[j-nsp] Subscriber service configuration

Sander Steffann sander at steffann.nl
Thu Nov 5 07:01:15 EST 2020


Hi all,

I'm having trouble getting a simple dynamic subscriber service to work.
The use case:

  * Most customers have an unfiltered connection
  * But a subset of customers wants a simple firewall filter applied

Shouldn't be too hard, but I can't get it to work.

Here is what I have done so far:

access {
    radius-server {
        10.100.40.3 {
            secret "blabla"
            routing-instance mgmt_junos;
        }
    }
    profile radius {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 10.100.40.3;
            accounting-server 10.100.40.3;
            options {
                revert-interval 0;
            }
        }
    }
}
dynamic-profiles {
    vlan-profile {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    demux-source [ inet inet6 ];
                    proxy-arp;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    family inet {
                        unnumbered-address lo0.0;
                    }
                    family inet6 {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
    basic-profile {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            $junos-subscriber-ip-address;
                        }
                        unnumbered-address lo0.0;
                    }
                    family inet6 {
                        demux-source {
                            "$junos-subscriber-ipv6-multi-address";
                        }
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
        protocols {
            router-advertisement {
                interface demux0.0 {
                    managed-configuration;
                    solicit-router-advertisement-unicast;
                }
            }
        }
    }
}
interfaces {
    xe-0/1/1 {
        flexible-vlan-tagging;
        auto-configure {
            stacked-vlan-ranges {
                dynamic-profile vlan-profile {
                    accept any;
                    ranges {
                        any,any;
                    }
                }
            }
        }
    }
}
system {
    services {
        dhcp-local-server {
            dhcpv6 {
                group access {
                    overrides {
                        protocol-attributes default;
                        dual-stack access;
                    }
                    interface xe-0/1/1.0;
                }
            }
            group access {
                overrides {
                    protocol-attributes default;
                    dual-stack access;
                }
                interface xe-0/1/1.0;
            }
            dual-stack-group access {
                authentication {
                    password unused;
                    username-include {
                        mac-address;
                    }
                }
                access-profile radius;
                dynamic-profile basic-profile;
                on-demand-address-allocation;
                classification-key {
                    mac-address;
                }
                liveness-detection {
                    failure-action clear-binding;
                    method {
                        layer2-liveness-detection {
                            transmit-interval 300;
                            max-consecutive-retries 3;
                        }
                    }
                }
                reauthenticate lease-renewal;
            }
        }
        subscriber-management {
            enable;
        }
    }
}

So far so good: this works. The RADIUS server returns:

RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x1b (27)
    Length: 46
    Authenticator: blabla
    [This is a response to a request in frame 3]
    [Time from request: 0.001345065 seconds]
    Attribute Value Pairs
        AVP: t=Framed-IP-Address(8) l=6 val=185.83.35.140
            Type: 8
            Length: 6
            Framed-IP-Address: 185.83.35.140
        AVP: t=Delegated-IPv6-Prefix(123) l=20 val=2001:9e7:2000:300::/56
            Type: 123
            Length: 20
            Delegated-IPv6-Prefix: 0038200109e7200003000000000000000000

and the customer gets their addresses through DHCP. All good.

Now I tried to add this bit:

dynamic-profiles {
    demo-filter {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    family inet {
                        filter {
                            input demo-filter-v4;
                        }
                    }
                    family inet6 {
                        filter {
                            input demo-filter-v6;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter demo-filter-v4 {
            interface-shared;
            term capture-http {
                from {
                    protocol [ tcp udp ];
                    destination-port [ http https ];
                }
                then {
                    routing-instance FilterVRF;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
    family inet6 {
        filter demo-filter-v6 {
            interface-shared;
            term capture-http {
                from {
                    payload-protocol [ tcp udp ];
                    destination-port [ http https ];
                }
                then {
                    routing-instance FilterVRF;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}

And I try to activate it as a service with this radius reply:

RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x1c (28)
    Length: 66
    Authenticator: blabla
    [This is a response to a request in frame 5]
    [Time from request: 0.003968872 seconds]
    Attribute Value Pairs
        AVP: t=Framed-IP-Address(8) l=6 val=185.83.35.200
            Type: 8
            Length: 6
            Framed-IP-Address: 185.83.35.200
        AVP: t=Delegated-IPv6-Prefix(123) l=20 val=2001:9e7:2000:400::/56
            Type: 123
            Length: 20
            Delegated-IPv6-Prefix: 0038200109e7200004000000000000000000
        AVP: t=Vendor-Specific(26) l=20 vnd=Juniper Networks/Unisphere(4874)
            Type: 26
            Length: 20
            Vendor ID: Juniper Networks/Unisphere (4874)
            VSA: t=Unisphere-Service-Activate(65) l=14 Tag=0x01 val=demo-filter
                Type: 65
                Length: 14
                Tag: 0x01
                Unisphere-Service-Activate: demo-filter

And things stop working… I tried finding the reason in the logs, but the
only things that seem relevant are:

Nov  5 12:48:49.437685 Radius result is CLIENT_REQ_STATUS_SUCCESS
Nov  5 12:48:49.437702 Parsing RADIUS message for session-id:46
Nov  5 12:48:49.437717 radius-access-accept: Framed-IP-Address received: 185.83.35.200
Nov  5 12:48:49.437735 radius-access-accept: Delegated-IPv6-Prefix ignored
Nov  5 12:48:49.437749 radius-access-accept: Activate-Service (Juniper-ERX-VSA) received: Tag (1) demo-filter
Nov  5 12:48:49.437759 Framework - module(radius) return: SUCCESS
Nov  5 12:48:49.437766 authd_advance_module_for_aaa_response_msg: result:2

So the RADIUS response seems to arrive OK. I guess the delegated IPv6 prefix
is ignored because this is in response to an IPv4 DHCP request.

It then appears to add the service like it would when receiving a CoA:

Nov  5 12:48:49.438491 createDynamicRequest: (2) received
Nov  5 12:48:49.438526 CoARequest CTOR 0x0x9b4fa6c
Nov  5 12:48:49.438533 createDynamicRequest: isBulkCoaRequest 0
Nov  5 12:48:49.438545 buildAndAddRequest:4872 session-id:46 activate demo-filter
Nov  5 12:48:49.438696 ServiceActivate: request=demo-filter, serviceName=demo-filter, serviceString=demo-filter
Nov  5 12:48:49.438705 buildAndAddRequest:4931 Setting subSessionId 46 and NO serviceSessionId
Nov  5 12:48:49.438713 finishAddRequest:4727
Nov  5 12:48:49.438719 ServiceActivate::validateRequest
Nov  5 12:48:49.438732 Decoding the Dynamic-Service=demo-filter. Request=<demo-filter>
Nov  5 12:48:49.438742 finishAddRequest:4779

But then (verbose):

Nov  5 12:48:49.800804 haveServicesToInstantiate: session-id:46, family: FAMILY_TYPE_INET,  existing dynRequest, services Pending, Auth State AuthClntRespWait
Nov  5 12:48:49.800815 Auth-FSM: reinterpretFsmEvent 12 to 15
Nov  5 12:48:49.800828 AuthFsm::current state=AuthClntRespWait(4) event=15 astEntry=0x9886698 aaa msg=0x994b06c session-id:46
Nov  5 12:48:49.800839 Auth-FSM: Trigger service creations received @ login. session-id:46 dynrequest does exist
Nov  5 12:48:49.800859 Dynamic Service Creation Handler session-id:46
Nov  5 12:48:49.800867 smmServiceCreate::index:0 service:demo-filter marked-as-processed:0
Nov  5 12:48:49.800878 Setting smiFlags=3 in SDB
Nov  5 12:48:49.800924  createServiceSession Subscriber 46 created service 47 accurate-acc 0
Nov  5 12:48:49.801025 persistOnlyPrivateDataWithState:973 session-id:47 with new state -1
Nov  5 12:48:49.801043 smmServiceCreate: Family NOT Set 0
Nov  5 12:48:49.801050 smmServiceCreate::Created :1 services entries
Nov  5 12:48:49.801057 cleanServiceList: numRequests 1
Nov  5 12:48:49.801068 rebuildServiceRequestList: session-id:46 requestedConfigBitsFamilyType 1
Nov  5 12:48:49.801080 rebuildServiceRequestList: FamilyMatch TRUE
Nov  5 12:48:49.801123 ServiceActivate: request=demo-filter, serviceName=demo-filter, serviceString=demo-filter
Nov  5 12:48:49.801134 Found an existing service AST entry session-id:47 for demo-filter
Nov  5 12:48:49.801175 Found an existing service AST entry session-id:47 for demo-filter
Nov  5 12:48:49.801188 persistOnlyPrivateDataWithState:973 session-id:47 with new state -1
Nov  5 12:48:49.801204 Instantiating   dynamic-profile:basic-profile service-session-id:46 subscriber-session-id:46 config-bits:0x00009402 0xf239c0fe
Nov  5 12:48:49.801270 authd_auth_aaa_msg_destroy: removing msg from recv queue
Nov  5 12:48:49.801281 authd_auth_aaa_msg_destruct auth_aaa_msg: 0x994b06c
Nov  5 12:48:49.801294 Auth-FSM: GRES-Mirror for session-id:46 state:AuthServCreateRespWait(7)
Nov  5 12:48:49.801301 doPersistedDataUpdates
Nov  5 12:48:49.801308 persistOnlyPrivateData m_inFlight
Nov  5 12:48:49.844687 smm_response_handle_callback
Nov  5 12:48:49.844714 Ack/Nack from dyn-prof-lib subscriber-session-id:46 session-id:46. result-code:-3, errno = 35, applied_config_bits 0x00009402 0xf239c0fe
Nov  5 12:48:49.844724 No Associated Service
Nov  5 12:48:49.844731 Have Dynamic Request
Nov  5 12:48:49.844739 Subscriber callback received session-id:46
Nov  5 12:48:49.844747 Found an existing service AST entry session-id:47 for demo-filter
Nov  5 12:48:49.844754 Bulked services found in service request entries
Nov  5 12:48:49.844763 Final result code = -3 for service session-id:47
Nov  5 12:48:49.844780 smmHandleDynProfileResponse: DEL Family inet active
Nov  5 12:48:49.844789 SetResponseErrorCause 5
Nov  5 12:48:49.844798 smmSetResponseErrorCause:3386 error_cause 5. No error message set by ESSMD
Nov  5 12:48:49.844805 setDynamicProfileUpdateFailCause: dynamicProfileUpdateResult 5
Nov  5 12:48:49.844812 setDynamicProfileUpdateErrorMsg:6030 dynamicProfileUpdateErrorMsg: 122 Execution failure
Nov  5 12:48:49.844823 SetResponseErrorCause 5 Errormsg 122 Execution failure
Nov  5 12:48:49.844839 ServiceFsm::current state=SvcActivateStart(1) event=6 servAstEntry=0x985f06c service session-id:47
Nov  5 12:48:49.844850 processNackFromPlib:
Nov  5 12:48:49.844857 SMM-FSM: Handle NACK from P-lib for session-id:47

So… "122 Execution failure", "error_cause 5", but no (obvious) clue to
what is wrong…

Any help would be much appreciated, and thanks for reading this wall of
text :)

Cheers!
Sander
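As an added example (not part of Sander's post and not Junos code), the following Python decodes the attribute section of an Access-Accept like the second one shown above, so the raw encodings in the capture can be checked: the Delegated-IPv6-Prefix value `0038200109e7200004...` is a reserved byte, a prefix-length byte (0x38 = 56) and the prefix octets per RFC 4818, and Unisphere-Service-Activate (65) is a tagged string inside a Vendor-Specific attribute for vendor 4874. The packet bytes are constructed from the values in the post; the authenticator is a zero placeholder because the post redacts it, and the attribute-name table covers only the attributes the post uses.

```python
"""Decode RADIUS Access-Accept attributes, including Juniper/Unisphere VSAs.

Constructed example: SAMPLE_ACCESS_ACCEPT re-encodes the second reply in the
post (Framed-IP-Address 185.83.35.200, Delegated-IPv6-Prefix
2001:9e7:2000:400::/56, Unisphere-Service-Activate tag 1 "demo-filter").
"""
import ipaddress
import struct

RADIUS_HEADER_LEN = 20
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_DELEGATED_IPV6_PREFIX = 123
VENDOR_JUNIPER_UNISPHERE = 4874
# Only the VSA the post uses; a real dictionary has many more entries.
UNISPHERE_NAMES = {65: "Unisphere-Service-Activate"}


def decode_delegated_ipv6_prefix(value: bytes) -> str:
    """RFC 4818: 1 reserved octet, 1 prefix-length octet, then the prefix
    octets (at most 16, and at least enough to cover prefix-length)."""
    if len(value) < 2:
        raise ValueError("Delegated-IPv6-Prefix too short")
    reserved, plen = value[0], value[1]
    if reserved != 0 or plen > 128:
        raise ValueError("malformed Delegated-IPv6-Prefix header")
    prefix_octets = value[2:]
    if len(prefix_octets) > 16 or len(prefix_octets) * 8 < plen:
        raise ValueError("prefix octets do not cover prefix-length")
    addr = ipaddress.IPv6Address(prefix_octets.ljust(16, b"\x00"))
    # strict=True rejects host bits set beyond the prefix length
    return str(ipaddress.IPv6Network((addr, plen), strict=True))


def iter_avps(data: bytes):
    """Yield (type, value) pairs from a RADIUS type/length/value sequence,
    refusing lengths that would run past the buffer."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated AVP header")
        avp_type, avp_len = data[off], data[off + 1]
        if avp_len < 2 or off + avp_len > len(data):
            raise ValueError(f"bad AVP length {avp_len} at offset {off}")
        yield avp_type, data[off + 2 : off + avp_len]
        off += avp_len


def decode_tagged_string(value: bytes):
    """Tagged string (RFC 2868 style): first octet is the tag when it is in
    0x01..0x1f, otherwise it is part of the string and the tag is None."""
    if value and 1 <= value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return None, value.decode("ascii")


def decode_attributes(data: bytes) -> list:
    """Return a list of (name, decoded value) for the attribute section."""
    out = []
    for avp_type, value in iter_avps(data):
        if avp_type == ATTR_FRAMED_IP_ADDRESS:
            out.append(("Framed-IP-Address", str(ipaddress.IPv4Address(value))))
        elif avp_type == ATTR_DELEGATED_IPV6_PREFIX:
            out.append(("Delegated-IPv6-Prefix", decode_delegated_ipv6_prefix(value)))
        elif avp_type == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor != VENDOR_JUNIPER_UNISPHERE:
                out.append((f"Vendor-Specific({vendor})", value[4:].hex()))
                continue
            # Unisphere VSAs use the standard vendor type/length sub-format
            for vsa_type, vsa_value in iter_avps(value[4:]):
                name = UNISPHERE_NAMES.get(vsa_type, f"Unisphere-{vsa_type}")
                out.append((name, decode_tagged_string(vsa_value)))
        else:
            out.append((f"Attribute({avp_type})", value.hex()))
    return out


def parse_radius(packet: bytes):
    """Parse header and attributes; returns (code, identifier, attributes)."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length != len(packet):
        raise ValueError(f"Length field {length} does not match packet")
    return code, ident, decode_attributes(packet[RADIUS_HEADER_LEN:length])


# Constructed from the post's second Access-Accept (Length 66, ID 0x1c).
SAMPLE_ACCESS_ACCEPT = bytes.fromhex(
    "02" + "1c" + "0042"                                   # code, id, length
    + "00" * 16                                             # authenticator (placeholder)
    + "0806" + "b95323c8"                                   # Framed-IP-Address
    + "7b14" + "0038200109e7200004000000000000000000"       # Delegated-IPv6-Prefix
    + "1a14" + "0000130a" + "410e" + "01"                   # VSA hdr, vendor 4874, type 65, tag 1
    + "demo-filter".encode().hex()
)

if __name__ == "__main__":
    for name, value in parse_radius(SAMPLE_ACCESS_ACCEPT)[2]:
        print(f"{name}: {value}")
```

Running it prints the three attributes decoded to the same values the capture in the post shows, which confirms the /56 encoding is correct and the service name reaches the router intact; the length checks in `iter_avps` and `parse_radius` are the part worth keeping in any tool that consumes RADIUS from a capture.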