[rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id

Nikolay Abromov nabromov at gmail.com
Thu Aug 5 10:56:28 EDT 2010


Hi Denis,


It's a pure L2 network from the subscriber port to the SE, where I am
using dynamic clips and a local DHCP server (the SE itself). I am
identifying each subscriber using relay-agent by adding
circuit-id/remote-id per port on the switch/per subscriber. One of my
ideas was exactly the same, to reduce the lease time, but I wasn't sure
whether that is going to force re-authentication, so I decided to ask
before trying it.

About my second question. Technically it's not a problem to limit the
number of MAC addresses behind each port; however, I cannot do it
because of administrative reasons. So I've been asked to find a way to
limit the number of IP addresses that the SE is giving, and the
only way to identify each subscriber is by the "Remote-ID".

The only available solution I can see for now is the use of CoA RADIUS.



It's quite a basic configuration, as you can see.



 aaa authentication subscriber radius
 aaa accounting subscriber radius attribute-guided
 aaa accounting reauthorization subscriber radius
 aaa update subscriber 10
 aaa reauthorization bulk radius
 radius accounting server Y.Y.172.134 encrypted-key CUT
!
-- CUT --
!
 radius server Y.Y.172.134 encrypted-key CUT
 radius timeout 60
 radius attribute nas-port-id format agent-circuit-id agent-remote-id
 radius server-timeout 60
!
 subscriber default
   dhcp max-addrs 1
!
 ip route 0.0.0.0/0 X.X.24.37
 service ssh
!
 dhcp server policy
   option domain-name-server X.X.172.130 X.X.172.138
   subnet X.X.172.0/25
     range X.X.172.2 X.X.172.99
     option router X.X.172.1


!
end



Redback#show subscribers active
00:21:e8:89:fd:5f
        Agent Remote ID   "00060d61a1e801d"
        Circuit   lg id 25 vlan-id 1029 clips 262156
        Internal Circuit   255/22:1:26/7/2/12
        Interface bound  SUBSCRIBERS
        Current port-limit unlimited
        dhcp max-addrs 1 (applied)
        dhcp vendor class id udhcp 1.2.1 (applied)
        dhcp option client id 0x3d07010021e889fd5f (applied)
          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
                X.X.172.5    00:21:e8:89:fd:5f
00:24:36:a2:cc:9f
        Agent Remote ID   "00060d61a1e801d"
        Circuit   lg id 25 vlan-id 1029 clips 262159
        Internal Circuit   255/22:1:26/7/2/15
        Interface bound  SUBSCRIBERS
        Current port-limit unlimited
        dhcp max-addrs 1 (applied)
        dhcp option client id 0x3d0701002436a2cc9f (applied)
        dhcp option hostname 0x0c1b4961696e2d44756e736d6f7265732d54696d652d43617073756c65 (applied)
          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
                X.X.172.8    00:24:36:a2:cc:9f




Thank you in advance



On Thu, Aug 5, 2010 at 2:34 PM, Denis Mikhaylovskiy
<denis.mikhaylovskiy at ericsson.com> wrote:
> Hi Nikolay
>
> I assume you are using dynamic clips?
> Which mode is the SE in? DHCP Proxy? Please provide more details.
> To answer your first question, in the common case you can control this by reducing the lease time, let's say to 30 min.
>
> But the answer to the second question depends on your details again. You say customer = circuit-id/agent-remote-id. Does it mean you have several MACs per access port on your switch? Which network do you have, L2 or L3, between the access switches and the SE?
>
>
> /denis
>
> -----Original Message-----
> From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Nikolay Abromov
> Sent: Wednesday, August 04, 2010 7:32 PM
> To: redback-nsp at puck.nether.net
> Subject: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
>
> Hello Group,
>
> I have the following questions.
>
> I am using radius to authenticate my subscribers, and if a client has
> been authenticated once and he/she went offline for a couple of hours and
> came back online, the SmartEdge replies on behalf of the radius server
> without notifying the radius. I would like to change this behavior and
> force the SE to send a re-authentication request every 30min.
>
> Another thing I'd like to achieve is to set the maximum number of
> subscribers behind a single agent-circuit-id and/or agent-remote-id. I
> know how to do it via the radius configuration, but I've been asked
> whether it can be done with static configuration. With DHCP MAX-ADDR I can
> limit the number of IP addresses given per single MAC address but not
> per customer (customer == circuit-id/agent-remote-id).
>
>
> SEOS Version:  6.1.5.4p3-Release
>
> Thank you in advance
>
>
> --
> Nikolay Abromov
> Network Engineer
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
>



-- 
Nikolay Abromov
Mobile +44 (0) 7929408688
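
Added example (not part of the original thread, and not Redback/Ericsson code): the output quoted in the message shows two MACs behind the same Agent Remote ID, each with "dhcp max-addrs 1 (applied)", so the limit holds per subscriber session and not per Remote-ID. This Python script audits pasted "show subscribers active" output and reports Remote-IDs holding more DHCP leases than a chosen limit; the sample text is constructed from the fields shown in the post, and the third subscriber and its Remote-ID are invented for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "show subscribers active" output in the post.
# The third subscriber (00:11:22:33:44:55 / "0006aabbccddeef") is invented.
SAMPLE = '''\
00:21:e8:89:fd:5f
        Agent Remote ID   "00060d61a1e801d"
        dhcp max-addrs 1 (applied)
          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
                X.X.172.5    00:21:e8:89:fd:5f
00:24:36:a2:cc:9f
        Agent Remote ID   "00060d61a1e801d"
        dhcp max-addrs 1 (applied)
          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
                X.X.172.8    00:24:36:a2:cc:9f
00:11:22:33:44:55
        Agent Remote ID   "0006aabbccddeef"
        dhcp max-addrs 1 (applied)
          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
                X.X.172.9    00:11:22:33:44:55
'''

MAC_RE = re.compile(r'^((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*$', re.I)
REMOTE_RE = re.compile(r'^\s+Agent Remote ID\s+"([^"]*)"')
ENTRIES_RE = re.compile(r'cur_entries\s+(\d+)')

def leases_per_remote_id(text):
    """Return {remote_id: {"macs": [...], "leases": n}} from CLI output."""
    result = defaultdict(lambda: {"macs": [], "leases": 0})
    mac = remote = None
    for line in text.splitlines():
        if m := MAC_RE.match(line):          # unindented MAC opens a new block
            mac, remote = m.group(1).lower(), None
        elif (m := REMOTE_RE.match(line)) and mac:
            remote = m.group(1)
            result[remote]["macs"].append(mac)
        elif (m := ENTRIES_RE.search(line)) and remote is not None:
            result[remote]["leases"] += int(m.group(1))
    return dict(result)

def over_limit(text, limit=1):
    """Remote-IDs whose sessions together hold more than `limit` leases."""
    return {r: v for r, v in leases_per_remote_id(text).items() if v["leases"] > limit}

if __name__ == "__main__":
    print(over_limit(SAMPLE))
```

Subscriber blocks without an Agent Remote ID line are skipped, since there is nothing to group them by.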


