[rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id

Denis Mikhaylovskiy denis.mikhaylovskiy at ericsson.com
Thu Aug 5 11:21:01 EDT 2010


Nikolay,

Regarding the second question: SE doesn't 'understand' agent-id. SE transparently transmits it to the RADIUS or external DHCP server and relies on their intelligence.
Or if you can put each access port into isolated VLAN, then you can limit the number of clips sessions at the pvc level on SE.


Cheers,
/denis
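Added example, not from this thread or from SEOS: the kind of "intelligence" Denis describes the SE deferring to, implemented on the external DHCP server side. It parses DHCP option 82 (Relay Agent Information, RFC 3046) out of a raw options blob and refuses a new lease once an agent-remote-id already holds `max_addrs` addresses, which is the per-subscriber cap Nikolay wants instead of the per-MAC `dhcp max-addrs`. The option codes are from RFC 2132/3046; the class, function names and the sample request are constructed, and denying requests with no option 82 is an assumed policy.

```python
from collections import defaultdict

OPT_RELAY_AGENT, OPT_PAD, OPT_END = 82, 0, 255  # RFC 2132 / RFC 3046 codes
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2

def parse_tlvs(blob: bytes, stop_at_end: bool) -> dict:
    """Parse code/length/value items into {code: value}; handles both the
    options field (PAD/END aware) and the option-82 sub-option list."""
    items, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated option %d" % code)
        length = blob[i + 1]
        items[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return items

class RemoteIdLeaseCap:
    """Refuse a new lease once an agent-remote-id already holds max_addrs."""
    def __init__(self, max_addrs: int):
        self.max_addrs = max_addrs
        self.leases = defaultdict(set)  # remote-id -> set of client MACs

    def allow(self, options_blob: bytes, client_mac: str) -> bool:
        opts = parse_tlvs(options_blob, stop_at_end=True)
        subs = parse_tlvs(opts.get(OPT_RELAY_AGENT, b""), stop_at_end=False)
        remote_id = subs.get(SUBOPT_REMOTE_ID)
        if remote_id is None:
            return False  # assumption: unattributable request, fail closed
        held = self.leases[remote_id]
        if client_mac in held:
            return True  # same client renewing, no new address consumed
        if len(held) >= self.max_addrs:
            return False
        held.add(client_mac)
        return True

def build_relay_options(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Constructed DHCPDISCOVER options: message-type 53 plus option 82."""
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    sub += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([53, 1, 1, OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])
```

With `max_addrs=1`, the two MACs sharing remote ID "00060d61a1e801d" in the `show subscribers active` output below would get one address between them rather than one each.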

-----Original Message-----
From: Nikolay Abromov [mailto:nabromov at gmail.com] 
Sent: Thursday, August 05, 2010 6:56 PM
To: Denis Mikhaylovskiy
Cc: redback-nsp at puck.nether.net
Subject: Re: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id

Hi Denis,


It's a pure L2 network from the subscriber port to the SE where I am
using dynamic clips and local DHCP server (the SE itself). I am
identifying each subscriber using relay-agent by adding
circuit-id/remote-id per port on the switch/per subscriber. One of my
ideas was exactly the same, to reduce the lease time, but I wasn't sure
whether that was going to force re-authentication, so I decided to ask
before trying it.

About my second question. Technically it's not a problem to limit the
number of the MAC addresses behind each port; however, I cannot do it
because of administrative reasons. So I've been asked to find a way to
limit the number of the IP addresses that the SE is giving, and the
only way to identify each subscriber is by the "Remote-ID".

The only available solution I can see for now is the use of CoA RADIUS.



It's quite a basic configuration, as you can see.



 aaa authentication subscriber radius
 aaa accounting subscriber radius attribute-guided
 aaa accounting reauthorization subscriber radius
 aaa update subscriber 10
 aaa reauthorization bulk radius
 radius accounting server Y.Y.172.134 encrypted-key CUT
!
-- CUT --
!
 radius server Y.Y.172.134 encrypted-key CUT
 radius timeout 60
 radius attribute nas-port-id format agent-circuit-id agent-remote-id
 radius server-timeout 60
!
 subscriber default
   dhcp max-addrs 1
!
 ip route 0.0.0.0/0 X.X.24.37
 service ssh
!
 dhcp server policy
   option domain-name-server X.X.172.130 X.X.172.138
   subnet X.X.172.0/25
     range X.X.172.2 X.X.172.99
     option router X.X.172.1


!
end



Redback#show subscribers active
00:21:e8:89:fd:5f
        Agent Remote ID   "00060d61a1e801d"
        Circuit   lg id 25 vlan-id 1029 clips 262156
        Internal Circuit   255/22:1:26/7/2/12
        Interface bound  SUBSCRIBERS
        Current port-limit unlimited
        dhcp max-addrs 1 (applied)
        dhcp vendor class id udhcp 1.2.1 (applied)
        dhcp option client id 0x3d07010021e889fd5f (applied)
          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
                X.X.172.5    00:21:e8:89:fd:5f
00:24:36:a2:cc:9f
        Agent Remote ID   "00060d61a1e801d"
        Circuit   lg id 25 vlan-id 1029 clips 262159
        Internal Circuit   255/22:1:26/7/2/15
        Interface bound  SUBSCRIBERS
        Current port-limit unlimited
        dhcp max-addrs 1 (applied)
        dhcp option client id 0x3d0701002436a2cc9f (applied)
        dhcp option hostname
0x0c1b4961696e2d44756e736d6f7265732d54696d652d43617073756c65 (applied)
          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
                X.X.172.8    00:24:36:a2:cc:9f




Thank you in advance



On Thu, Aug 5, 2010 at 2:34 PM, Denis Mikhaylovskiy
<denis.mikhaylovskiy at ericsson.com> wrote:
> Hi Nikolay
>
> I assume you are using dynamic clips?
> In which mode SE is? DHCP Proxy? Please provide more details.
> Answering your first question: in the common case you can control this by reducing the lease time, let's say to 30 min.
>
> But the answer to the second question depends on your details again. You say customer = circuit-id/agent-remote-id. Does it mean you have several MACs per access port on your switch? Which network do you have, L2 or L3, between access switches and SE?
>
>
> /denis
>
> -----Original Message-----
> From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Nikolay Abromov
> Sent: Wednesday, August 04, 2010 7:32 PM
> To: redback-nsp at puck.nether.net
> Subject: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
>
> Hello Group,
>
> I have the following questions.
>
> I am using RADIUS to authenticate my subscribers, and if a client has
> been authenticated once and he/she went offline for a couple of hours and
> came back online, the SmartEdge replies on behalf of the RADIUS server
> without notifying the RADIUS. I would like to change this behavior and
> force the SE to send a re-authentication request every 30 min.
>
> Another thing I'd like to achieve is to set the maximum number of
> subscribers behind a single agent-circuit-id and/or agent-remote-id. I
> know how to do it via the RADIUS configuration, but I've been asked whether
> it can be done with static configuration. With DHCP MAX-ADDR I can limit
> the number of the IP addresses given per single MAC address, but not
> per customer (customer == circuit-id/agent-remote-id).
>
>
> SEOS Version:  6.1.5.4p3-Release
>
> Thank you in advance
>
>
> --
> Nikolay Abromov
> Network Engineer
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
>



-- 
Nikolay Abromov
Mobile +44 (0) 7929408688


