[j-nsp] FreeRadius/ERX Question
Paul Stewart
paul at paulstewart.org
Thu Oct 20 14:43:25 EDT 2011
Thanks Gabe - really appreciate the feedback. I have been trying to avoid the service management license :) It definitely has a number of cool features though...
I have to question the cost of the service manager license on a platform that has 5 years or less left in it, although it's really not expensive; it's just the point of it ;)
Take care,
Paul
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Gabriel Blanchard
Sent: Thursday, October 20, 2011 2:33 PM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] FreeRadius/ERX Question
I would use the service manager. I've run into the same issue and I've never managed to make it work using the ingress/egress filters.
You can do some really cool things with it, such as adjusting a single pppoe session on the fly (without having the user disconnect) using radius initiated change of authorizations.
http://www.juniper.net/techpubs/software/erx/junose60/swconfig-broadband/html/radius-dynamic-request7.html
You can also redirect the user to a web page, again on the fly... say they go over their usage limit.
Here are a few examples:
http://www.juniper.net/techpubs/en_US/junose9.3/information-products/topic-collections/broadband-access/service-definition-examples.html
Only thing is, you will need the service management license.
Gabriel Blanchard
Director, Information Technology
TekSavvy Solutions
On 11-10-20 01:40 PM, Paul Stewart wrote:
> Thanks for that... this is quite lengthy below, apologies for it being so long.
>
> When I say "doesn’t work" this is what I have to share below. Juniper is telling me that I should see the policy attached to the interface itself (which seems strange to me given that it's on a per subscriber basis). When I get connected I have no problems doing 100Mbs for sustained periods of time.
>
> Appreciate it,
>
> Paul
>
>
> FreeRadius Configuration:
>
> pstewart Auth-Type = System
> Service-Type = Framed-User,
> Framed-IP-Address = xx.xxx.58.253,
> Framed-MTU = 1500,
> ERX-Ingress-Policy-Name = lite,
> ERX-Egress-Policy-Name = lite
>
> Debug output:
>
> DEBUG 10/06/2011 13:56:46 radiusClient: buildAuthRequest: building User Auth Request
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ACCESS-REQUEST attributes (default)
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: username attr added: pstewart at nexicom.net
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-session-id attr added: 0003145754
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: user-password attr added:<value withheld>
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: service-type attr added: 2
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-protocol attr added: 1
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: pppoe-description (vsa) attr added: pppoe 00:22:19:f9:f1:b3
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: calling-station-id attr added: #acc1.millbrook1#E14#80
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-type attr added: 15
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port attr added: 335544400
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-id attr added: GigabitEthernet 1/4.80:80
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-ip-address attr added: 76.75.100.74
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-identifier attr added: acc1.millbrook1
> DEBUG 10/06/2011 13:56:46 radiusClient: sendPacket: RADIUS Access packet sent (default)
> DEBUG 10/06/2011 13:56:46 radiusClient: processGoodAuthResponse enter:
> DEBUG 10/06/2011 13:56:46 radiusAttributes: USER ATTRIBUTES: (pstewart at nexicom.net)
> DEBUG 10/06/2011 13:56:46 radiusAttributes: service type attr: 2
> DEBUG 10/06/2011 13:56:46 radiusAttributes: total eap message attr length = 0
> DEBUG 10/06/2011 13:56:46 radiusAttributes: framed IP address attr: xx.xxx.58.253
> DEBUG 10/06/2011 13:56:46 radiusAttributes: ingress policy name (vsa) attr: lite
> DEBUG 10/06/2011 13:56:46 radiusAttributes: egress policy name (vsa) attr: lite
> DEBUG 10/06/2011 13:56:46 radiusAttributes: getStandardTunnelAttributes: No tunnel type attributes found - skipping all other attributes
> INFO 10/06/2011 13:56:46 aaaUserAccess: User: pstewart at nexicom.net; id: GigabitEthernet 1/4.80:80, access granted
> NOTICE 10/06/2011 13:56:46 ppp (interface GigabitEthernet1/4.80.1): Authenticate grant - requestId = 14, sessionId = 3145754, message =
> DEBUG 10/06/2011 13:56:46 radiusClient: buildAcctRequest: building User Acct Request
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ACCOUNTING-REQUEST attributes (default)
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-status-type attr added: 1
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: username attr added: pstewart at nexicom.net
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: event-timestamp attr added: 1317909406
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-delay-time attr added: 0
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-identifier attr added: acc1.millbrook1
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-session-id attr added: 0003145754
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-ip-address attr added: xx.xx.100.74
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: service-type attr added: 2
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-protocol attr added: 1
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-compression attr added: 0
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: pppoe-description (vsa) attr added: pppoe 00:22:19:f9:f1:b3
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-ip-address attr added: xx.xxx.58.253
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-ip-netmask attr added: 255.255.255.255
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ingress-policy-name (vsa) attr added: lite
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: egress-policy-name (vsa) attr added: lite
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: calling-station-id attr added: #acc1.millbrook1#E14#80
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-type attr added: 15
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port attr added: 335544400
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-id attr added: GigabitEthernet 1/4.80:80
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-authentic attr added: 1
> DEBUG 10/06/2011 13:56:46 radiusClient: buildAcctRequest: returning success
> DEBUG 10/06/2011 13:56:46 radiusClient: sendPacket: RADIUS Acct packet sent (default)
> INFO 10/06/2011 13:56:46 ppp: Downstream buffer sent on slot 1
> INFO 10/06/2011 13:56:46 ppp: Downstream buffer sent on slot 1
> INFO 10/06/2011 13:56:46 ppp: Upstream buffer received on slot 1
> INFO 10/06/2011 13:56:47 ppp: Downstream buffer sent on slot 1
> INFO 10/06/2011 13:56:47 ppp: Downstream buffer sent on slot 1
>
> acc1.millbrook1#show subscribers
> Subscriber List
> ---------------
> Virtual
> User Name Type Addr|Endpt Router
> ------------------------ ----- -------------------- ------------
> pstewart at nexicom.net ppp xx.xxx.58.253/radius default
> User Name Interface
> ------------------------ --------------------------------
> pstewart at nexicom.net GigabitEthernet 1/4.80:80
> User Name Login Time Circuit Id
> ------------------------ ------------------- ----------------
> pstewart at nexicom.net 11/10/06 09:56:46
> User Name Remote Id
> ------------------------ ----------------
> pstewart at nexicom.net
>
>
> acc1.millbrook1#show ip route xx.xxx.58.253
> Protocol/Route type codes:
> I1- ISIS level 1, I2- ISIS level2,
> I- route type intra, IA- route type inter, E- route type external,
> i- metric type internal, e- metric type external,
> P- periodic download, O- OSPF, E1- external type 1, E2- external type2,
> N1- NSSA external type1, N2- NSSA external type2
> L- MPLS label, V- VRF, *- via indirect next-hop
>
> Prefix/Length Type Next Hop Dst/Met Interface
> ------------------ --------- --------------- ---------- -----------------------
> xx.xxx.58.253/32 AccIntern 0.0.0.0 2/0 GigabitEthernet1/4.80.1
>
>
> acc1.millbrook1#show classifier-list
>
> Classifier Control List Table
> ---------- ------- ---- ----- IP lite.1 ip
> any any
>
>
> acc1.millbrook1#show rate-limit-profile lite
>
> Rate Limit Profile Table
> ---- ----- ------- ----- IP
> Rate-Limit-Profile: lite
> Profile Type: one-rate
> Reference count: 1
> Committed rate: 128000
> Committed burst: 50 milliseconds
> Excess burst: 100 milliseconds
> Mask: 255
> Committed rate action: transmit
> Conformed rate action: transmit
> Exceeded rate action: drop
>
>
>
> acc1.millbrook1#show policy-list lite
>
> Policy Table
> ------ ----- IP Policy lite
> Administrative state: enable
> Reference count: 0
> Classifier control list: lite, precedence 100
> rate-limit-profile lite
> forward
>
>
> acc1.millbrook1#show ip interface gigabitEthernet1/4.80.1
> GigabitEthernet1/4.80.1 line protocol Ppp is up, ip is up
> Network Protocols: IP
> Unnumbered Interface on loopback0
> ( IP address xx.xx.100.74 )
> Operational MTU = 1380 Administrative MTU = 0
> Operational speed = 1000000000 Administrative speed = 0
> Discontinuity Time = 219518
> Router advertisement = disabled
> Proxy Arp = disabled
> ARP spoof checking = enabled
> Network Address Translation is disabled
> TCP MSS Adjustment = disabled
> Administrative debounce-time = disabled
> Operational debounce-time = disabled
> Access routing = enabled: Using xx.xxx.58.253
> Multipath mode = hashed
> Auto Configure = disabled
> Auto Detect = disabled
> Re-Authenticate Auto Detect = disabled
> Append virtual-router name with DSI = disabled
> Inactivity Timer = disabled
> Use Framed Routes = disabled
> Warm-restart initial-sequence-preference: Operational = 0 Administrative = 0
>
> In Received Packets 261076, Bytes 234486612
> Unicast Packets 259711, Bytes 234346269
> Multicast Packets 1365, Bytes 140343
> In Policed Packets 0, Bytes 0
> In Error Packets 0
> In Invalid Source Address Packets 0
> In Discarded Packets 718
> Out Forwarded Packets 262368, Bytes 242535813
> Unicast Packets 262368, Bytes 242535813
> Multicast Routed Packets 0, Bytes 0
> Out Scheduler Dropped Packets 0, Bytes 0
> Out Policed Packets 0, Bytes 0
> Out Discarded Packets 1
>
> queue 0: traffic class best-effort, bound to ip GigabitEthernet1/4.80.1
> Queue length 0 bytes
> Forwarded packets 262368, bytes 250406865
> Dropped committed packets 0, bytes 0
> Dropped conformed packets 0, bytes 0
> Dropped exceeded packets 0, bytes 0
>
> -----Original Message-----
> From: Bjørn Mork [mailto:bjorn at mork.no]
> Sent: Thursday, October 20, 2011 1:24 PM
> To: Paul Stewart
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] FreeRadius/ERX Question
>
> "Paul Stewart"<paul at paulstewart.org> writes:
>
>> We are trying to get a "lite profile" working on ERX platform for
>> PPPOE clients. This would restrict their download/upload speeds on a
>> per user basis via Radius attributes.
>>
>>
>>
>> I have a ticket running at JTAC now for a long time on this - they
>> have now come back and told me I must run Unisphere attributes instead
>> of ERX attributes from Radius. We are using FreeRadius FYI.
> They are probably referring to their official Steel-Belted Radius dictionary, which names the attributes like that. See e.g.
> http://www.juniper.net/techpubs/software/junos/junos112/radius-dictionary/unisphereDictionary_for_JUNOS_v11-2.dct
>
> (For some reason the JUNOSe dictionary links now require login, while the JUNOS dictionaries can still be downloaded by anyone, including the above "vendorid 4874" one, which applies to both the ERX and the MX subscriber platform. Strange.)
>
>> Am I doing something wrong here? I checked and all the dictionary
>> files appear to be intact including those attributes... seems like a
>> FreeRadius issue possibly.
> The default FreeRADIUS dictionary uses the "ERX" prefix everywhere, regardless of whether Juniper uses "Unisphere", "ERX" or the recent "Jnpr" prefix. I am not sure which solution is least confusing. But I do not fancy having a mix of vendor prefixes in the same vendor specific dictionary. And Terje started the show by changing the "Unisphere" names to "ERX" in the first place. So when I recently sent an update to FreeRADIUS for the attributes added in JUNOS 11.2, I chose to continue using the ERX prefix despite Juniper using "Jnpr".
>
> Anyway, if in doubt, check the actual attribute numbers.
>
>> Anyone else doing something similar? Are you using these attributes?
>> When we use ERX-Ingress-Policy-Name we can see the policy appearing on
>> a debug with the ERX box but it doesn't work.
> ERX-Ingress-Policy-Name is correct.
>
> Define "doesn't work". It is supposed to work.
>
>
> Bjørn
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
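The thread's diagnostic can be automated. This is an added example, not code from the thread or from Juniper: it parses the two artefacts Paul posted (the ERX radiusAttributes debug output and the 'show policy-list' output) and flags a policy name that RADIUS handed to the NAS but that no interface references, which is what his "Reference count: 0" line shows. The sample log and show output below are constructed, modelled on the posted lines, with a documentation-range address in place of the real one.

```python
"""Added example (not the thread's code): cross-check the ERX RADIUS debug
output against 'show policy-list' to spot a policy the NAS accepted from
RADIUS but never attached to the subscriber interface."""
import re

# Constructed sample modelled on the posted radiusAttributes lines.
DEBUG_LOG = """\
DEBUG 10/06/2011 13:56:46 radiusAttributes: service type attr: 2
DEBUG 10/06/2011 13:56:46 radiusAttributes: framed IP address attr: 192.0.2.53
DEBUG 10/06/2011 13:56:46 radiusAttributes: ingress policy name (vsa) attr: lite
DEBUG 10/06/2011 13:56:46 radiusAttributes: egress policy name (vsa) attr: lite
"""

# Constructed 'show policy-list' sample with the same shape as the posted one.
POLICY_LIST = """\
------ ----- IP Policy lite
Administrative state: enable
Reference count: 0
Classifier control list: lite, precedence 100
rate-limit-profile lite
forward
"""

POLICY_RE = re.compile(r"radiusAttributes: (ingress|egress) policy name \(vsa\) attr: (\S+)")

def policies_from_debug(log: str) -> dict:
    """Map direction -> policy name for the VSAs the NAS accepted from RADIUS."""
    return {direction: name for direction, name in POLICY_RE.findall(log)}

def refcounts_from_show(output: str) -> dict:
    """Map policy name -> reference count from 'show policy-list' output."""
    refs, current = {}, None
    for line in output.splitlines():
        m = re.search(r"\bIP Policy (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"Reference count: (\d+)", line)
        if m and current is not None:
            refs[current] = int(m.group(1))
    return refs

def unattached_policies(log: str, show_output: str) -> list:
    """Policy names RADIUS returned that 'show policy-list' shows as unreferenced."""
    wanted = set(policies_from_debug(log).values())
    refs = refcounts_from_show(show_output)
    return sorted(name for name in wanted if refs.get(name, 0) == 0)

if __name__ == "__main__":
    print("RADIUS returned:", policies_from_debug(DEBUG_LOG))
    print("not attached to any interface:", unattached_policies(DEBUG_LOG, POLICY_LIST))
```

Run it against the real 'show policy-list' output and the debug log from the same session; an empty list means the policy was applied and the problem lies elsewhere.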