[j-nsp] FreeRadius/ERX Question

Paul Stewart paul at paulstewart.org
Thu Oct 20 13:40:38 EDT 2011 

Thanks for that...  this is quite lengthy below, apologies for it being so long.

When I say "doesn’t work" this is what I have to share below.  Juniper is telling me that I should see the policy attached to the interface itself (which seems strange to me given that it's on a per subscriber basis).  When I get connected I have no problems doing 100Mbs for sustained periods of time.

Appreciate it,

Paul


FreeRadius Configuration:

pstewart        Auth-Type = System
        Service-Type = Framed-User,
        Framed-IP-Address = xx.xxx.58.253,
        Framed-MTU = 1500,
        ERX-Ingress-Policy-Name = lite,
        ERX-Egress-Policy-Name = lite

Debug output:

DEBUG 10/06/2011 13:56:46 radiusClient: buildAuthRequest: building User Auth Request
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ACCESS-REQUEST attributes (default)
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      username attr added: pstewart at nexicom.net
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      acct-session-id attr added: 0003145754
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      user-password attr added: <value withheld>
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      service-type attr added: 2
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      framed-protocol attr added: 1
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      pppoe-description (vsa) attr added: pppoe 00:22:19:f9:f1:b3
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      calling-station-id attr added: #acc1.millbrook1#E14#80
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-port-type attr added: 15
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-port attr added: 335544400
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-port-id attr added: GigabitEthernet 1/4.80:80
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-ip-address attr added: 76.75.100.74
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-identifier attr added: acc1.millbrook1
DEBUG 10/06/2011 13:56:46 radiusClient: sendPacket: RADIUS Access packet sent (default)
DEBUG 10/06/2011 13:56:46 radiusClient: processGoodAuthResponse enter:
DEBUG 10/06/2011 13:56:46 radiusAttributes: USER ATTRIBUTES: (pstewart at nexicom.net)
DEBUG 10/06/2011 13:56:46 radiusAttributes:      service type attr: 2
DEBUG 10/06/2011 13:56:46 radiusAttributes: total eap message attr length = 0
DEBUG 10/06/2011 13:56:46 radiusAttributes:      framed IP address attr: xx.xxx.58.253
DEBUG 10/06/2011 13:56:46 radiusAttributes:      ingress policy name (vsa) attr: lite
DEBUG 10/06/2011 13:56:46 radiusAttributes:      egress policy name (vsa) attr: lite
DEBUG 10/06/2011 13:56:46 radiusAttributes: getStandardTunnelAttributes: No tunnel type attributes found - skipping all other attributes
INFO 10/06/2011 13:56:46 aaaUserAccess: User: pstewart at nexicom.net; id: GigabitEthernet 1/4.80:80, access granted
NOTICE 10/06/2011 13:56:46 ppp (interface GigabitEthernet1/4.80.1): Authenticate grant - requestId = 14, sessionId = 3145754, message =
DEBUG 10/06/2011 13:56:46 radiusClient: buildAcctRequest: building User Acct Request
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ACCOUNTING-REQUEST attributes (default)
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      acct-status-type attr added: 1
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      username attr added: pstewart at nexicom.net
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      event-timestamp attr added: 1317909406
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      acct-delay-time attr added: 0
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-identifier attr added: acc1.millbrook1
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      acct-session-id attr added: 0003145754
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-ip-address attr added: xx.xx.100.74
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      service-type attr added: 2
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      framed-protocol attr added: 1
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      framed-compression attr added: 0
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      pppoe-description (vsa) attr added: pppoe 00:22:19:f9:f1:b3
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      framed-ip-address attr added: xx.xxx.58.253
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      framed-ip-netmask attr added: 255.255.255.255
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      ingress-policy-name (vsa) attr added: lite
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      egress-policy-name (vsa) attr added: lite
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      calling-station-id attr added: #acc1.millbrook1#E14#80
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-port-type attr added: 15
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-port attr added: 335544400
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      nas-port-id attr added: GigabitEthernet 1/4.80:80
DEBUG 10/06/2011 13:56:46 radiusSendAttributes:      acct-authentic attr added: 1
DEBUG 10/06/2011 13:56:46 radiusClient: buildAcctRequest: returning success
DEBUG 10/06/2011 13:56:46 radiusClient: sendPacket: RADIUS Acct packet sent (default)
INFO 10/06/2011 13:56:46 ppp: Downstream buffer sent on slot 1
INFO 10/06/2011 13:56:46 ppp: Downstream buffer sent on slot 1
INFO 10/06/2011 13:56:46 ppp: Upstream buffer received on slot 1
INFO 10/06/2011 13:56:47 ppp: Downstream buffer sent on slot 1
INFO 10/06/2011 13:56:47 ppp: Downstream buffer sent on slot 1

acc1.millbrook1#show subscribers
                             Subscriber List
                             ---------------
                                                            Virtual
       User Name           Type         Addr|Endpt           Router
------------------------   -----   --------------------   ------------
pstewart at nexicom.net       ppp     xx.xxx.58.253/radius   default
       User Name                      Interface
------------------------   --------------------------------
pstewart at nexicom.net       GigabitEthernet 1/4.80:80
       User Name               Login Time           Circuit Id
------------------------   -------------------   ----------------
pstewart at nexicom.net       11/10/06 09:56:46
       User Name              Remote Id
------------------------   ----------------
pstewart at nexicom.net


acc1.millbrook1#show ip route xx.xxx.58.253
Protocol/Route type codes:
  I1- ISIS level 1, I2- ISIS level2,
  I- route type intra, IA- route type inter, E- route type external,
  i- metric type internal, e- metric type external,
  P- periodic download, O- OSPF, E1- external type 1, E2- external type2,
  N1- NSSA external type1, N2- NSSA external type2
  L- MPLS label, V- VRF, *- via indirect next-hop

  Prefix/Length      Type       Next Hop      Dst/Met          Interface
------------------ --------- --------------- ---------- -----------------------
xx.xxx.58.253/32   AccIntern 0.0.0.0         2/0        GigabitEthernet1/4.80.1


acc1.millbrook1#show classifier-list

                         Classifier Control List Table
                         ---------- ------- ---- -----
IP lite.1 ip any any


acc1.millbrook1#show rate-limit-profile lite

                            Rate Limit Profile Table
                            ---- ----- ------- -----
IP Rate-Limit-Profile: lite
   Profile Type:                   one-rate
   Reference count:                1
   Committed rate:                 128000
   Committed burst:                50 milliseconds
   Excess burst:                   100 milliseconds
   Mask:                           255
  Committed rate action:          transmit
   Conformed rate action:          transmit
   Exceeded rate action:           drop



acc1.millbrook1#show policy-list lite

                                  Policy Table
                                  ------ -----
IP Policy lite
   Administrative state: enable
   Reference count:      0
   Classifier control list: lite, precedence 100
      rate-limit-profile lite
      forward


acc1.millbrook1#show ip interface gigabitEthernet1/4.80.1
GigabitEthernet1/4.80.1 line protocol Ppp is up, ip is up
  Network Protocols: IP
  Unnumbered Interface on loopback0
  ( IP address  xx.xx.100.74 )
  Operational MTU = 1380  Administrative MTU = 0
  Operational speed = 1000000000  Administrative speed = 0
  Discontinuity Time = 219518
  Router advertisement = disabled
  Proxy Arp = disabled
  ARP spoof checking = enabled
  Network Address Translation is disabled
  TCP MSS Adjustment = disabled
  Administrative debounce-time = disabled
  Operational debounce-time    = disabled
  Access routing = enabled: Using xx.xxx.58.253
  Multipath mode = hashed
  Auto Configure = disabled
  Auto Detect = disabled
  Re-Authenticate Auto Detect = disabled
  Append virtual-router name with DSI = disabled
  Inactivity Timer = disabled
  Use Framed Routes = disabled
  Warm-restart initial-sequence-preference: Operational = 0 Administrative = 0

  In Received Packets 261076, Bytes 234486612
    Unicast Packets 259711, Bytes 234346269
    Multicast Packets 1365, Bytes 140343
  In Policed Packets 0, Bytes 0
  In Error Packets 0
  In Invalid Source Address Packets 0
  In Discarded Packets 718
  Out Forwarded Packets 262368, Bytes 242535813
    Unicast Packets 262368, Bytes 242535813
    Multicast Routed Packets 0, Bytes 0
  Out Scheduler Dropped Packets 0, Bytes 0
  Out Policed Packets 0, Bytes 0
  Out Discarded Packets 1

  queue 0: traffic class best-effort, bound to ip GigabitEthernet1/4.80.1
    Queue length 0 bytes
    Forwarded packets 262368, bytes 250406865
    Dropped committed packets 0, bytes 0
    Dropped conformed packets 0, bytes 0
    Dropped exceeded packets 0, bytes 0

-----Original Message-----
From: Bjørn Mork [mailto:bjorn at mork.no] 
Sent: Thursday, October 20, 2011 1:24 PM
To: Paul Stewart
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] FreeRadius/ERX Question

"Paul Stewart" <paul at paulstewart.org> writes:

> We are trying to get a "lite profile" working on ERX platform for 
> PPPOE clients.  This would restrict their download/upload speeds on a 
> per user basis via Radius attributes.
>
>  
>
> I have a ticket running at JTAC now for a long time on this - they 
> have now come back and told me I must run Unisphere attributes instead 
> of ERX attributes from Radius.  We are using FreeRadius FYI.

They are probably referring to their official Steel-Belted Radius dictionary, which names the attributes like that.  See e.g
  http://www.juniper.net/techpubs/software/junos/junos112/radius-dictionary/unisphereDictionary_for_JUNOS_v11-2.dct

(for some reason the JUNOSe dictionary links now requires login while the one JUNOS dictionaries still can be downloaded by anyone, including the above "vendorid 4874" one, which applies to both the ERX and the MX subscriber platform.  Strange).

> Am I doing something wrong here?  I checked and all the dictionary 
> files appear to be intact including those attributes . seems like a 
> FreeRadius issue possibly.

The default FreeRADIUS dictionary use the "ERX" prefix everywhere, regardless of whether Juniper uses "Unisphere", "ERX" or the recent "Jnpr" prefix.  I am not sure which solution is least confusing.  But I do not fancy having a mix of vendor prefixes in the same vendor specific dictionary. And Terje started the show by changing the "Unisphere" names to "ERX" int the first place. So when I recently sent an update to FreeRADIUS for the attributes added in JUNOS 11.2, I chose to continue using the ERX prefix despite Juniper using "Jnpr".

Anyway, if in doubt, check the actual attribute numbers. 

> Anyone else doing something similar?  Are you using these attributes?  
> When we use ERX-Ingress-Policy-Name we can see the policy appearing on 
> a debug with the ERX box but it doesn't work.

ERX-Ingress-Policy-Name is correct.

Define "doesn't work".  It is supposed to work.  


Bjørn

More information about the juniper-nsp mailing list