[j-nsp] Fwd: subscriber access on MX

Marlon Duksa mduksa at gmail.com
Mon Sep 29 18:00:11 EDT 2008


---------- Forwarded message ----------
From: Marlon Duksa <mduksa at gmail.com>
Date: Mon, Sep 29, 2008 at 2:58 PM
Subject: Re: [j-nsp] subscriber access on MX
To: Christopher Hartley <chartley at osc.edu>


hmm, in this case below you have the authenticator hierarchy under dot1x.
But I can't find anything similar in my case, something that would tell DHCP
clients to be authenticated via radius. I have the radius server and profile
under the access hierarchy but I don't know how to apply this to my dynamic
profiles.

In this below, where is the connection between the profile 'subs' (where I
defined radius server) and my DHCP clients coming in on the access
interfaces?

access {
    radius-server {
        114.0.1.10 secret "$9$4DZGi.PQ/9pTz9pB1rl4aZUk."; ## SECRET-DATA
    }
    profile subs {
        authentication-order radius;
        radius {
            authentication-server 114.0.1.10;
        }
    }
}
access-profile subs;


forwarding-options {
    dhcp-relay {
        server-group {
            test {
                10.0.0.100;
            }
        }
        group test1 {
            active-server-group test;
            dynamic-profile basic-profile;
            interface ge-0/0/0.1;
            interface ge-0/0/0.2;
        }
    }
}


dynamic-profiles {
    basic-profile {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-underlying-interface-unit";
            }
        }
    }
}

On Mon, Sep 29, 2008 at 1:07 PM, Christopher Hartley <chartley at osc.edu> wrote:

> How about something like the following.  Note that this is for an EX,
> but it should be the same?
>
> I enabled system authentication-order radius so as to test prior to
> enabling for an authenticator....  EAP will pick your authentication
> mechanism.  I'm using eapmd5...
>
> system {
> ...
>    authentication-order [ radius password ];
> ...
>    radius-server {
>        <REMOVED> {
>            secret "<REMOVED>"; ## SECRET-DATA
>            source-address <REMOVED>;
>        }
>    }
> ...
> }
>
> test at junEX> show configuration protocols dot1x
> traceoptions {
>    file dot1x-trace world-readable;  # for debugging if necessary...
> }
> authenticator {
>    authentication-profile-name rad1;
>    interface {
>        ge-0/0/0.0 {
>            supplicant single-secure;
>            retries 5;
>            no-reauthentication;
>            server-timeout 30;
>            maximum-requests 10;
>            guest-vlan guest1;
>        }
>    }
> }
>



>
> I look forward to seeing your resolution..
>
> >>> "Marlon Duksa" <mduksa at gmail.com> 09/29/08 3:54 PM >>>
> Hi, Does anyone know how to activate (apply) Radius authentication for
> subscriber management on an MX node?
>
> I have subscribers configured for dynamic access through an external DHCP
> server.
> For some reason, I'm getting the DHCP address without being first
> authenticated on MX through Radius. I'm monitoring my Radius server and no
> requests for authentication are coming in at all.
>
> It looks like the dynamic AAA needs to be applied somewhere but I'm not
> sure where. The documentation (subscriber access) mentions the
> 'logical-systems' hierarchy but this hierarchy does not exist on Junos 9.2.
>
> Here is my config:
>
> # these are dynamic-profiles that should be active on the access interfaces
> dynamic-profiles {
>    basic-profile {
>        interfaces {
>            "$junos-interface-ifd-name" {
>                unit "$junos-underlying-interface-unit";
>            }
>        }
>    }
> }
>
>
> # these two are the access interfaces
> interfaces {
>    ge-0/0/0 {
>        vlan-tagging;
>        unit 1 {
>            vlan-id 1;
>            family inet {
>                unnumbered-address lo0.0 preferred-source-address 1.1.1.1;
>            }
>        }
>        unit 2 {
>            vlan-id 2;
>            family inet {
>                unnumbered-address lo0.0 preferred-source-address 1.1.1.1;
>            }
>        }
>    }
> }
> # this is dhcp-relay config and this works fine, I'm getting IP address assigned
> forwarding-options {
>    dhcp-relay {
>        server-group {
>            test {
>                10.0.0.100;
>            }
>        }
>        group test1 {
>            active-server-group test;
>            interface ge-0/0/0.1;
>            interface ge-0/0/0.2;
>        }
>    }
> }
>
>
> # this is my Radius profile
> access {
>    radius-server {
>        114.0.1.10 secret "$9$4DZGi.PQ/9pTz9pB1rl4aZUk."; ## SECRET-DATA
>    }
>    profile subs {
>        authentication-order radius;
>        radius {
>            authentication-server 114.0.1.10;
>        }
>    }
> }
>
> This is how I think should be applied
> access-profile subs;
>
>
>
>
>
> Thanks,
> Marlon