[rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id

Denis Mikhaylovskiy denis.mikhaylovskiy at ericsson.com
Sat Aug 7 02:04:50 EDT 2010


Hi Nikolay,

DHCP-Max-Leases must be equal to 1 for dynamic clips. It is mandatory.

I think in your case the freeradius config should look like this:

DEFAULT Agent-Circuit-ID == "PORT_1", Simultaneous-Use := 4
        DHCP-Max-Leases = 1

I'm not 100% sure, but simultaneous-use may help here.
 

/denis

-----Original Message-----
From: Nikolay Abromov [mailto:nabromov at gmail.com] 
Sent: Friday, August 06, 2010 2:00 PM
To: Denis Mikhaylovskiy
Cc: redback-nsp at puck.nether.net
Subject: Re: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id

Hi Denis,

If I go for the radius configuration, do you think such a config will do
the limitation?


DEFAULT Agent-Circuit-ID == "CIRCUIT_ID", Auth-Type := Accept
        DHCP-Max-Leases = 1


Thanks in advance


On Thu, Aug 5, 2010 at 5:09 PM, Nikolay Abromov <nabromov at gmail.com> wrote:
> Denis,
>
> Thank you. I will consider the available options now.
>
>
>
>
> 2010/8/5 Denis Mikhaylovskiy <denis.mikhaylovskiy at ericsson.com>:
>> Nikolay,
>>
>> Regarding the second question. SE doesn't 'understand' agent-id. SE transparently transmits it to the RADIUS or external DHCP server and relies on their intelligence.
>> Or if you can put each access port into isolated VLAN, then you can limit the number of clips sessions at the pvc level on SE.
>>
>>
>> Cheers,
>> /denis
>>
>> -----Original Message-----
>> From: Nikolay Abromov [mailto:nabromov at gmail.com]
>> Sent: Thursday, August 05, 2010 6:56 PM
>> To: Denis Mikhaylovskiy
>> Cc: redback-nsp at puck.nether.net
>> Subject: Re: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
>>
>> Hi Denis,
>>
>>
>> It's a pure L2 network from the subscriber port to the SE where I am
>> using dynamic clips and a local DHCP server (the SE itself). I am
>> identifying each subscriber using relay-agent by adding
>> circuit-id/remote-id per port on the switch/per subscriber. One of my
>> ideas was exactly the same, to reduce the lease time, but I wasn't sure
>> whether that was going to force re-authentication, so I decided to ask
>> before trying it.
>>
>> About my second question. Technically it's not a problem to limit the
>> number of the MAC addresses behind each port, however, I cannot do it
>> because of administrative reasons. So I've been asked to find a way to
>> limit the number of the IP addresses that the SE is giving and the
>> only way to identify each subscriber is by the "Remote-ID".
>>
>> The only available solution I can see for now is the use of CoA Radius.
>>
>>
>>
>> It's quite a basic configuration as you can see.
>>
>>
>>
>>  aaa authentication subscriber radius
>>  aaa accounting subscriber radius attribute-guided
>>  aaa accounting reauthorization subscriber radius
>>  aaa update subscriber 10
>>  aaa reauthorization bulk radius
>>  radius accounting server Y.Y.172.134 encrypted-key CUT
>> !
>> -- CUT --
>> !
>>  radius server Y.Y.172.134 encrypted-key CUT
>>  radius timeout 60
>>  radius attribute nas-port-id format agent-circuit-id agent-remote-id
>>  radius server-timeout 60
>> !
>>  subscriber default
>>   dhcp max-addrs 1
>> !
>>  ip route 0.0.0.0/0 X.X.24.37
>>  service ssh
>> !
>>  dhcp server policy
>>   option domain-name-server X.X.172.130 X.X.172.138
>>   subnet X.X.172.0/25
>>     range X.X.172.2 X.X.172.99
>>     option router X.X.172.1
>>
>>
>> !
>> end
>>
>>
>>
>> Redback#show subscribers active
>> 00:21:e8:89:fd:5f
>>        Agent Remote ID   "00060d61a1e801d"
>>        Circuit   lg id 25 vlan-id 1029 clips 262156
>>        Internal Circuit   255/22:1:26/7/2/12
>>        Interface bound  SUBSCRIBERS
>>        Current port-limit unlimited
>>        dhcp max-addrs 1 (applied)
>>        dhcp vendor class id udhcp 1.2.1 (applied)
>>        dhcp option client id 0x3d07010021e889fd5f (applied)
>>          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
>>                X.X.172.5    00:21:e8:89:fd:5f
>> 00:24:36:a2:cc:9f
>>        Agent Remote ID   "00060d61a1e801d"
>>        Circuit   lg id 25 vlan-id 1029 clips 262159
>>        Internal Circuit   255/22:1:26/7/2/15
>>        Interface bound  SUBSCRIBERS
>>        Current port-limit unlimited
>>        dhcp max-addrs 1 (applied)
>>        dhcp option client id 0x3d0701002436a2cc9f (applied)
>>        dhcp option hostname
>> 0x0c1b4961696e2d44756e736d6f7265732d54696d652d43617073756c65 (applied)
>>          IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
>>                X.X.172.8    00:24:36:a2:cc:9f
>>
>>
>>
>>
>> Thank you in advance
>>
>>
>>
>> On Thu, Aug 5, 2010 at 2:34 PM, Denis Mikhaylovskiy
>> <denis.mikhaylovskiy at ericsson.com> wrote:
>>> Hi Nikolay
>>>
>>> I assume you are using dynamic clips?
>>> In which mode SE is? DHCP Proxy? Please provide more details.
>>> Answering your first question, in the common case you can control this by reducing the lease time, let's say to 30 min.
>>>
>>> But the answer to the second question depends on your details again. You say customer = circuit-id/agent-remote-id. Does it mean you have several MACs per access port on your switch? Which network do you have, L2 or L3, between access switches and SE?
>>>
>>>
>>> /denis
>>>
>>> -----Original Message-----
>>> From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Nikolay Abromov
>>> Sent: Wednesday, August 04, 2010 7:32 PM
>>> To: redback-nsp at puck.nether.net
>>> Subject: [rbak-nsp] force re-authentication and dhcp max-addrs per circuit-id
>>>
>>> Hello Group,
>>>
>>> I have the following questions.
>>>
>>> I am using radius to authenticate my subscribers and if a client has
>>> been authenticated once and he/she went offline for a couple of hours and
>>> came back online, the SmartEdge replies on behalf of the radius server
>>> without notifying the radius. I would like to change this behavior and
>>> force the SE to send a re-authentication request every 30min.
>>>
>>> Another thing I'd like to achieve is to set the maximum number of
>>> subscribers behind a single agent-circuit-id and/or agent-remote-id. I
>>> know how to do it via the radius configuration but I've been asked
>>> whether it can be done with static configuration. With DHCP MAX-ADDR I can limit
>>> the number of IP addresses given per single MAC address but not
>>> per customer (customer == circuit-id/agent-remote-id).
>>>
>>>
>>> SEOS Version:  6.1.5.4p3-Release
>>>
>>> Thank you in advance
>>>
>>>
>>> --
>>> Nikolay Abromov
>>> Network Engineer
>>> _______________________________________________
>>> redback-nsp mailing list
>>> redback-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>>
>>
>>
>>
>> --
>> Nikolay Abromov
>> Mobile +44 (0) 7929408688
>>
>
>
>
> --
> Nikolay Abromov
> Mobile +44 (0) 7929408688
>



-- 
Nikolay Abromov
Mobile +44 (0) 7929408688
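The `show subscribers active` output quoted in the thread lists one record per MAC, each carrying the Agent Remote ID of the port behind it, and the whole discussion is about capping sessions per Remote-ID rather than per MAC. As an added example (not code from the list, Ericsson or SmartEdge), the Python below parses a constructed sample in that format and reports which Remote-IDs hold more active clips sessions than an agreed per-customer limit, which is the audit check to run while the RADIUS-side limit is being worked out; the sample records and the regexes for the output layout are assumptions based on the output shown in the thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the `show subscribers active` output quoted in
# the thread (addresses masked as in the post); two MACs share one Remote-ID.
SAMPLE = """\
00:21:e8:89:fd:5f
       Agent Remote ID   "00060d61a1e801d"
       Circuit   lg id 25 vlan-id 1029 clips 262156
       dhcp max-addrs 1 (applied)
         IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
               X.X.172.5    00:21:e8:89:fd:5f
00:24:36:a2:cc:9f
       Agent Remote ID   "00060d61a1e801d"
       Circuit   lg id 25 vlan-id 1029 clips 262159
         IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
               X.X.172.8    00:24:36:a2:cc:9f
00:aa:bb:cc:dd:ee
       Agent Remote ID   "00060d61a1e8099"
         IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
               X.X.172.9    00:aa:bb:cc:dd:ee
"""

# Layout assumptions: an unindented MAC opens a record; Remote-ID and the
# installed IP-host lines are indented beneath it.
MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)
REMOTE_ID_RE = re.compile(r'^\s+Agent Remote ID\s+"([^"]*)"')
HOST_RE = re.compile(r"^\s+(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)


def parse_subscribers(text):
    """Split SE output into per-MAC records: mac, remote_id, hosts [(ip, mac)]."""
    subs, cur = [], None
    for line in text.splitlines():
        if m := MAC_RE.match(line):            # new subscriber record
            cur = {"mac": m.group(1).lower(), "remote_id": None, "hosts": []}
            subs.append(cur)
        elif cur and (m := REMOTE_ID_RE.match(line)):
            cur["remote_id"] = m.group(1)
        elif cur and (m := HOST_RE.match(line)):  # IP host installed by DHCP
            cur["hosts"].append((m.group(1), m.group(2).lower()))
    return subs


def sessions_per_remote_id(subs):
    """Active clips sessions per customer (Agent Remote ID)."""
    return dict(Counter(s["remote_id"] for s in subs))


def over_limit(subs, limit):
    """Customers holding more sessions than the agreed per-Remote-ID limit."""
    return sorted(r for r, n in sessions_per_remote_id(subs).items() if n > limit)
```

Feeding the real `show subscribers active` text to `parse_subscribers` and calling `over_limit(subs, 1)` lists the Remote-IDs that already exceed one session per customer.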


