[j-nsp] Subscriber service configuration
Sander Steffann
sander at steffann.nl
Thu Nov 5 07:01:15 EST 2020
Hi all,
I'm having trouble getting a simple dynamic subscriber service to work.
The use case:
* Most customers have an unfiltered connection
* But a subset of customers wants a simple firewall filter applied
Shouldn't be too hard, but I can't get it to work.
Here is what I have done so far:
access {
    radius-server {
        10.100.40.3 {
            secret "blabla";
            routing-instance mgmt_junos;
        }
    }
    profile radius {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 10.100.40.3;
            accounting-server 10.100.40.3;
            options {
                revert-interval 0;
            }
        }
    }
}
dynamic-profiles {
    vlan-profile {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    demux-source [ inet inet6 ];
                    proxy-arp;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    family inet {
                        unnumbered-address lo0.0;
                    }
                    family inet6 {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
    basic-profile {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            $junos-subscriber-ip-address;
                        }
                        unnumbered-address lo0.0;
                    }
                    family inet6 {
                        demux-source {
                            "$junos-subscriber-ipv6-multi-address";
                        }
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
        protocols {
            router-advertisement {
                interface demux0.0 {
                    managed-configuration;
                    solicit-router-advertisement-unicast;
                }
            }
        }
    }
}
interfaces {
    xe-0/1/1 {
        flexible-vlan-tagging;
        auto-configure {
            stacked-vlan-ranges {
                dynamic-profile vlan-profile {
                    accept any;
                    ranges {
                        any,any;
                    }
                }
            }
        }
    }
}
system {
    services {
        dhcp-local-server {
            dhcpv6 {
                group access {
                    overrides {
                        protocol-attributes default;
                        dual-stack access;
                    }
                    interface xe-0/1/1.0;
                }
            }
            group access {
                overrides {
                    protocol-attributes default;
                    dual-stack access;
                }
                interface xe-0/1/1.0;
            }
            dual-stack-group access {
                authentication {
                    password unused;
                    username-include {
                        mac-address;
                    }
                }
                access-profile radius;
                dynamic-profile basic-profile;
                on-demand-address-allocation;
                classification-key {
                    mac-address;
                }
                liveness-detection {
                    failure-action clear-binding;
                    method {
                        layer2-liveness-detection {
                            transmit-interval 300;
                            max-consecutive-retries 3;
                        }
                    }
                }
                reauthenticate lease-renewal;
            }
        }
        subscriber-management {
            enable;
        }
    }
}
So far so good, this works. The radius server returns:
RADIUS Protocol
Code: Access-Accept (2)
Packet identifier: 0x1b (27)
Length: 46
Authenticator: blabla
[This is a response to a request in frame 3]
[Time from request: 0.001345065 seconds]
Attribute Value Pairs
AVP: t=Framed-IP-Address(8) l=6 val=185.83.35.140
Type: 8
Length: 6
Framed-IP-Address: 185.83.35.140
AVP: t=Delegated-IPv6-Prefix(123) l=20 val=2001:9e7:2000:300::/56
Type: 123
Length: 20
Delegated-IPv6-Prefix: 0038200109e7200003000000000000000000
and the customer gets their addresses through DHCP. All good.
Now I tried to add this bit:
dynamic-profiles {
    demo-filter {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    family inet {
                        filter {
                            input demo-filter-v4;
                        }
                    }
                    family inet6 {
                        filter {
                            input demo-filter-v6;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter demo-filter-v4 {
            interface-shared;
            term capture-http {
                from {
                    protocol [ tcp udp ];
                    destination-port [ http https ];
                }
                then {
                    routing-instance FilterVRF;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
    family inet6 {
        filter demo-filter-v6 {
            interface-shared;
            term capture-http {
                from {
                    payload-protocol [ tcp udp ];
                    destination-port [ http https ];
                }
                then {
                    routing-instance FilterVRF;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}
And I try to activate it as a service with this radius reply:
RADIUS Protocol
Code: Access-Accept (2)
Packet identifier: 0x1c (28)
Length: 66
Authenticator: blabla
[This is a response to a request in frame 5]
[Time from request: 0.003968872 seconds]
Attribute Value Pairs
AVP: t=Framed-IP-Address(8) l=6 val=185.83.35.200
Type: 8
Length: 6
Framed-IP-Address: 185.83.35.200
AVP: t=Delegated-IPv6-Prefix(123) l=20 val=2001:9e7:2000:400::/56
Type: 123
Length: 20
Delegated-IPv6-Prefix: 0038200109e7200004000000000000000000
AVP: t=Vendor-Specific(26) l=20 vnd=Juniper Networks/Unisphere(4874)
Type: 26
Length: 20
Vendor ID: Juniper Networks/Unisphere (4874)
VSA: t=Unisphere-Service-Activate(65) l=14 Tag=0x01 val=demo-filter
Type: 65
Length: 14
Tag: 0x01
Unisphere-Service-Activate: demo-filter
And things stop working… I tried finding the reason in the logs, but the
only things that seem relevant are:
Nov 5 12:48:49.437685 Radius result is CLIENT_REQ_STATUS_SUCCESS
Nov 5 12:48:49.437702 Parsing RADIUS message for session-id:46
Nov 5 12:48:49.437717 radius-access-accept: Framed-IP-Address received: 185.83.35.200
Nov 5 12:48:49.437735 radius-access-accept: Delegated-IPv6-Prefix ignored
Nov 5 12:48:49.437749 radius-access-accept: Activate-Service (Juniper-ERX-VSA) received: Tag (1) demo-filter
Nov 5 12:48:49.437759 Framework - module(radius) return: SUCCESS
Nov 5 12:48:49.437766 authd_advance_module_for_aaa_response_msg: result:2
So radius response seems to arrive ok. I guess the delegated IPv6 prefix
is ignored because this is in response to an IPv4 DHCP request.
It then appears to add the service like it would when receiving a CoA:
Nov 5 12:48:49.438491 createDynamicRequest: (2) received
Nov 5 12:48:49.438526 CoARequest CTOR 0x0x9b4fa6c
Nov 5 12:48:49.438533 createDynamicRequest: isBulkCoaRequest 0
Nov 5 12:48:49.438545 buildAndAddRequest:4872 session-id:46 activate demo-filter
Nov 5 12:48:49.438696 ServiceActivate: request=demo-filter, serviceName=demo-filter, serviceString=demo-filter
Nov 5 12:48:49.438705 buildAndAddRequest:4931 Setting subSessionId 46 and NO serviceSessionId
Nov 5 12:48:49.438713 finishAddRequest:4727
Nov 5 12:48:49.438719 ServiceActivate::validateRequest
Nov 5 12:48:49.438732 Decoding the Dynamic-Service=demo-filter. Request=<demo-filter>
Nov 5 12:48:49.438742 finishAddRequest:4779
But then (verbose):
Nov 5 12:48:49.800804 haveServicesToInstantiate: session-id:46, family: FAMILY_TYPE_INET, existing dynRequest, services Pending, Auth State AuthClntRespWait
Nov 5 12:48:49.800815 Auth-FSM: reinterpretFsmEvent 12 to 15
Nov 5 12:48:49.800828 AuthFsm::current state=AuthClntRespWait(4) event=15 astEntry=0x9886698 aaa msg=0x994b06c session-id:46
Nov 5 12:48:49.800839 Auth-FSM: Trigger service creations received @ login. session-id:46 dynrequest does exist
Nov 5 12:48:49.800859 Dynamic Service Creation Handler session-id:46
Nov 5 12:48:49.800867 smmServiceCreate::index:0 service:demo-filter marked-as-processed:0
Nov 5 12:48:49.800878 Setting smiFlags=3 in SDB
Nov 5 12:48:49.800924 createServiceSession Subscriber 46 created service 47 accurate-acc 0
Nov 5 12:48:49.801025 persistOnlyPrivateDataWithState:973 session-id:47 with new state -1
Nov 5 12:48:49.801043 smmServiceCreate: Family NOT Set 0
Nov 5 12:48:49.801050 smmServiceCreate::Created :1 services entries
Nov 5 12:48:49.801057 cleanServiceList: numRequests 1
Nov 5 12:48:49.801068 rebuildServiceRequestList: session-id:46 requestedConfigBitsFamilyType 1
Nov 5 12:48:49.801080 rebuildServiceRequestList: FamilyMatch TRUE
Nov 5 12:48:49.801123 ServiceActivate: request=demo-filter, serviceName=demo-filter, serviceString=demo-filter
Nov 5 12:48:49.801134 Found an existing service AST entry session-id:47 for demo-filter
Nov 5 12:48:49.801175 Found an existing service AST entry session-id:47 for demo-filter
Nov 5 12:48:49.801188 persistOnlyPrivateDataWithState:973 session-id:47 with new state -1
Nov 5 12:48:49.801204 Instantiating dynamic-profile:basic-profile service-session-id:46 subscriber-session-id:46 config-bits:0x00009402 0xf239c0fe
Nov 5 12:48:49.801270 authd_auth_aaa_msg_destroy: removing msg from recv queue
Nov 5 12:48:49.801281 authd_auth_aaa_msg_destruct auth_aaa_msg: 0x994b06c
Nov 5 12:48:49.801294 Auth-FSM: GRES-Mirror for session-id:46 state:AuthServCreateRespWait(7)
Nov 5 12:48:49.801301 doPersistedDataUpdates
Nov 5 12:48:49.801308 persistOnlyPrivateData m_inFlight
Nov 5 12:48:49.844687 smm_response_handle_callback
Nov 5 12:48:49.844714 Ack/Nack from dyn-prof-lib subscriber-session-id:46 session-id:46. result-code:-3, errno = 35, applied_config_bits 0x00009402 0xf239c0fe
Nov 5 12:48:49.844724 No Associated Service
Nov 5 12:48:49.844731 Have Dynamic Request
Nov 5 12:48:49.844739 Subscriber callback received session-id:46
Nov 5 12:48:49.844747 Found an existing service AST entry session-id:47 for demo-filter
Nov 5 12:48:49.844754 Bulked services found in service request entries
Nov 5 12:48:49.844763 Final result code = -3 for service session-id:47
Nov 5 12:48:49.844780 smmHandleDynProfileResponse: DEL Family inet active
Nov 5 12:48:49.844789 SetResponseErrorCause 5
Nov 5 12:48:49.844798 smmSetResponseErrorCause:3386 error_cause 5. No error message set by ESSMD
Nov 5 12:48:49.844805 setDynamicProfileUpdateFailCause: dynamicProfileUpdateResult 5
Nov 5 12:48:49.844812 setDynamicProfileUpdateErrorMsg:6030 dynamicProfileUpdateErrorMsg: 122 Execution failure
Nov 5 12:48:49.844823 SetResponseErrorCause 5 Errormsg 122 Execution failure
Nov 5 12:48:49.844839 ServiceFsm::current state=SvcActivateStart(1) event=6 servAstEntry=0x985f06c service session-id:47
Nov 5 12:48:49.844850 processNackFromPlib:
Nov 5 12:48:49.844857 SMM-FSM: Handle NACK from P-lib for session-id:47
So… "122 Execution failure", "error_cause 5", but no (obvious) clue to
what is wrong…
Any help would be much appreciated, and thanks for reading this wall of
text :)
Cheers!
Sander
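As an added worked example (not part of the original post or of any Juniper code), the script below builds the second Access-Accept exactly as the dissector output above shows it: Framed-IP-Address, an RFC 4818 Delegated-IPv6-Prefix (reserved byte, prefix length 0x38, then the 16 prefix bytes) and a Vendor-Specific(26) attribute for vendor 4874 carrying the tagged Unisphere-Service-Activate(65) sub-attribute. It also parses the result back, which confirms that the lengths on the page (46 and 66 bytes, VSA length 20) and the hex form of the prefix are self-consistent, so a malformed attribute can be ruled out as the cause of the "Execution failure". The 16-byte authenticator is a constructed placeholder, since the page only shows it as "blabla".

```python
import struct
import ipaddress

# Attribute and vendor numbers as they appear in the captured Access-Accept
RADIUS_ACCESS_ACCEPT = 2
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_DELEGATED_IPV6_PREFIX = 123          # RFC 4818
VENDOR_JUNIPER_UNISPHERE = 4874
VSA_UNISPHERE_SERVICE_ACTIVATE = 65

def avp(attr_type, value):
    """RFC 2865 TLV: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def delegated_ipv6_prefix(prefix):
    """RFC 4818 value: Reserved(0x00), Prefix-Length, then all 16 prefix bytes."""
    net = ipaddress.IPv6Network(prefix)
    return avp(ATTR_DELEGATED_IPV6_PREFIX,
               bytes([0, net.prefixlen]) + net.network_address.packed)

def unisphere_service_activate(service, tag=1):
    """Vendor-Specific(26): Vendor-Id(4) + tagged sub-attribute 65 (Tag byte + name)."""
    sub = avp(VSA_UNISPHERE_SERVICE_ACTIVATE, bytes([tag]) + service.encode())
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_JUNIPER_UNISPHERE) + sub)

def access_accept(identifier, authenticator, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attributes))
    return header + authenticator + attributes

def parse_attributes(data):
    """Walk the TLV list; a Length < 2 or one that overruns the buffer is malformed."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute length")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out

def decode_service_activate(vsa_value):
    """Return (tag, service name) from a Vendor-Specific value carrying sub-attribute 65."""
    vendor = struct.unpack("!I", vsa_value[:4])[0]
    (sub_type, sub_value), = parse_attributes(vsa_value[4:])
    assert vendor == VENDOR_JUNIPER_UNISPHERE and sub_type == VSA_UNISPHERE_SERVICE_ACTIVATE
    return sub_value[0], sub_value[1:].decode()

def demo_filter_accept():
    """The second reply from the post: identifier 0x1c, three attributes, placeholder authenticator."""
    attrs = (avp(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("185.83.35.200").packed)
             + delegated_ipv6_prefix("2001:9e7:2000:400::/56")
             + unisphere_service_activate("demo-filter", tag=1))
    return access_accept(0x1c, b"\x00" * 16, attrs)
```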