCP-MAC-Address (Juniper-ERX-VSA) added: bc24.1190.55ca
Nov 20 12:26:07.335164 radius-access-request: Framed-IP-Address added: xx.xx.xx.12
Nov 20 12:26:07.335172 radius-access-request: NAS-Identifier added: Juniper-vMX
Nov 20 12:26:07.335199 radius-access-request: NAS-Port added: 00 40 00 0a
Nov 20 12:26:07.335205 radius-access-request: NAS-Port-Id added: ge-0/0/1.3221225510:123-10
Nov 20 12:26:07.335212 radius-access-request: NAS-Port-Type added: 15
Nov 20 12:26:07.335222 radius-access-request: PPPoE-Description (Juniper-ERX-VSA) added: pppoe bc:24:11:90:55:ca
Nov 20 12:26:07.335232 radius-access-request: DHCP-First-Relay-IPv4-Address (Juniper-ERX-VSA) added: xx.xx.xx.1
Nov 20 12:26:07.335260 radius-access-request: DHCP-Header (Juniper-ERX-VSA) added: 01 01 06 00 c2 49 f1 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc 24 11 90 55 ca 00 00 00 00 00 00 00 00 00 00
Nov 20 12:26:07.335276 authd_create_application_specific_radius_server: Evaluating RADIUS server 192.168.77.175 to add to the server list
Nov 20 12:26:07.335281 Evaluating RADIUS server 192.168.77.175 to add to the server list
Nov 20 12:26:07.335287 Verify source address c0a84da5 in routing instance index=0
Nov 20 12:26:07.335316 authd_radius_server_add: server 192.168.77.175 retry 5, timeout 20 acct_request 0
Nov 20 12:26:07.335325 processSessionAttributeNasAddress 40
Nov 20 12:26:07.335330 processSessionAttributeNasAddress return false
Nov 20 12:26:07.335368 Request queued successfully
Nov 20 12:26:07.335375 REQUEST: AUTHEN - module_index 0 module(radius) return: ASYNC
Nov 20 12:26:07.335391 UserAccess:bc24.1190.55ca session-id:40 state:start ge-0/0/1.3221225510:123-10
Nov 20 12:26:07.335399 Auth-FSM: GRES-Mirror for session-id:40 state:AuthStart(1)
Nov 20 12:26:07.355668 authd_radius_get_config: profile RADIUS
Nov 20 12:26:07.355682 authd_radius_get_config: profile RADIUS in arm_profile_radius_tree
Nov 20 12:26:07.355695 authd_radius_get_config:Using radius option config from access profile stanza
Nov 20 12:26:07.355700 RadiusServer: authd_radius_mark_servers_dead : 1 servers radius config, probably config changed
Nov 20 12:26:07.355706 RadiusServer: server[0] used for last request - 192.168.77.175
Nov 20 12:26:07.355720 loadDefaultService:: default service for the subscriber is empty
Nov 20 12:26:07.355725 Radius result is CLIENT_REQ_STATUS_SUCCESS
Nov 20 12:26:07.355740 authd_get_var_list: No dynamic-profile in the AST entry with session-id:40
Nov 20 12:26:07.355747 Parsing RADIUS message for session-id:40
Nov 20 12:26:07.355776 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit <--- look at this !
Nov 20 12:26:07.355787 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit <--- look at this !
Nov 20 12:26:07.355795 Framework - module(radius) return: SUCCESS
Nov 20 12:26:07.355801 authd_advance_module_for_aaa_response_msg: result:2
Nov 20 12:26:07.355821 Taking a client snapshot, session-id:40
Nov 20 12:26:07.355834 Taking a client snapshot, session-id:40
Nov 20 12:26:07.355886 accurate-acc update for subscriber Session-id:40 accurate-acc:1
Nov 20 12:26:07.355898 Finding a client snapshot session-id:40
Nov 20 12:26:07.356009 authd_access_profile_get: profile RADIUS found
Nov 20 12:26:07.356016 authd_auth_update_local_server_address ::Searching access profile RADIUS for local DNS Server
Nov 20 12:26:07.356024 Decoding incoming attributes
Nov 20 12:26:07.356032 Subscriber attribute 10003, length 4
Nov 20 12:26:07.356039 Subscriber attribute 10005, length 4
Nov 20 12:26:07.356046 Subscriber attribute 10015, length 8
Where did I make a mistake, so that the vMX is not updating the filters?
Thanks to everyone in advance for help.
------------------------------
RASHAD RUSTAMOFF
------------------------------
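
The comparison made by eye in the post above (policy names received in the Access-Accept versus the filters actually attached to the subscriber interface) can be run across many sessions. This is an added example, not part of the original post; the function names are hypothetical and the sample strings are constructed from the lines quoted in the post.

```python
import re

DIR = {"Ingress": "in", "Egress": "out", "Input": "in", "Output": "out"}
# Constructed sample inputs, assembled from the lines quoted in the post.
AUTHD_TRACE = """\
Nov 20 12:26:07.355747 Parsing RADIUS message for session-id:40
Nov 20 12:26:07.355776 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit
Nov 20 12:26:07.355787 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: limit10mbit
"""
DHCP_BINDINGS = "xx.xx.xx.12 40 bc:24:11:90:55:ca 2809 BOUND ge-0/0/1.3221225510\n"
IFL_OUTPUT = """\
Logical interface ge-0/0/1.3221225510 (Index 536870990) (SNMP ifIndex 200000078) (Generation 57)
    Input Filters: limit5mbit-ge-0/0/1.3221225510-in
    Output Filters: limit5mbit-ge-0/0/1.3221225510-out
"""

def radius_policies(trace):
    """session-id -> {'in'|'out': policy name} as received in the Access-Accept."""
    found, sid = {}, None
    for line in trace.splitlines():
        # The attribute lines carry no session-id; it comes from the preceding line.
        if m := re.search(r"Parsing RADIUS message for session-id:(\d+)", line):
            sid = int(m.group(1))
        elif sid is not None and (m := re.search(r"(Ingress|Egress)-Policy-Name .*received: (\S+)", line)):
            found.setdefault(sid, {})[DIR[m.group(1)]] = m.group(2)
    return found

def applied_filters(ifl_output):
    """interface -> {'in'|'out': base filter}; strips the <filter>-<ifl>-in/-out suffix seen in the post."""
    found, ifl = {}, None
    for line in ifl_output.splitlines():
        if m := re.match(r"\s*Logical interface (\S+)", line):
            ifl = m.group(1)
        elif ifl and (m := re.match(r"\s*(Input|Output) Filters: (\S+)", line)):
            d = DIR[m.group(1)]
            found.setdefault(ifl, {})[d] = m.group(2).removesuffix(f"-{ifl}-{d}")
    return found

def mismatches(trace, bindings, ifl_output):
    """(session, interface, direction, RADIUS value, applied value) per disagreement."""
    wanted, applied = radius_policies(trace), applied_filters(ifl_output)
    bad = []
    for cols in map(str.split, bindings.splitlines()):
        if len(cols) == 6 and cols[1].isdigit():   # skips the table header row
            sid, ifl = int(cols[1]), cols[5]
            for d, want in wanted.get(sid, {}).items():
                have = applied.get(ifl, {}).get(d)
                if want != have:
                    bad.append((sid, ifl, d, want, have))
    return bad
```

For the session in the post, `mismatches()` reports both directions: RADIUS supplied `limit10mbit` while `limit5mbit` is attached.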