[j-nsp] subscriber access on MX

Marlon Duksa mduksa at gmail.com
Mon Sep 29 15:50:01 EDT 2008


Hi, does anyone know how to activate (apply) Radius authentication for
subscriber management on an MX node?

I have subscribers configured for dynamic access through an external DHCP
server.
For some reason, I'm getting the DHCP address without being first
authenticated on MX through Radius. I'm monitoring my Radius server and no
requests for authentication are coming in at all.

It looks like the dynamic AAA needs to be applied somewhere, but I'm not sure
where. The documentation (subscriber access) mentions the 'logical-systems'
hierarchy, but this hierarchy does not exist on Junos 9.2.

Here is my config:

# these are dynamic-profiles that should be active on the access interfaces
dynamic-profiles {
    basic-profile {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-underlying-interface-unit";
            }
        }
    }
}


# these two are the access interfaces
interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 1 {
            vlan-id 1;
            family inet {
                unnumbered-address lo0.0 preferred-source-address 1.1.1.1;
            }
        }
        unit 2 {
            vlan-id 2;
            family inet {
                unnumbered-address lo0.0 preferred-source-address 1.1.1.1;
            }
        }
    }
}

# this is dhcp-relay config and this works fine, I'm getting IP address assigned
forwarding-options {
    dhcp-relay {
        server-group {
            test {
                10.0.0.100;
            }
        }
        group test1 {
            active-server-group test;
            interface ge-0/0/0.1;
            interface ge-0/0/0.2;
        }
    }
}


# this is my Radius profile
access {
    radius-server {
        114.0.1.10 secret "$9$4DZGi.PQ/9pTz9pB1rl4aZUk."; ## SECRET-DATA
    }
    profile subs {
        authentication-order radius;
        radius {
            authentication-server 114.0.1.10;
        }
    }
}

This is how I think it should be applied:
access-profile subs;





Thanks,
Marlon

