[j-nsp] Subscriber Management with RADIUS authentication question

Alex D. listensammler at gmx.de
Thu Dec 21 08:03:38 EST 2017


Hi,

i have a running Subscriber Management setup in my testlab with Juniper MX5 running JUNOS15.1R6.7. MX is functioning as DHCP proxy and forwards all DHCP requests to an external DHCP server after successful authentication against a RADIUS server based on DHCP Option 82 remote-id. RADIUS server send Juniper VSA #1 (Virtual-Router) to put different subscribers in service-specific VRFs.
This works fine so far....

Let's come to my problem now:
I change an user profile on my RADIUS server, e.g. adjust the respective RADIUS attribute to map him into another VRF. After that, I reset the particular DSL port so that his CPE resynchronize and send a new DHCP request. Unexpectedly, MX5 doesn't send a new authentication request to the RADIUS server but relays the DHCP request to the DHCP server only. So that I don't get the previously updated RADIUS attributes. I have to mention, that the Juniper box doesn't "know" that I forced the subscriber CPE to resynchronize and therefore the subscriber is still listed in the output of "show subscribers".

On the other hand, when I do a "clear dhcp relay binding routing-instance VRF_XYZ all" before resynchronize a customer CPE, the MX5 sends a RADIUS authentication request again after receiving the DHCP discover from the client.

Because of this behavior, it seems that my MX5 does some "caching" and doesn't send subsequent requests to the RADIUS server as long as there is a dhcp relay binding. Does anybody knows this problem and is there a configuration option to "fix" it ?

Regards,
Alex



More information about the juniper-nsp mailing list