[j-nsp] Ascend-??? radius attributes on Juniper ERX
Goldschmidt, Bernd
bernd.goldschmidt at siemens.com
Wed Mar 29 08:06:28 EST 2006
Hello,
The ERX expects the Ascend-Data-Filter in a special attribute format (abinary).
If the format is incorrect, the ERX will ignore the attribute; see the test below.
We use FreeRADIUS in our lab.
Regards,
Bernd.
##########################################################################
/etc/raddb/dictionary.ascend
##########################################################################
ATTRIBUTE X-Ascend-Data-Filter 242 abinary
...
ATTRIBUTE Attr242 242 abinary # stupid format
...
ATTRIBUTE Ascend-Data-Filter 242 string
-> special format type needed
##########################################################################
/etc/raddb/users
##########################################################################
ascend2 Auth-Type := local, User-Password == "ascend"
        X-Ascend-Data-Filter = "ip in drop dstip 100.9.2.24/32"
ascend3 Auth-Type := local, User-Password == "ascend"
        Ascend-Data-Filter = "ip in drop dstip 100.9.2.24/32"
ascend Auth-Type := local, User-Password == "ascend"
        Attr242 = "ip in drop dstip 100.9.2.24/32",
        Attr242 += "ip in forward srcip 10.20.197.25/32",
        Attr242 += "ip in drop"
##########################################################################
Test
##########################################################################
burkhard#test aaa ppp ascend ascend
************ user attributes *************
Authentication Grant
idle Timeout - 0
session Timeout - 0
accounting Timeout - 600
Client IP Address - 100.1.1.9
Client IP Netmask - 255.255.255.255
Client IPv6 Interface Id - 0:0:0:0
primary DNS IP Address - 149.246.3.2
secondary DNS IP Address - 139.24.238.200
primary IPv6 DNS IP Address - ::
secondary IPv6 DNS IP Address - ::
primary WINS IP Address - 192.168.2.176
secondary WINS IP Address - 192.168.2.176
SA Validate - disabled
IGMP - disabled
router context - default
local interface - loopback 0
IPv6 router context - default
IPv6 local interface - <NULL>
filter command 1 0 1 0 0 0 0 0 d9 59 1d f7 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0
filter command 1 1 1 0 a 14 c5 f6 0 0 0 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0
filter command 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0
IPv6 inhibited
************ no ppp attributes *************
pausing 5 seconds before disconnecting test user, ascend
burkhard#test aaa ppp ascend2 ascend
************ user attributes *************
Authentication Grant
idle Timeout - 0
session Timeout - 0
accounting Timeout - 600
Client IP Address - 100.1.1.10
Client IP Netmask - 255.255.255.255
Client IPv6 Interface Id - 0:0:0:0
primary DNS IP Address - 149.246.3.2
secondary DNS IP Address - 139.24.238.200
primary IPv6 DNS IP Address - ::
secondary IPv6 DNS IP Address - ::
primary WINS IP Address - 192.168.2.176
secondary WINS IP Address - 192.168.2.176
SA Validate - disabled
IGMP - disabled
router context - default
local interface - loopback 0
IPv6 router context - default
IPv6 local interface - <NULL>
filter command 1 0 1 0 0 0 0 0 d9 59 1d f7 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0
IPv6 inhibited
************ no ppp attributes *************
pausing 5 seconds before disconnecting test user, ascend2
burkhard#test aaa ppp ascend3 ascend
************ user attributes *************
Authentication Grant
idle Timeout - 0
session Timeout - 0
accounting Timeout - 600
Client IP Address - 100.1.1.11
Client IP Netmask - 255.255.255.255
Client IPv6 Interface Id - 0:0:0:0
primary DNS IP Address - 149.246.3.2
secondary DNS IP Address - 139.24.238.200
primary IPv6 DNS IP Address - ::
secondary IPv6 DNS IP Address - ::
primary WINS IP Address - 192.168.2.176
secondary WINS IP Address - 192.168.2.176
SA Validate - disabled
IGMP - disabled
router context - default
local interface - loopback 0
IPv6 router context - default
IPv6 local interface - <NULL>
IPv6 inhibited
************ no ppp attributes *************
pausing 5 seconds before disconnecting test user, ascend3
burkhard#
######
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Blaz Zupan
> Sent: Tuesday, March 28, 2006 7:43 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Ascend-??? radius attributes on Juniper ERX
>
> Is there a reason why Ascend-Data-Filter would be ignored on a Juniper ERX
> BRAS? We do not have direct access to the BRAS (it is owned by the incumbent
> telco) but would like to configure filters using Ascend-Data-Filter. According
> to the Juniper documentation, the attribute is supported and there are no
> special commands to turn it on. The same radius profile works just fine with a
> Cisco BRAS, so it must be something specific to the ERX. Interestingly enough,
> the Ascend-Client-Primary-Dns attribute does not work either, it should also
> be supported according to the documentation. So the problem seems to be
> specific to the Ascend-* attributes, other VSAs work just fine (like the
> Unisphere-* VSAs, for example Unisphere-Primary-Dns).
>
> And no, we do not want to use Unisphere-Ingress-Policy-Name and
> Unisphere-Egress-Policy-Name, as we want to control the filters from the
> radius server, not select an already preconfigured filter on the BRAS.
>
> Any help will be appreciated.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
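Added example, not part of the original message: a small decoder that turns the 32-byte "filter command" rows printed by `test aaa ppp` back into readable filter rules, so the filters the ERX actually accepted can be checked against the RADIUS profile. The byte layout (type, forward flag, direction, source/destination address, prefix lengths) is an assumption based on the commonly documented Ascend binary filter layout and is consistent with the rows shown above; the function names are hypothetical.

```python
import ipaddress
import re

# "filter command" rows from the test output above, still line-wrapped.
SAMPLE = """\
filter command 1 0 1 0 0 0 0 0 d9 59 1d f7 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0
filter command 1 1 1 0 a 14 c5 f6 0 0 0 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0
filter command 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0
IPv6 inhibited
"""

HEX = re.compile(r"^[0-9a-f]{1,2}$")


def extract_filters(text):
    """Collect the bytes of each 'filter command' row, joining wrapped lines."""
    rows, cur = [], None
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] == ["filter", "command"]:
            cur = []
            rows.append(cur)
            toks = toks[2:]
        elif (cur is None or len(cur) >= 32 or not toks
              or not all(HEX.match(t) for t in toks)):
            cur = None          # not a continuation line of a filter row
            continue
        cur.extend(int(t, 16) for t in toks)
    return [bytes(r) for r in rows]


def decode_ip_filter(raw):
    """Render one abinary IP filter (assumed layout) as readable text."""
    if len(raw) != 32 or raw[0] != 1:
        raise ValueError("not a 32-byte IP filter")
    parts = ["ip", "in" if raw[2] else "out", "forward" if raw[1] else "drop"]
    # Assumed offsets: 4-7 source, 8-11 destination, 12/13 prefix lengths.
    for name, addr, mask in (("dstip", raw[8:12], raw[13]),
                             ("srcip", raw[4:8], raw[12])):
        if mask:
            parts.append(f"{name} {ipaddress.IPv4Address(addr)}/{mask}")
    if any(raw[14:]):
        parts.append("(+ protocol/port fields not decoded)")
    return " ".join(parts)


if __name__ == "__main__":
    for raw in extract_filters(SAMPLE):
        print(decode_ip_filter(raw))
```

For the rows posted above, the decoded prefixes are 217.89.29.247/32 and 10.20.197.246/32, which are not the ones in the users file excerpt, so compare against the profile that was actually loaded.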