[rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
Nikolay Abromov
nabromov at gmail.com
Fri Aug 6 05:59:50 EDT 2010
Hi Denis,
If I go for the RADIUS configuration, do you think such a config will do
the limitation?
DEFAULT Agent-Circuit-ID == "CIRCUIT_ID", Auth-Type := Accept
DHCP-Max-Leases = 1
Thanks in advance
On Thu, Aug 5, 2010 at 5:09 PM, Nikolay Abromov <nabromov at gmail.com> wrote:
> Denis,
>
> Thank you. I will consider the available options now.
>
> 2010/8/5 Denis Mikhaylovskiy <denis.mikhaylovskiy at ericsson.com>:
>> Nikolay,
>>
>> Regarding the second question. The SE doesn't 'understand' the agent-id. The SE transparently transmits it to the RADIUS or external DHCP server and relies on their intelligence.
>> Or, if you can put each access port into an isolated VLAN, then you can limit the number of clips sessions at the PVC level on the SE.
>>
>>
>> Cheers,
>> /denis
>>
>> -----Original Message-----
>> From: Nikolay Abromov [mailto:nabromov at gmail.com]
>> Sent: Thursday, August 05, 2010 6:56 PM
>> To: Denis Mikhaylovskiy
>> Cc: redback-nsp at puck.nether.net
>> Subject: Re: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
>>
>> Hi Denis,
>>
>>
>> It's a pure L2 network from the subscriber port to the SE, where I am
>> using dynamic clips and a local DHCP server (the SE itself). I am
>> identifying each subscriber using the relay agent by adding a
>> circuit-id/remote-id per port on the switch, per subscriber. One of my
>> ideas was exactly the same, to reduce the lease time, but I wasn't sure
>> whether that was going to force re-authentication, so I decided to ask before
>> trying it.
>>
>> About my second question. Technically it's not a problem to limit the
>> number of MAC addresses behind each port; however, I cannot do it
>> because of administrative reasons. So I've been asked to find a way to
>> limit the number of IP addresses that the SE is giving out, and the
>> only way to identify each subscriber is by the "Remote-ID".
>>
>> The only available solution I can see for now is the use of CoA RADIUS.
>>
>> It's quite a basic configuration, as you can see.
>>
>>
>>
>> aaa authentication subscriber radius
>> aaa accounting subscriber radius attribute-guided
>> aaa accounting reauthorization subscriber radius
>> aaa update subscriber 10
>> aaa reauthorization bulk radius
>> radius accounting server Y.Y.172.134 encrypted-key CUT
>> !
>> -- CUT --
>> !
>> radius server Y.Y.172.134 encrypted-key CUT
>> radius timeout 60
>> radius attribute nas-port-id format agent-circuit-id agent-remote-id
>> radius server-timeout 60
>> !
>> subscriber default
>> dhcp max-addrs 1
>> !
>> ip route 0.0.0.0/0 X.X.24.37
>> service ssh
>> !
>> dhcp server policy
>> option domain-name-server X.X.172.130 X.X.172.138
>> subnet X.X.172.0/25
>> range X.X.172.2 X.X.172.99
>> option router X.X.172.1
>> !
>> end
>>
>> Redback#show subscribers active
>> 00:21:e8:89:fd:5f
>> Agent Remote ID "00060d61a1e801d"
>> Circuit lg id 25 vlan-id 1029 clips 262156
>> Internal Circuit 255/22:1:26/7/2/12
>> Interface bound SUBSCRIBERS
>> Current port-limit unlimited
>> dhcp max-addrs 1 (applied)
>> dhcp vendor class id udhcp 1.2.1 (applied)
>> dhcp option client id 0x3d07010021e889fd5f (applied)
>> IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
>> X.X.172.5 00:21:e8:89:fd:5f
>> 00:24:36:a2:cc:9f
>> Agent Remote ID "00060d61a1e801d"
>> Circuit lg id 25 vlan-id 1029 clips 262159
>> Internal Circuit 255/22:1:26/7/2/15
>> Interface bound SUBSCRIBERS
>> Current port-limit unlimited
>> dhcp max-addrs 1 (applied)
>> dhcp option client id 0x3d0701002436a2cc9f (applied)
>> dhcp option hostname 0x0c1b4961696e2d44756e736d6f7265732d54696d652d43617073756c65 (applied)
>> IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
>> X.X.172.8 00:24:36:a2:cc:9f
>>
>> Thank you in advance
>>
>> On Thu, Aug 5, 2010 at 2:34 PM, Denis Mikhaylovskiy
>> <denis.mikhaylovskiy at ericsson.com> wrote:
>>> Hi Nikolay
>>>
>>> I assume you are using dynamic clips?
>>> In which mode is the SE? DHCP Proxy? Please provide more details.
>>> Answering your first question: in the common case you can control this by reducing the lease time, let's say to 30 min.
>>>
>>> But the answer to the second question depends on your details again. You say customer = circuit-id/agent-remote-id. Does that mean you have several MACs per access port on your switch? Which network do you have between the access switches and the SE, L2 or L3?
>>>
>>>
>>> /denis
>>>
>>> -----Original Message-----
>>> From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Nikolay Abromov
>>> Sent: Wednesday, August 04, 2010 7:32 PM
>>> To: redback-nsp at puck.nether.net
>>> Subject: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
>>>
>>> Hello Group,
>>>
>>> I have the following questions.
>>>
>>> I am using RADIUS to authenticate my subscribers, and if a client has
>>> been authenticated once and he/she went offline for a couple of hours and
>>> came back online, the SmartEdge replies on behalf of the RADIUS server
>>> without notifying RADIUS. I would like to change this behavior and
>>> force the SE to send a re-authentication request every 30 min.
>>>
>>> Another thing I'd like to achieve is to set the maximum number of
>>> subscribers behind a single agent-circuit-id and/or agent-remote-id. I
>>> know how to do it via the RADIUS configuration, but I've been asked
>>> whether it can be done with static configuration. With DHCP MAX-ADDR I can limit
>>> the number of IP addresses given per single MAC address, but not
>>> per customer (customer == circuit-id/agent-remote-id).
>>>
>>>
>>> SEOS Version: 6.1.5.4p3-Release
>>>
>>> Thank you in advance
>>>
>>>
>>> --
>>> Nikolay Abromov
>>> Network Engineer
>>> _______________________________________________
>>> redback-nsp mailing list
>>> redback-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>
>> --
>> Nikolay Abromov
>> Mobile +44 (0) 7929408688
>
--
Nikolay Abromov
Mobile +44 (0) 7929408688
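Denis's point above is that the SmartEdge forwards the relay-agent identifiers untouched and relies on the RADIUS or DHCP server to do the per-subscriber counting. The following Python model is added here as an illustration; it is not code from the thread, from SEOS or from any RADIUS/DHCP server. It shows what that server-side intelligence has to do: parse the DHCP Option 82 sub-options (circuit-id is sub-option 1, remote-id is sub-option 2, per RFC 3046), key active leases on the remote-id rather than on the client MAC, refuse a second MAC behind a port that already holds its quota, and let a short lease time (the 30 minutes Denis suggests) return the address so that the next request is decided afresh instead of being answered from cached state. The 192.0.2.0/29 pool, the MAC addresses, the relay identifiers and the lease-limit values are constructed test input, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# DHCP option 82 (Relay Agent Information, RFC 3046) sub-option codes.
CIRCUIT_ID = 1
REMOTE_ID = 2


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the sub-option TLVs a relay agent would attach (constructed input)."""
    body = bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
    body += bytes([REMOTE_ID, len(remote_id)]) + remote_id
    return body


def parse_option82(data: bytes) -> dict:
    """Parse the sub-option TLVs inside option 82; reject malformed lengths."""
    subs = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        i += 2
        if i + length > len(data):
            raise ValueError("sub-option %d length %d overruns option" % (code, length))
        subs[code] = data[i:i + length]
        i += length
    return subs


@dataclass
class Lease:
    ip: ipaddress.IPv4Address
    mac: str
    remote_id: bytes
    expires: float


@dataclass
class LeasePolicy:
    """Server-side lease accounting keyed on the relay's remote-id (hypothetical model)."""
    pool: list                          # free IPv4Address objects
    max_per_remote_id: int = 1          # the per-subscriber quota the thread asks for
    lease_time: float = 1800.0          # 30 minutes, the lease time Denis suggests
    leases: dict = field(default_factory=dict)  # mac -> Lease

    def _expire(self, now: float) -> None:
        # Expired leases go back to the pool; the next request is re-decided from scratch.
        for mac in [m for m, l in self.leases.items() if l.expires <= now]:
            self.pool.append(self.leases.pop(mac).ip)

    def active_for(self, remote_id: bytes) -> list:
        return [l for l in self.leases.values() if l.remote_id == remote_id]

    def request(self, mac: str, option82: bytes, now: float):
        """Return the address to offer, or None when policy refuses the request."""
        self._expire(now)
        subs = parse_option82(option82)
        if REMOTE_ID not in subs:
            return None                 # no relay identification: refuse rather than guess
        rid = subs[REMOTE_ID]
        existing = self.leases.get(mac)
        if existing is not None and existing.remote_id == rid:
            existing.expires = now + self.lease_time   # renewal by the same subscriber
            return existing.ip
        if existing is not None:
            # Same MAC now seen behind a different port: release the old lease first.
            self.pool.append(self.leases.pop(mac).ip)
        if len(self.active_for(rid)) >= self.max_per_remote_id:
            return None                 # this remote-id already holds its quota
        if not self.pool:
            return None                 # pool exhausted
        ip = self.pool.pop(0)
        self.leases[mac] = Lease(ip, mac, rid, now + self.lease_time)
        return ip


def demo():
    """Two MACs behind one access port, quota 1: only one gets an address until the lease lapses."""
    policy = LeasePolicy(pool=list(ipaddress.ip_network("192.0.2.0/29").hosts()),
                         max_per_remote_id=1)
    port_a = build_option82(b"eth0/1", b"subscriber-A")   # constructed relay identifiers
    first = policy.request("00:21:e8:89:fd:5f", port_a, now=0)        # 192.0.2.1
    second = policy.request("00:24:36:a2:cc:9f", port_a, now=10)      # None: quota reached
    renewed = policy.request("00:21:e8:89:fd:5f", port_a, now=900)    # 192.0.2.1 again
    later = policy.request("00:24:36:a2:cc:9f", port_a, now=2701)     # 192.0.2.2 after expiry
    return first, second, renewed, later


if __name__ == "__main__":
    print(demo())
```

The counting is done against the remote-id, so a subscriber that spins up extra MACs behind the same port is limited by the port, which is what `dhcp max-addrs` on the SE alone cannot express. A short lease time is what makes the limit self-healing: once the lease lapses, the next request from either MAC is evaluated again rather than served from cached state.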