miercuri, 18 septembrie 2013

Juniper MX Bras DHCP profile - Radius COA

Topology:   PC[vlan411]-[ge-1/1/0]MX80[ge-1/1/0.410]-[10.100.100.2]RADIUS/DHCP

JunOS config: 

root@mx80-2-R5> show configuration interfaces ge-1/1/0
description " ** Link to 3750-12s-1 g1/0/5 **";
flexible-vlan-tagging;
auto-configure { < -- auto configure interface
    vlan-ranges { < -- using one vlan
        dynamic-profile VLAN_PROFILE { <--using profile
            accept dhcp-v4; < when we receive dhcp-discovery
            ranges {
                411-411; < only allow vlan 411
            }
        }
    }
    remove-when-no-subscribers;
}

Dynamic profile :

root@mx80-2-R5> show configuration dynamic-profiles VLAN_PROFILE
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            demux-source inet;
            proxy-arp;
            vlan-id "$junos-vlan-id";
            family inet {
                mac-validate strict;
                unnumbered-address lo0.5 preferred-source-address 100.100.100.1;
            }
        }
    }
}

root@mx80-2-R5> show configuration forwarding-options dhcp-relay
authentication {
    password 123;
    username-include {
        option-82 circuit-id;
    }
}
dynamic-profile DHCP_CST;
overrides {
    always-write-option-82;
}
relay-option-82 {
    circuit-id {
        prefix {
            host-name;
        }
    }
}
server-group {
    ONE {
        10.100.100.2;
    }
}
active-server-group ONE;
group ONE {                          
    interface ge-1/1/0.0;
}

interfaces {
    demux0 {
        unit "$junos-interface-unit" {
            demux-options {
                underlying-interface "$junos-underlying-interface";
            }
            family inet {
                demux-source {
                    $junos-subscriber-ip-address;
                }
                filter {
                    input "$junos-input-filter";
                }
                unnumbered-address lo0.5;
            }
        }
    }
}

root@mx80-2-R5> show configuration access   
radius-server {
    10.100.100.2 {
        secret "$9$Fe48nApO1RSlK"; ## SECRET-DATA
        timeout 5;
        source-address 10.100.100.1;
    }
}
profile sbr {
    accounting-order radius;
    authentication-order radius;
    radius {
        authentication-server 10.100.100.2;
        accounting-server 10.100.100.2;
        options {
            revert-interval 0;
        }
    }
    ##
    ## Warning: requires 'subscriber-accounting' license
    ##
    accounting {
        order radius;
        immediate-update;
        coa-immediate-update;           
        update-interval 120;
        statistics volume-time;
        duplication;
    }
}

root@mx80-2-R5> show configuration access-profile 
sbr;

root@mx80-2-R5> show configuration firewall

filter 2M {                             
    interface-specific;
    term 10 {
        then {
            count 2M;
            accept;
        }
    }
}
filter 5M {
    interface-specific;
    term 10 {
        then {
            count 5M;
            accept;
        }
    }
}
filter DENY {
    interface-specific;
    term 10 {
        then {
            count DENY;
            reject;                     
        }
    }
}


DHCP/RADIUS server conf 



/etc/dhcp/dhcpd.conf

subnet 10.100.100.0 netmask 255.255.255.0 {
}

subnet 100.100.100.0 netmask 255.255.255.0 {
  range 100.100.100.5 100.100.100.8;
  option broadcast-address 100.100.100.255;
  option routers 100.100.100.2;
}

/etc/freeradius/clients.conf 

client 10.100.100.1 {
        secret      = 123
}

/etc/freeradius/users

mx80-2-R5:ge-1/1/0:411 Auth-Type:= ACCEPT  , User-Password == "123"
Filter-ID = "5M"


Checklist: 

root@mx80-2-R5> show subscribers          
Interface           IP Address/VLAN ID                      User Name                      LS:RI
ge-1/1/0.1073741824  411                                                              default:default      
demux0.1073741825   100.100.100.5                           mx80-2-R5:ge-1/1/0:411       default:default 

root@mx80-2-R5> show subscribers client-type dhcp detail 
Type: DHCP
User Name: mx80-2-R5:ge-1/1/0:411
IP Address: 100.100.100.5
Logical System: default
Routing Instance: default
Interface: demux0.1073741825
Interface type: Dynamic
Dynamic Profile Name: DHCP_CST
MAC Address: 00:19:bb:5a:e8:a6
State: Active
DHCP Relay IP Address: 100.100.100.1
Radius Accounting ID: 2
Session ID: 2
Agent Circuit ID: mx80-2-R5:ge-1/1/0:411
Login Time: 2013-09-18 09:30:05 UTC
DHCP Options: len 75
35 01 01 32 04 64 64 64 05 0c 09 75 62 75 6e 74 75 2d 73 32
51 0c 00 00 00 75 62 75 6e 74 75 2d 73 32 37 0d 01 1c 02 03
0f 06 77 0c 2c 2f 1a 79 2a 52 18 01 16 6d 78 38 30 2d 32 2d
52 35 3a 67 65 2d 31 2f 31 2f 30 3a 34 31 31

root@mx80-2-R5> show dynamic-configuration session information session-id 2                      
Session info:
  Accounting session ID: 2
  IP address: 100.100.100.5
  Logical system name: default
  Profile name: DHCP_CST
  MAC address: 00:19:bb:5a:e8:a6
  NAS port type: 15
  Routing instance: default
  Access Profile: sbr
  User name: mx80-2-R5:ge-1/1/0:411
  Interface name: demux0.1073741825
  Dynamic-configuration state: 2
  Client session type: 1
  DHCP relay agent IP address: 100.100.100.1
  IFL type: 2
  Accounting type: 2
  Accounting interval: 7200
  Underlying logical-interface: ge-1/1/0.1073741824
  Client login time: 2013-09-18 09:30:05 UTC
  DHCP option: 35:01:01:32:04:64
  VLAN tag: 411
  Agent Circuit ID: mx80-2-R5:ge-1/1/0:411
  Configuration bits: 0x80007 0 0 0 0 
Dynamic configuration:                  
  junos-input-filter: 5M
  junos-interface-unit: 1073741825
  junos-phy-ifd-name: ge-1/1/0
  junos-underlying-interface: ge-1/1/0.1073741824


COA 

server : 

root@ubuntu-s1: echo "Framed-IP-Address=100.100.100.5,Acct-Session-Id=2,Filter-ID=2M" | radclient -x 10.100.100.1 coa 123
Sending CoA-Request of id 200 to 10.100.100.1 port 3799
        Framed-IP-Address = 100.100.100.5
        Acct-Session-Id = "2"
        Filter-Id = "2M"
rad_recv: CoA-ACK packet from host 10.100.100.1 port 3799, id=200, length=20

Check: 

root@mx80-2-R5> ...ion session information session-id 2                      
Session info:
  Accounting session ID: 2
  IP address: 100.100.100.5
  Logical system name: default
  Profile name: DHCP_CST
  MAC address: 00:19:bb:5a:e8:a6
  NAS port type: 15
  Routing instance: default
  Access Profile: sbr
  User name: mx80-2-R5:ge-1/1/0:411
  Interface name: demux0.1073741825
  Dynamic-configuration state: 2
  Client session type: 1
  DHCP relay agent IP address: 100.100.100.1
  IFL type: 2
  Accounting type: 2
  Accounting interval: 7200
  Underlying logical-interface: ge-1/1/0.1073741824
  Client login time: 2013-09-18 09:30:05 UTC
  DHCP option: 35:01:01:32:04:64
  VLAN tag: 411
  Agent Circuit ID: mx80-2-R5:ge-1/1/0:411
  Configuration bits: 0x80007 0 0 0 0 
Dynamic configuration:                  
  junos-input-filter: 2M
  junos-interface-unit: 1073741825
  junos-phy-ifd-name: ge-1/1/0
  junos-underlying-interface: ge-1/1/0.1073741824