Juniper JUNOSE SOFTWARE 11.1.X - BROADBAND ACCESS CONFIGURATION GUIDE 6-6-2010 Configuration manual

JUNOSe™ Software

for E Series™ Broadband Services Routers

Broadband Access

Configuration Guide

Release 11.1.x

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, California 94089

USA

408-745-2000

www.juniper.net

Published: 2010-04-06

Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in

the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or

registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or

otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed

to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,

6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

JUNOSe™ Software for E Series™ Broadband Services Routers Broadband Access Configuration Guide

Release 11.1.x

Writing: Mark Barnard, Diane Florio, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Fran Singer, Poornima Goswami, Chander Aima, Hema

Priya J, Krupa Chandrashekar, Subash Babu Asokan, Sairam Venugopalan

Editing: Benjamin Mann

Illustration: Nathaniel Woodward

Cover Design: Edmonds Design

Revision History

April 2010—JUNOSe 11.1.x

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS Software has no known time-related limitations through the year

2038. However, the NTP application is known to have some difficulty in the year 2036.

ii ■

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,

INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER

OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS

AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,

AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks

(Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii)

the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”)

(collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer

has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer

purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded

Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements

which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive

and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper

or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer

has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use

such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the

Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether

such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to

Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,

connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,

functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,

temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software

to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable

licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer

may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial

period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network.

Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any

commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable

license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall

not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as

necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove

any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of

the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted

feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even

if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper

to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper

reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the

Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to

any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish

such records to Juniper and certify its compliance with this Agreement.

■ iii

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer

shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes

restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,

associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in

the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that

accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services

may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED

BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,

OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR

JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY

JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,

JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING

ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER

WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,

OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether

in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or

if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper

has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same

reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),

and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license

granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s

possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of

the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior

to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any

applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper

with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that

would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder.

Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related

to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this

Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign

agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or

without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption

or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure

by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,

FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface

information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.

Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable

terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology

are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor

shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the

Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and

subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License

(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate)

available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194

N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and

a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions

of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties

hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement

constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous

iv ■

agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a

separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict

with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in

writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the

remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English

version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout

avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be

in the English language)).

■ v

vi ■

Abbreviated Table of Contents

About the Documentation xxxvii

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access 3

Chapter 2 Monitoring and Troubleshooting Remote Access 113

Part 2 Managing RADIUS and TACACS+

Chapter 3 Configuring RADIUS Attributes 171

Chapter 4 Configuring RADIUS Dynamic-Request Server 241

Chapter 5 Configuring RADIUS Relay Server 251

Chapter 6 RADIUS Attribute Descriptions 259

Chapter 7 Application Terminate Reasons 279

Chapter 8 Monitoring RADIUS 303

Chapter 9 Configuring TACACS+ 317

Chapter 10 Monitoring TACACS+ 329

Part 3 Managing L2TP

Chapter 11 L2TP Overview 335

Chapter 12 Configuring an L2TP LAC 343

Chapter 13 Configuring an L2TP LNS 375

Chapter 14 Configuring L2TP Dial-Out 411

Chapter 15 L2TP Disconnect Cause Codes 423

Chapter 16 Monitoring L2TP and L2TP Dial-Out 427

Part 4 Managing DHCP

Chapter 17 DHCP Overview 461

Chapter 18 DHCP Local Server Overview 469

Chapter 19 Configuring DHCP Local Server 477

Chapter 20 Configuring DHCP Relay 495

Chapter 21 Configuring the DHCP External Server Application 523

Chapter 22 Monitoring and Troubleshooting DHCP 539

Abbreviated Table of Contents ■ vii

Part 5 Managing the Subscriber Environment

Chapter 23 Configuring Subscriber Management 583

Chapter 24 Monitoring Subscriber Management 599

Chapter 25 Configuring Subscriber Interfaces 603

Chapter 26 Monitoring Subscriber Interfaces 635

Part 6 Managing Subscriber Services

Chapter 27 Configuring Service Manager 641

Chapter 28 Monitoring Service Manager 707

Part 7 Index

Index 735

viii ■

JUNOSe 11.1.x Broadband Access Configuration Guide

Table of Contents

About the Documentation xxxvii

E Series and JUNOSe Documentation and Release Notes .........................xxxvii

Audience ..................................................................................................xxxvii

E Series and JUNOSe Text and Syntax Conventions .................................xxxvii

Obtaining Documentation ........................................................................xxxix

Documentation Feedback .........................................................................xxxix

Requesting Technical Support ...................................................................xxxix

Self-Help Online Tools and Resources ......................................................xl

Opening a Case with JTAC .......................................................................xl

Part 1 Managing Remote Access

Chapter 1 Configuring Remote Access 3

Remote Access Overview ................................................................................4

B-RAS Data Flow .......................................................................................4

Configuring IP Addresses for Remote Clients ............................................4

AAA Overview ..........................................................................................5

Remote Access Platform Considerations .........................................................5

B-RAS Protocol Support ............................................................................5

Remote Access References ..............................................................................6

Before You Configure B-RAS ............................................................................6

Remote Access Configuration Tasks ................................................................6

Configuring a B-RAS License ...........................................................................7

Mapping a User Domain Name to a Virtual Router ..........................................8

Mapping User Requests Without a Valid Domain Name ............................8

Mapping User Requests Without a Configured Domain Name ..................9

Using DNIS ...............................................................................................9

Redirected Authentication .........................................................................9

IP Hinting ...............................................................................................10

Setting Up Domain Name and Realm Name Usage .......................................12

Using the Realm Name as the Domain Name .........................................12

Using Delimiters Other Than @ ..............................................................12

Using Either the Domain or the Realm as the Domain Name ..................13

Specifying the Domain Name or Realm Name Parse Direction ...............13

Stripping the Domain Name ...................................................................14

Domain Name and Realm Name Examples ............................................15

Specifying a Single Name for Users from a Domain ......................................16

Table of Contents ■ ix

Configuring RADIUS Authentication and Accounting Servers ........................18

Server Access ..........................................................................................18

Server Request Processing Limit .............................................................19

Authentication and Accounting Methods .................................................19

Supporting Exchange of Extensible Authentication Protocol

Messages ..........................................................................................20

Immediate Accounting Updates ..............................................................21

Duplicate and Broadcast Accounting .......................................................21

Configuring AAA Duplicate Accounting .............................................22

Configuring AAA Broadcast Accounting ............................................22

Overriding AAA Accounting NAS Information ..................................22

UDP Checksums .....................................................................................23

Collecting Accounting Statistics ...............................................................23

Configuring RADIUS AAA Servers ...........................................................23

SNMP Traps and System Log Messages ...................................................36

SNMP Traps ......................................................................................36

System Log Messages .......................................................................37

Configuring SNMP Traps .........................................................................37

Configuring Local Authentication Servers ......................................................40

Creating the Local Authentication Environment ......................................40

Creating Local User Databases ................................................................40

Adding User Entries to Local User Databases ..........................................40

Using the username Command ........................................................41

Using the aaa local username Command ..........................................41

Assigning a Local User Database to a Virtual Router ...............................42

Enabling Local Authentication on the Virtual Router ...............................42

Configuration Commands .......................................................................43

Local Authentication Example .................................................................47

Configuring Tunnel Subscriber Authentication ...............................................50

Configuring Name Server Addresses .............................................................51

Configuration Tasks ................................................................................51

DNS Primary and Secondary NMS Configuration ..............................52

WINS Primary and Secondary NMS Configuration ............................53

Configuring Local Address Servers ................................................................54

Local Address Pool Ranges .....................................................................54

Local Address Pool Aliases ......................................................................55

Shared Local Address Pools ....................................................................55

SNMP Thresholds ....................................................................................56

Configuring a Local Address Server .........................................................56

Configuring DHCP Features ...........................................................................60

Creating an IP Interface .................................................................................61

Single Clients per ATM Subinterface .......................................................61

Multiple Clients per ATM Subinterface ....................................................62

Configuring AAA Profiles ...............................................................................63

Allowing or Denying Domain Names ......................................................64

Configuration Example .....................................................................64

Using Domain Name Aliases ...................................................................65

Manually Setting NAS-Port-Type Attribute ...............................................69

Service-Description Attribute ..................................................................70

x ■ Table of Contents

JUNOSe 11.1.x Broadband Access Configuration Guide

Using RADIUS Route-Download Server to Distribute Routes ..........................71

Format of Downloaded Routes ...............................................................71

Framed-Route (RADIUS attribute 22) ................................................72

Cisco-AVPair (Cisco VSA 26-1) ..........................................................72

How the Route-Download Server Downloads Routes ..............................72

Configuring the Route-Download Server to Download Routes .................72

Using the AAA Logical Line Identifier to Track Subscribers ............................76

How the Router Obtains and Uses the LLID ............................................76

RADIUS Attributes in Preauthentication Request ....................................77

Considerations for Using the LLID ...........................................................78

Configuring the Router to Obtain the LLID for a Subscriber ....................79

Troubleshooting Subscriber Preauthentication ........................................81

Using VSAs for Dynamic IP Interfaces ...........................................................82

Traffic Shaping for PPP over ATM Interfaces ...........................................83

Mapping Application Terminate Reasons to RADIUS Terminate Codes .........84

Configuration Example ...........................................................................86

Configuring Timeout .....................................................................................88

Limiting Active Subscribers ...........................................................................89

Notifying RADIUS of AAA Failure ..................................................................90

Configuring Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery

Router Advertisements and DHCPv6 Prefix Delegation ...........................90

Propagation of LAG Subscriber Information to AAA and RADIUS ..................92

Configuring the SRC Client ............................................................................94

Retrieval of DSL Line Rate Information from Access Nodes Overview .........102

DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview .......103

DHCPv6 Prefix Delegation Example .....................................................105

Order of Preference in Determining the Local Address Pool for Allocating

Prefixes ..........................................................................................106

Order of Preference in Allocating Prefixes and Assigning DNS Addresses

to Requesting Routers ....................................................................106

Configuring the DHCPv6 Local Address Pools ..............................................107

Limitation on the Number of Prefixes Used by Clients ..........................109

Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links

Example ...............................................................................................110

Chapter 2 Monitoring and Troubleshooting Remote Access 113

Setting Baselines for Remote Access ...........................................................114

Setting a Baseline for AAA Statistics ......................................................115

Setting a Baseline for AAA Route Downloads ........................................115

Setting a Baseline for COPS Statistics ....................................................115

Setting a Baseline for Local Address Pool Statistics ...............................115

Setting a Baseline for RADIUS Statistics ................................................116

Setting the Baseline for SRC Statistics ...................................................116

How to Monitor PPP Interfaces ...................................................................116

Monitoring AAA Accounting Configuration ..................................................116

Monitoring AAA Accounting Default ............................................................117

Monitoring Accounting Interval ...................................................................118

Monitoring Specific Virtual Router Groups ...................................................118

Monitoring the Default AAA Authentication Method List ..............................119

Table of Contents ■ xi

Table of Contents

Monitoring Domain and Realm Name Delimiters ........................................119

Monitoring Mapping Between User Domains and Virtual Routers ...............119

Monitoring Tunnel Subscriber Authentication ..............................................121

Monitoring Routing Table Address Lookup ..................................................122

Monitoring the AAA Model ..........................................................................122

Monitoring IP Addresses of Primary and Secondary DNS and WINS Name

Servers ..................................................................................................122

Monitoring AAA Profile Configuration .........................................................123

Monitoring Statistics about the RADIUS Route-Download Server .................124

Monitoring Routes Downloaded by the RADIUS Route-Download Server ....126

Monitoring Chassis-Wide Routes Downloaded by RADIUS Route-Download

Servers ..................................................................................................127

Monitoring Authentication, Authorization, and Accounting Statistics ...........129

Monitoring the Number of Active Subscribers Per Port ................................131

Monitoring the Maximum Number of Active Subscribers Per Virtual

Router ...................................................................................................131

Monitoring Session Timeouts ......................................................................131

Monitoring Interim Accounting for Users on the Virtual Router ...................132

Monitoring Virtual Router Groups Configured for AAA Broadcast

Accounting ............................................................................................132

Monitoring Configuration Information for AAA Local Authentication ...........133

Monitoring AAA Server Attributes ................................................................134

Monitoring the COPS Layer Over SRC Connection ......................................136

Monitoring Statistics About the COPS Layer ................................................138

Monitoring Local Address Pool Aliases ........................................................140

Monitoring Local Address Pools ...................................................................140

Monitoring Local Address Pool Statistics .....................................................142

Monitoring Shared Local Address Pools .......................................................142

Monitoring the Routing Table ......................................................................143

Monitoring the B-RAS License .....................................................................144

Monitoring the RADIUS Server Algorithm ....................................................144

Monitoring RADIUS Override Settings .........................................................144

Monitoring the RADIUS Rollover Configuration ...........................................145

Monitoring RADIUS Server Information .......................................................145

Monitoring RADIUS Services Statistics .........................................................147

Monitoring RADIUS SNMP Traps .................................................................151

Monitoring RADIUS Accounting for L2TP Tunnels .......................................151

Monitoring RADIUS UDP Checksums ..........................................................152

Monitoring RADIUS Server IP Addresses .....................................................152

Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router

Advertisements .....................................................................................152

Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation ........153

Monitoring SRC Client Connection Status ....................................................153

Monitoring SRC Client Connection Statistics ................................................155

Monitoring the SRC Client Version Number .................................................157

Monitoring Subscriber Information ..............................................................157

Monitoring Application Terminate Reason Mappings ..................................162

Monitoring IPv6 Local Pools for DHCP Prefix Delegation By All Configured

Pools .....................................................................................................164

Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name ......165

Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation ...............166

xii ■ Table of Contents

JUNOSe 11.1.x Broadband Access Configuration Guide

Part 2 Managing RADIUS and TACACS+

Chapter 3 Configuring RADIUS Attributes 171

RADIUS Overview .......................................................................................171

RADIUS Services ...................................................................................172

RADIUS Attributes ................................................................................172

RADIUS Platform Considerations ................................................................172

RADIUS References .....................................................................................173

Subscriber AAA Access Messages ................................................................173

Supported RADIUS IETF Attributes .......................................................174

Supported Juniper Networks VSAs ........................................................176

Subscriber AAA Accounting Messages .........................................................181

Supported RADIUS IETF Attributes .......................................................181

Supported Juniper Networks VSAs ........................................................184

Tunnel Accounting Messages ................................................................187

DSL Forum VSAs in AAA Access and Accounting Messages .........................188

CLI AAA Messages .......................................................................................190

CLI Commands Used to Modify RADIUS Attributes .....................................191

RADIUS IETF Attributes ........................................................................191

[4] NAS-IP-Address .........................................................................191

[5] NAS-Port ...................................................................................192

[8] Framed-IP-Address ....................................................................195

[9] Framed-Ip-Netmask ..................................................................195

[13] Framed-Compression ..............................................................196

[25] Class .......................................................................................197

[30] Called-Station-Id ......................................................................197

[31] Calling-Station-Id .....................................................................197

[32] NAS-Identifier .........................................................................203

[41] Acct-Delay-Time ......................................................................205

[44] Acct-Session-Id ........................................................................205

[45] Acct-Authentic .........................................................................206

[49] Acct-Terminate-Cause .............................................................207

[50] Acct-Multi-Session-Id ...............................................................207

[51] Acct-Link-Count .......................................................................207

[52] Acct-Input-Gigawords ..............................................................208

[53] Output-Gigawords ...................................................................208

[55] Event-Timestamp ....................................................................209

[61] NAS-Port-Type ........................................................................209

[64] Tunnel-Type ............................................................................210

[65] Tunnel-Medium-Type ..............................................................211

[66] Tunnel-Client-Endpoint ...........................................................211

[67] Tunnel-Server-Endpoint ..........................................................212

[68] Acct-Tunnel-Connection ..........................................................212

[77] Connect-Info ...........................................................................212

[82] Tunnel-Assignment-Id .............................................................214

[83] Tunnel-Preference ...................................................................214

[87] NAS-Port-Id .............................................................................214

[90] Tunnel-Client-Auth-Id ..............................................................216

[91] Tunnel-Server-Auth-Id .............................................................216

Table of Contents ■ xiii

Table of Contents

[96] Framed-Interface-Id ................................................................217

[97] Framed-Ipv6-Prefix .................................................................217

[99] Framed-Ipv6-Route .................................................................217

[100] Framed-Ipv6-Pool .................................................................218

[123] Delegated-Ipv6-Prefix ............................................................218

[188] Ascend-Num-In-Multilink .......................................................219

All Tunnel Server Attributes ............................................................220

Juniper Networks Vendor-Specific Attributes .........................................220

[26-1] Virtual-Router .......................................................................220

[26-10] Ingress-Policy-Name ..........................................................221

[26-11] Egress-Policy-Name ............................................................221

[26-14] Service-Category ................................................................222

[26-15] PCR ....................................................................................222

[26-16] SCR ....................................................................................223

[26-17] MBS ...................................................................................223

[26-24] Pppoe-Description ..............................................................224

[26-35] Acct-Input-Gigapackets .......................................................224

[26-36] Acct-Output-Gigapackets ....................................................224

[26-44] Tunnel-Interface-Id .............................................................225

[26-45] Ipv6-Virtual-Router .............................................................225

[26-46] Ipv6-Local-Interface ...........................................................226

[26-47] Ipv6-Primary-DNS ..............................................................226

[26-48] Ipv6-Secondary-DNS ..........................................................227

[26-51] Disconnect-Cause ...............................................................227

[26-53] Service-Description ............................................................228

[26-55] DHCP-Options ....................................................................228

[26-56] DHCP-MAC-Address ...........................................................228

[26-57] DHCP-GI-Address ...............................................................229

[26-62] MLPPP-Bundle-Name .........................................................229

[26-63] Interface-Desc ....................................................................230

[26-81] L2C-Information .................................................................230

[26-92] L2C-Up-Stream-Data ..........................................................230

[26-93] L2C-Down-Stream-Data ......................................................231

[26-129] Ipv6-NdRa-Prefix ..............................................................231

[26-141] Downstream-Calculated-Qos-Rate ....................................232

[26-142] Upstream-Calculated-Qos-Rate .........................................232

[26-143] Max-Clients-Per-Interface .................................................233

[26-150] ICR-Partition-Id ................................................................234

All IPv6 Accounting Attributes ........................................................234

[26-159] DHCP-Option 82 ..............................................................235

ANCP-Related Juniper Networks VSAs ...................................................235

DSL Forum Vendor-Specific Attributes ..................................................237

Including or Excluding Attributes in RADIUS Messages .........................238

Ignoring Attributes When Receiving Access-Accept Messages ...............239

Chapter 4 Configuring RADIUS Dynamic-Request Server 241

RADIUS Dynamic-Request Server Overview ................................................241

RADIUS Dynamic-Request Server Platform Considerations .........................242

RADIUS Dynamic-Request Server References .............................................242

xiv ■ Table of Contents

JUNOSe 11.1.x Broadband Access Configuration Guide

How RADIUS Dynamic-Request Server Works ............................................243

RADIUS-Initiated Disconnect .......................................................................243

Disconnect Messages ............................................................................243

Message Exchange ......................................................................................243

Supported Error-Cause Codes (RADIUS Attribute 101) ..........................244

Qualifications for Disconnect ................................................................244

Security/Authentication .........................................................................245

Configuring RADIUS-Initiated Disconnect ....................................................245

RADIUS-Initiated Change of Authorization ..................................................245

Change-of-Authorization Messages ........................................................245

Message Exchange ................................................................................246

Supported Error-Cause Codes (RADIUS Attribute 101) ..........................246

Qualifications for Change of Authorization ............................................247

Security/Authentication .........................................................................247

Configuring RADIUS-Initiated Change of Authorization ...............................247

RADIUS Dynamic-Request Server Commands .............................................248

Monitoring RADIUS Dynamic-Request Servers ............................................250

Chapter 5 Configuring RADIUS Relay Server 251

RADIUS Relay Server Overview ...................................................................251

RADIUS Relay Server Platform Considerations ............................................252

RADIUS Relay Server References ................................................................252

How RADIUS Relay Server Works ...............................................................252

Authentication and Addressing .............................................................253

Accounting ............................................................................................253

Terminating the Wireless Subscriber’s Connection ...............................254

RADIUS Relay Server and the SRC Software ................................................254

Using the SRC Software for Addressing .................................................254

Using the SRC Application for Accounting .............................................254

Configuring RADIUS Relay Server Support ..................................................255

Monitoring RADIUS Relay Server .................................................................257

Chapter 6 RADIUS Attribute Descriptions 259

RADIUS IETF Attributes ...............................................................................259

Juniper Networks VSAs ................................................................................265

DSL Forum VSAs .........................................................................................276

Pass Through RADIUS Attributes .................................................................277

RADIUS Attributes References .....................................................................278

Chapter 7 Application Terminate Reasons 279

AAA Terminate Reasons ..............................................................................279

L2TP Terminate Reasons .............................................................................280

PPP Terminate Reasons ..............................................................................295

RADIUS Client Terminate Reasons ..............................................................301

Table of Contents ■ xv

Table of Contents

Chapter 8 Monitoring RADIUS 303

Monitoring Override Settings of RADIUS IETF Attributes .............................303

Monitoring the NAS-Port-Format RADIUS Attribute .....................................304

Monitoring the Calling-Station-Id RADIUS Attribute .....................................305

Monitoring the NAS-Identifier RADIUS Attribute ..........................................305

Monitoring the Format of the Remote-Circuit-ID for RADIUS .......................306

Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS ....306

Monitoring the Acct-Session-Id RADIUS Attribute ........................................306

Monitoring the DSL-Port-Type RADIUS Attribute .........................................307

Monitoring the Connect-Info RADIUS Attribute ...........................................307

Monitoring the NAS-Port-ID RADIUS Attribute .............................................307

Monitoring Included RADIUS Attributes ......................................................308

Monitoring Ignored RADIUS Attributes ........................................................310

Setting the Baseline for RADIUS Dynamic-Request Server Statistics ............310

Monitoring RADIUS Dynamic-Request Server Statistics ...............................311

Monitoring the Configuration of the RADIUS Dynamic-Request Server ........312

Setting a Baseline for RADIUS Relay Statistics .............................................313

Monitoring RADIUS Relay Server Statistics ..................................................313

Monitoring the Configuration of the RADIUS Relay Server ..........................315

Monitoring the Status of RADIUS Relay UDP Checksums ............................316

Monitoring the Status of ICR Partition Accounting .......................................316

Chapter 9 Configuring TACACS+ 317

TACACS+ Overview ...................................................................................317

AAA Overview ......................................................................................318

Administrative Login Authentication .....................................................318

Privilege Authentication ........................................................................319

Login Authorization ..............................................................................319

Accounting ............................................................................................319

TACACS+ Platform Considerations .............................................................321

TACACS+ References .................................................................................321

Before You Configure TACACS+ .................................................................322

Configuring TACACS+ Support ...................................................................322

Configuring Authentication ...................................................................322

Configuring Accounting ........................................................................323

Chapter 10 Monitoring TACACS+ 329

Setting Baseline TACACS+ Statistics ...........................................................329

Monitoring TACACS+ Statistics ...................................................................329

Monitoring TACACS+ Information ..............................................................331

xvi ■ Table of Contents

JUNOSe 11.1.x Broadband Access Configuration Guide

Part 3 Managing L2TP

Chapter 11 L2TP Overview 335

L2TP Overview ............................................................................................335

L2TP Terminology .......................................................................................336

Implementing L2TP .....................................................................................337

Sequence of Events on the LAC ............................................................337

Sequence of Events on the LNS .............................................................338

Packet Fragmentation .................................................................................339

L2TP Platform Considerations .....................................................................340

L2TP Module Requirements ........................................................................340

ERX7xx Models, ERX14xx Models, and the ERX310 Router .................340

E120 Router and E320 Router ..............................................................341

Sessions and Tunnels Supported .................................................................341

L2TP References .........................................................................................342

Chapter 12 Configuring an L2TP LAC 343

LAC Configuration Prerequisites ..................................................................343

Modifying L2TP LAC Default Settings for Managing Destinations, Tunnels,

and Sessions .........................................................................................344

Generating UDP Checksums in Packets to L2TP Peers .................................345

Specifying a Destruct Timeout for L2TP Tunnels and Sessions ....................345

Preventing Creation of New Destinations, Tunnels, and Sessions ................346

Preventing Creation of New Destinations, Tunnels, and Sessions on the

Router ............................................................................................346

Preventing Creation of New Tunnels and Sessions at a Destination ......347

Preventing Creation of New Sessions for a Tunnel ................................347

Specifying a Drain Timeout for a Disconnected Tunnel .........................347

Shutting Down Destinations, Tunnels, and Sessions ....................................348

Closing Existing and Preventing New Destinations, Tunnels, and Sessions

on the Router .................................................................................348

Closing Existing and Preventing New Tunnels and Sessions for a

Destination .....................................................................................348

Closing Existing and Preventing New Sessions in a Specific Tunnel ......348

Closing a Specific Session .....................................................................349

Specifying the Number of Retransmission Attempts ....................................349

Configuring Calling Number AVP Formats ...................................................349

Calling Number AVP 22 Configuration Tasks ........................................353

Configuring the Fallback Format ...........................................................354

Disabling the Calling Number AVP ........................................................357

Mapping a User Domain Name to an L2TP Tunnel Overview ......................358

Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel

Mode ....................................................................................................359

Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel

Mode ....................................................................................................363

Configuring the RX Speed on the LAC .........................................................365

Table of Contents ■ xvii

Table of Contents

Managing the L2TP Destination Lockout Process .........................................366

Modifying the Lockout Procedure .........................................................366

Verifying That a Locked-Out Destination Is Available ............................368

Configuring a Lockout Timeout .............................................................368

Unlocking a Destination that is Currently Locked Out ...........................368

Starting an Immediate Lockout Test .....................................................369

Managing Address Changes Received from Remote Endpoints ...................369

Configuring LAC Tunnel Selection Parameters .............................................370

Configuring the Failover Between Preference Levels Method ................370

Configuring the Failover Within a Preference Level Method ..................371

Configuring the Maximum Sessions per Tunnel ....................................372

Configuring the Weighted Load Balancing Method ................................372

Chapter 13 Configuring an L2TP LNS 375

LNS Configuration Prerequisites ..................................................................375

Configuring an LNS .....................................................................................376

Creating an L2TP Destination Profile ...........................................................378

Creating an L2TP Host Profile ......................................................................379

Configuring the Maximum Number of LNS Sessions ...................................380

Configuring the RADIUS Connect-Info Attribute on the LNS ........................380

Overriding LNS Out-of-Resource Result Codes 4 and 5 ................................381

Overriding the Result Codes .................................................................381

Displaying the Current Override Setting ................................................382

Selecting Service Modules for LNS Sessions Using MLPPP ...........................382

Assigning Bundled Group Identifiers .....................................................383

Overriding All Endpoint Discriminators ................................................384

Enabling Tunnel Switching ..........................................................................384

Creating Persistent Tunnels .........................................................................385

Testing Tunnel Configuration ......................................................................385

Managing L2TP Destinations, Tunnels, and Sessions ...................................385

Configuring Disconnect Cause Information .................................................386

Generating the Disconnect Cause AVP Globally .....................................386

Generating the Disconnect Cause AVP with a Host Profile ....................387

Enabling RADIUS Accounting for Disconnect Cause ..............................387

Displaying Disconnect Cause Statistics .................................................387

Configuring the Receive Window Size .........................................................388

Configuring the Default Receive Window Size ......................................388

Configuring the Receive Window Size on the LAC ................................389

Configuring the Receive Window Size on the LNS .................................390

Configuring Peer Resynchronization ...........................................................391

Configuring Peer Resynchronization for L2TP Host Profiles and AAA

Domain Map Tunnels .....................................................................392

Configuring the Global L2TP Peer Resynchronization Method ...............393

Using RADIUS to Configure Peer Resynchronization .............................394

Configuring L2TP Tunnel Switch Profiles .....................................................394

Applying the L2TP Tunnel Switch Profile ..............................................394

Configuration Guidelines .......................................................................395

Configuring L2TP AVPs for Relay ..........................................................395

xviii ■ Table of Contents

JUNOSe 11.1.x Broadband Access Configuration Guide

Configuration Tasks ..............................................................................396

Enabling Tunnel Switching on the Router .......................................396

Configuring L2TP Tunnel Switch Profiles ........................................396

Applying L2TP Tunnel Switch Profiles by Using AAA Domain

Maps ........................................................................................397

Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel

Groups .....................................................................................398

Applying Default L2TP Tunnel Switch Profiles ................................399

Applying L2TP Tunnel Switch Profiles by Using RADIUS ................399

Configuring the Transmit Connect Speed Calculation Method .....................400

Transmit Connect Speed Calculation Methods ......................................401

Static Layer 2 .................................................................................401

Dynamic Layer 2 ............................................................................402

QoS ................................................................................................402

Actual .............................................................................................402

Transmit Connect Speed Calculation Examples ....................................402

Example 1: L2TP Session over ATM 1483 Interface ........................402

Example 2: L2TP Session over Ethernet VLAN Interface .................403

Transmit Connect Speed Reporting Considerations ..............................404

Session Termination for Dynamic Speed Timeout ..........................404

Advisory Speed Precedence for VLANs over Bridged Ethernet ........404

Using AAA Domain Maps to Configure the Transmit Connect Speed

Calculation Method .........................................................................404

Using AAA Tunnel Groups to Configure the Transmit Connect Speed

Calculation Method .........................................................................405

Using AAA Default Tunnel Parameters to Configure the Transmit Connect

Speed Calculation Method ..............................................................406

Using RADIUS to Configure the Transmit Connect Speed Calculation

Method ...........................................................................................407

PPP Accounting Statistics ............................................................................408

Chapter 14 Configuring L2TP Dial-Out 411

L2TP Dial-Out Overview ..............................................................................411

Terms ...................................................................................................412

Network Model for Dial-Out ..................................................................412

Dial-Out Process ...................................................................................413

Dial-Out Operational States ...................................................................413

Chassis ...........................................................................................413

Virtual Router .................................................................................414

Targets ...........................................................................................414

Sessions .........................................................................................415

Outgoing Call Setup Details ...................................................................416

Access-Request Message ................................................................416

Access-Accept Message ..................................................................417

Outgoing Call ..................................................................................417

Mutual Authentication ....................................................................418

Route Installation ...........................................................................418

L2TP Dial-Out Platform Considerations .......................................................418

L2TP Dial-Out References ............................................................................418

Table of Contents ■ xix

Table of Contents

Before You Configure L2TP Dial-Out ...........................................................419

Configuring L2TP Dial-Out ...........................................................................419

Monitoring L2TP Dial-Out ............................................................................421

Chapter 15 L2TP Disconnect Cause Codes 423

L2TP Disconnect Cause Codes .....................................................................423

Chapter 16 Monitoring L2TP and L2TP Dial-Out 427

Monitoring the Mapping for User Domains and Virtual Routers with AAA ....428

Monitoring Configured Tunnel Groups with AAA .........................................430

Monitoring Configuration of Tunnel Parameters with AAA ..........................432

Monitoring Global Configuration Status on E Series Routers ........................433

Monitoring Detailed Configuration Information for Specified

Destinations ..........................................................................................435

Monitoring Locked Out Destinations ...........................................................437

Monitoring Configured Destination Profiles or Host Profiles ........................437

Monitoring Configured and Operational Status of all Destinations ...............440

Monitoring Statistics on the Cause of a Session Disconnection ....................441

Monitoring Detailed Configuration Information about Specified Sessions ....442

Monitoring Configured and Operational Summary Status ............................443

Monitoring Configured Switch Profiles on Router ........................................444

Monitoring Detailed Configuration Information about Specified Tunnels .....445

Monitoring Configured and Operational Status of All Tunnels .....................448

Monitoring Chassis-wide Configuration for L2TP Dial-out ............................448

Monitoring Status of Dial-out Sessions .........................................................453

Monitoring Dial-out Targets within the Current VR Context .........................454

Monitoring Operational Status within the Current VR Context .....................456

Part 4 Managing DHCP

Chapter 17 DHCP Overview 461

DHCP Overview Information .......................................................................461

Session and Resource Control Software ................................................462

DHCP Platform Considerations ....................................................................462

DHCP References ........................................................................................463

Configuring the DHCP Access Model ...........................................................463

Configuring DHCP Proxy Clients .................................................................464

Logging DHCP Packet Information ..............................................................465

Viewing and Deleting DHCP Client Bindings ................................................466

xx ■ Table of Contents

JUNOSe 11.1.x Broadband Access Configuration Guide

Page is loading ...

Juniper JUNOSE SOFTWARE 11.1.X - BROADBAND ACCESS CONFIGURATION GUIDE 6-6-2010, JUNOSE 11.1.X - BROADBAND ACCESS CONFIGURATION GUIDE 6-4-2010, JUNOSE 11.1.X MULTICAST ROUTING Configuration manual

Related papers

Other documents