[rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
Nikolay Abromov
nabromov at gmail.com
Thu Aug 5 12:09:38 EDT 2010
Denis,
Thank you. I will consider the available options now.
2010/8/5 Denis Mikhaylovskiy <denis.mikhaylovskiy at ericsson.com>:
> Nikolay,
>
> Regarding second question. SE doesn't 'understand' agent-id. SE transparently transmits it to the RADIUS or external DHCP server and relies on their intelligence.
> Or if you can put each access port into isolated VLAN, then you can limit the number of clips sessions at the pvc level on SE.
>
>
> Cheers,
> /denis
>
> -----Original Message-----
> From: Nikolay Abromov [mailto:nabromov at gmail.com]
> Sent: Thursday, August 05, 2010 6:56 PM
> To: Denis Mikhaylovskiy
> Cc: redback-nsp at puck.nether.net
> Subject: Re: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
>
> Hi Denis,
>
>
> It's a pure L2 network from the subscriber port to the SE where I am
> using dynamic clips and local DHCP server (the SE itself). I am
> identifying each subscriber using relay-agent by adding
> circuit-id/remote-id per port on the switch/per subscriber. One of my
> ideas was exactly the same, to reduce the lease time, but I wasn't sure
> whether that was going to force re-authentication, so I decided to ask
> before trying it.
>
> About my second question. Technically it's not a problem to limit the
> number of the mac addresses behind each port, however, I cannot do it
> because of administrative reasons. So I've been asked to find a way to
> limit the number of the IP addresses that the SE is giving, and the
> only way to identify each subscriber is by the "Remote-ID".
>
> The only available solution I can see for now is to use COA Radius.
>
> It's quite a basic configuration, as you can see.
>
> aaa authentication subscriber radius
> aaa accounting subscriber radius attribute-guided
> aaa accounting reauthorization subscriber radius
> aaa update subscriber 10
> aaa reauthorization bulk radius
> radius accounting server Y.Y.172.134 encrypted-key CUT
> !
> -- CUT --
> !
> radius server Y.Y.172.134 encrypted-key CUT
> radius timeout 60
> radius attribute nas-port-id format agent-circuit-id agent-remote-id
> radius server-timeout 60
> !
> subscriber default
> dhcp max-addrs 1
> !
> ip route 0.0.0.0/0 X.X.24.37
> service ssh
> !
> dhcp server policy
> option domain-name-server X.X.172.130 X.X.172.138
> subnet X.X.172.0/25
> range X.X.172.2 X.X.172.99
> option router X.X.172.1
>
>
> !
> end
>
>
>
> Redback#show subscribers active
> 00:21:e8:89:fd:5f
> Agent Remote ID "00060d61a1e801d"
> Circuit lg id 25 vlan-id 1029 clips 262156
> Internal Circuit 255/22:1:26/7/2/12
> Interface bound SUBSCRIBERS
> Current port-limit unlimited
> dhcp max-addrs 1 (applied)
> dhcp vendor class id udhcp 1.2.1 (applied)
> dhcp option client id 0x3d07010021e889fd5f (applied)
> IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
> X.X.172.5 00:21:e8:89:fd:5f
> 00:24:36:a2:cc:9f
> Agent Remote ID "00060d61a1e801d"
> Circuit lg id 25 vlan-id 1029 clips 262159
> Internal Circuit 255/22:1:26/7/2/15
> Interface bound SUBSCRIBERS
> Current port-limit unlimited
> dhcp max-addrs 1 (applied)
> dhcp option client id 0x3d0701002436a2cc9f (applied)
> dhcp option hostname
> 0x0c1b4961696e2d44756e736d6f7265732d54696d652d43617073756c65 (applied)
> IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
> X.X.172.8 00:24:36:a2:cc:9f
>
> Thank you in advance
>
> On Thu, Aug 5, 2010 at 2:34 PM, Denis Mikhaylovskiy
> <denis.mikhaylovskiy at ericsson.com> wrote:
>> Hi Nikolay
>>
>> I assume you are using dynamic clips?
>> In which mode is the SE? DHCP Proxy? Please provide more details.
>> Answering your first question: in the common case you can control this by reducing lease time, let's say to 30 min.
>>
>> But the answer to the second question depends on your details again. You say customer = circuit-id/agent-remote-id. Does it mean you have several MACs per access port on your switch? Which network do you have, L2 or L3, between access switches and SE?
>>
>>
>> /denis
>>
>> -----Original Message-----
>> From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Nikolay Abromov
>> Sent: Wednesday, August 04, 2010 7:32 PM
>> To: redback-nsp at puck.nether.net
>> Subject: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
>>
>> Hello Group,
>>
>> I have the following questions.
>>
>> I am using radius to authenticate my subscribers, and if a client has
>> been authenticated once and he/she went offline for a couple of hours and
>> came back online, the SmartEdge replies on behalf of the radius server
>> without notifying the radius. I would like to change this behavior and
>> force the SE to send a re-authentication request every 30min.
>>
>> Another thing I'd like to achieve is to set the maximum number of
>> subscribers behind a single agent-circuit-id and/or agent-remote-id. I
>> know how to do it via the radius configuration but I've been asked
>> whether it can be done with static configuration. With DHCP MAX-ADDR I can limit
>> the number of the IP addresses given per single MAC address but not
>> per customer (customer == circuit-id/agent-remote-id).
>>
>>
>> SEOS Version: 6.1.5.4p3-Release
>>
>> Thank you in advance
>>
>>
>> --
>> Nikolay Abromov
>> Network Engineer
>> _______________________________________________
>> redback-nsp mailing list
>> redback-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>
>
>
>
> --
> Nikolay Abromov
> Mobile +44 (0) 7929408688
>
--
Nikolay Abromov
Mobile +44 (0) 7929408688
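An added example, not from the thread or from Ericsson: since the SE only enforces "dhcp max-addrs" per MAC and passes the agent-remote-id through untouched, a small Python audit of the "show subscribers active" output format quoted above can at least detect customers (Remote-IDs) holding more DHCP host entries than intended. The sample output below is constructed to follow that format (documentation-range IPs, one invented Remote-ID); the limit value is a parameter.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the SE "show subscribers active" output
# quoted in the thread: a bare MAC starts each subscriber block, followed by its
# Agent Remote ID and, after the "IP host entries" line, one "IP MAC" line per lease.
SAMPLE = """\
00:21:e8:89:fd:5f
Agent Remote ID "00060d61a1e801d"
Circuit lg id 25 vlan-id 1029 clips 262156
dhcp max-addrs 1 (applied)
IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
192.0.2.5 00:21:e8:89:fd:5f
00:24:36:a2:cc:9f
Agent Remote ID "00060d61a1e801d"
Circuit lg id 25 vlan-id 1029 clips 262159
dhcp max-addrs 1 (applied)
IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
192.0.2.8 00:24:36:a2:cc:9f
00:11:22:33:44:55
Agent Remote ID "0007aabbccddeef"
IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
192.0.2.9 00:11:22:33:44:55
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")       # block start
REMOTE_RE = re.compile(r'^Agent Remote ID "([^"]*)"')             # customer id
HOST_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f:]{17})$")  # lease line

def parse_subscribers(text):
    """Return {remote_id: {ip: mac}} built from the show output."""
    leases = defaultdict(dict)
    remote_id = None
    for line in text.splitlines():
        line = line.strip()
        if MAC_RE.match(line):
            remote_id = None          # new subscriber block, id not yet seen
            continue
        m = REMOTE_RE.match(line)
        if m:
            remote_id = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m and remote_id is not None:
            leases[remote_id][m.group(1)] = m.group(2)
    return dict(leases)

def over_limit(leases, max_addrs):
    """Remote-IDs whose total installed DHCP addresses exceed max_addrs."""
    return {rid: len(ips) for rid, ips in leases.items() if len(ips) > max_addrs}

if __name__ == "__main__":
    print(over_limit(parse_subscribers(SAMPLE), 1))
```

Run it against the captured output of the command (with the "> " quote prefixes stripped) and feed the result into whatever alarm or CoA process you use.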