[j-nsp] Restricting RADIUS Routes for E120

Truman Boyes truman at suspicious.org
Mon Aug 25 08:37:09 EDT 2008


Hi Amr,

Your RADIUS server is located upstream from the E120 right? Ie. It is  
not an access-internal route but rather it is reachable via another  
protocol such as BGP, static, or OSPF. Adjusting protocol preferences  
is less than ideal and you should avoid this in almost all designs.

Why do you say that the performance of the E120 is affected by the  
default route that is assigned to a user?

You can issue 'radius ignore <attribute>' commands to ignore specific  
RADIUS messages that are included in the access-accept. I would not  
just fix the problem here if the issue is really a mistake in a RADIUS  
profile upstream; that would be the best place to fix the issue.

Truman


On 25/08/2008, at 2:21 AM, Amr wrote:

> Dear All,
>            I have a problem in my E120 Router , where i have  
> configured the
> RADIUS Server to send to the Users on the E120 thier IP Subnet so  
> that the
> IP subnets of the users will be "Access-internal" routes as below
>
> E120#sh ip route 10.10.10.10
>  Protocol/Route type codes:
>  I1- ISIS level 1, I2- ISIS level2,
>  I- route type intra, IA- route type inter, E- route type external,
>  i- metric type internal, e- metric type external,
>  P- periodic download, O- OSPF, E1- external type 1, E2- external  
> type2,
>  N1- NSSA external type1, N2- NSSA external type2
>  L- MPLS label, V- VRF, *- via indirect next-hop
>  Prefix/Length      Type       Next Hop      Dst/Met
> Interface
> ------------------ --------- --------------- ----------
> -----------------------
> 10.10.10.10/32   *AccIntern *0.0.0.0         2/0
> GigabitEthernet3/0/0.505252.59
>
>
> but by mistake someone configured the RADIUS to send the default route
> (0.0.0.0.0/0) for a specific user which affects the performance of  
> the E120
> router and modifyed the current default route learned by OSPF
>
> So the Question is
> Is it possible to restrict the routes the comes from the RADIUS  
> Server and
> not accepting it all (e.g denying the default route from the radius) ?
> or
>
> Is it possible to modify the admin distance for the Access-internal  
> routes
> so that it will be higher that the dynamic default route configured  
> on the
> E120 router ?
>
> Appreciate your help
>
> Thanks In Advance
>
> Regards
> Amr
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>



More information about the juniper-nsp mailing list