[j-nsp] Radius - Static IP / ERX

Paul Stewart paul at paulstewart.org
Mon Aug 15 15:19:08 EDT 2011


Thanks Gabe... nice to hear from you...

The test aaa command shows successful user connection but is always giving a
dynamic IP address each time.  I can post the output if it's helpful..

I did test it against our really old Cistron Radius deployment and it has
the same effect - going to try that other suggestion regarding defining the
local interface (tomorrow when back in office).

Take care,

Paul


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Gabriel Blanchard
Sent: Monday, August 15, 2011 1:48 PM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Radius - Static IP / ERX

We have a very similar setup (for some obvious reason) and it works just 
fine. We use Framed-IP-Address. No other attributes are required.

What I suggest is that you try the "test aaa" command in the ERX and try 
to test the login that way from the console and see what's going on.

-Gabe

On 08/15/2011 11:25 AM, Paul Stewart wrote:
> Thanks very much.. I appreciate the input from the list.
>
> The profile looks like this currently:
>
> profile test
> ip virtual-router default
> ip unnumbered loopback 0
> ip mtu 1492
> ip sa-validate
> ip tcp adjust-mss 1460
> ppp authentication virtual-router default pap
> ppp keepalive 120
> ppp fragmentation
> ppp reassembly
> vlan auto-configure pppoe
>
> Is there anything "obvious" wrong with this?  I read in the docs somewhere
> about an option to explicitly permit Radius to assign a subnet to a customer
> - is there a similar statement required to statically assign a single host
> address (bearing in mind that dynamic addresses are coming from a local
> pool)
>
> Would the ERX-Local-Interface be the Loopback0 interface in my case?  It has
> an IP address assigned to it that is reachable etc.
>
> Thanks,
>
> Paul
>
>
> From: Chris Hellberg [mailto:chris at chrishellberg.com]
> Sent: Saturday, August 13, 2011 8:56 AM
> To: Paul Stewart; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Radius - Static IP / ERX
>
> It might be because you don't have an ERX-Local-Interface VSA present. If
> that doesn't work, double-check that it's in your profile. There're one or
> two unexpected cases that you need to have the unnumbered loopback interface
> information explicitly configured. The framed netmask shouldn't be needed.
>
> Regards,
>
> Chris
>
>    _____
>
>
> From: Paul Stewart<paul at paulstewart.org>
> To: juniper-nsp at puck.nether.net
> Sent: Friday, 12 August 2011, 1:35
> Subject: Re: [j-nsp] Radius - Static IP / ERX
>
> Thanks.. yeah the MTU statement is legacy and in place for some other Radius
> authentications....;)
>
> I thought our entries had the Framed-IP-Netmask in them so will have to
> check again as you're right it's not there obviously...  wouldn't think that
> would stop the IP from getting assigned but could be wrong...
>
> Take care,
>
> Paul
>
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
> Sent: August-11-11 2:26 PM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Radius - Static IP / ERX
>
> Once upon a time, Paul Stewart <paul at paulstewart.org> said:
>> Getting ready to cut an ERX into production shortly and the only thing not
>> working is static IP assignments via Radius.  According to the docs, you can
>> use "Framed-IP-Address" the same as we do in Cisco land today.. but it
>> doesn't work.
> Your example entry doesn't have a Framed-IP-Netmask set, which may be
> required.
>
> Also, Framed-MTU is pretty much useless; since PPP is already negotiated
> before RADIUS authentication occurs, link MTU is already established
> before your Framed-MTU entry can have any effect (this has always been
> the case with PPP+RADIUS, but lots of examples show Framed-MTU anyway).
>

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


