[j-nsp] Radius - Static IP / ERX

Bjørn Mork bjorn at mork.no
Fri Aug 12 04:33:55 EDT 2011


Chris Adams <cmadams at hiwaay.net> writes:
> Once upon a time, Paul Stewart <paul at paulstewart.org> said:
>> Getting ready to cut an ERX into production shortly and the only thing not
>> working is static IP assignments via Radius.  According to the docs, you can
>> use "Framed-IP-Address" the same as we do in Cisco land today.. but it
>> doesn't work.
>
> Your example entry doesn't have a Framed-IP-Netmask set, which may be
> required.

No, it's not if you want it to be /32.  I just verified on an E320
running JUNOSe 10.1.2, and setting Framed-IP-Address does work as
expected there.  Using the following FreeRADIUS account:


 foo  Cleartext-Password := bar
       Framed-IP-Address := 192.168.5.5



I get:


e320#show subscribers username foo
                                                                                  Subscriber List                                                                                  
                                                                                  ---------------                                                                                  
                                                                   Virtual                                                                                                         
           User Name              Type         Addr|Endpt           Router                     Interface                      Login Time           Circuit Id         Remote Id    
-------------------------------   -----   --------------------   ------------   ---------------------------------------   -------------------   ----------------   ----------------
foo                               ppp     192.168.5.5/radius     default        GigabitEthernet 3/1/3.9:9                 11/08/12 10:24:10                                        


e320#sh ip route 192.168.5.5
Protocol/Route type codes:
  I1- ISIS level 1, I2- ISIS level2,
  I- route type intra, IA- route type inter, E- route type external,
  i- metric type internal, e- metric type external,
  P- periodic download, O- OSPF, E1- external type 1, E2- external type2,
  N1- NSSA external type1, N2- NSSA external type2
  L- MPLS label, V- VRF, *- via indirect next-hop

  Prefix/Length      Type       Next Hop      Dst/Met                  Interface                
------------------ --------- --------------- ---------- ----------------------------------------
192.168.5.5/32     AccIntern 0.0.0.0         2/0        GigabitEthernet3/1/3.9.12               



You could turn on a bit of debugging.  The "test aaa" command is also
useful for eliminating the obvious.  E.g. something like this (which is
very easy to hit during testing of static IP accounts):

e320#test aaa ppp foo bar
Authentication Deny
    reason = Address assignment failure
    reply msg: duplicate address detected




Bjørn
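
An offline check for one way to run into the "duplicate address detected" failure shown above: two accounts carrying the same Framed-IP-Address. This is an added example, not part of the original post; the baz and quux accounts and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Sample in FreeRADIUS "users" file syntax. The foo entry is the one from
# the post; baz and quux are constructed for this example.
SAMPLE_USERS = """\
foo  Cleartext-Password := bar
       Framed-IP-Address := 192.168.5.5

# constructed account reusing the same static address
baz  Cleartext-Password := qux
       Service-Type = Framed-User,
       Framed-IP-Address := 192.168.5.5

quux Cleartext-Password := corge
       Framed-IP-Address = 192.168.5.6
"""

# Framed-IP-Address set with =, := or += (a "==" check item does not match).
ATTR = re.compile(r"Framed-IP-Address\s*(?::=|\+=|=)\s*\"?([0-9A-Fa-f:.]+)")

def static_addresses(text):
    """Map each Framed-IP-Address to the list of entry names that set it."""
    owners = defaultdict(list)
    user = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment line
        if not line[0].isspace():
            user = line.split()[0]        # an entry starts in column 0
        m = ATTR.search(line)
        if m and user:
            # ip_address() raises ValueError on a malformed address
            owners[ipaddress.ip_address(m.group(1))].append(user)
    return owners

def duplicates(text):
    """Return {address: [users]} for addresses set on more than one entry."""
    return {str(a): u for a, u in static_addresses(text).items() if len(u) > 1}

if __name__ == "__main__":
    for addr, users in duplicates(SAMPLE_USERS).items():
        print(f"{addr} assigned to: {', '.join(users)}")
```
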


