Beruflich Dokumente
Kultur Dokumente
Day One:
SBR Change of Authorization
(CoA) and the MX Series
By John Rolfe
ITS DAY ONE AND YOU HAVE A JOB TO DO, SO LEARN HOW TO:
n Handle DHCP subscribers using MX DHCP local server.
n Configure IP demux on the subscriber interface.
n Create QoS configuration templates for deployment.
n Build dynamic profiles using the firewall filter/policer for QOS.
n Use SBR Carrier using Session Control Module (SCM) for CoA.
n Utilize SBR Carrier XML over HTTPS API.
n Perform PHP scripting to implement the HTTPS XML post.
n Build a basic Apache web server page.
Juniper Networks Books are singularly focused on network productivity and efficiency. Peruse the
complete library at www.juniper.net/books.
Published by Juniper Networks Books
ISBN 978-1936779635
51200
07100164
9 781936 779635
iv
vi
vii
viii
Chapter 1
MX Dynamic Subscriber Management
The Lab Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
The Basic Use Case and Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Change of Authorization (CoA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10
NOTE
SBR needs to run on Red Hat Enterprise Server in production networks, but Centos is binary compatible and freely available. SBR also
runs in a SPARC Solaris environment.
The SCM license allows SBR to implement CoA to the MX, as well as
being the authentication and authorization server for the subscriber on
behalf of the MX. In the test lab for the book, there is also Internet
connectivity off the MX, which permits us to go to speed test sites to
confirm our dynamic changes to the session.
Figure 1.1
11
12
Figure 1.2
When a subscriber connection comes active, it issues a DHCP discovery, which is a Layer 3 broadcast. The MX is configured as a local
DHCP server with Radius authorization, and as such, issues an access
request to RADIUS. The access request has a user-name as the MACAddress of the subscriber with a prefix and a password of Juniper. The
password is configured statically in the MX and must be present in the
access request to conform to the RADIUS RFC. This is typically
referred to as authorization; since all users have the same password,
its not technically authenticating anything, its simply authorizing the
subscriber for a particular set of session attributes.
Upon receipt of the access request, SBR will look up the user-name and
password in its subscriber database, and as long as the passwords
match, will accept the request. The subscriber database will also
contain a profile name, the profile name matches a list of attributes to
be returned to the MX in the access accept message. These attributes
are dynamically attached to the subscribers connection. In our use
case, firewall filters are applied on the ingress and egress that police all
traffic to 2Mbps. Firewall filters with policers at 5M and 10M are also
defined and they will be the filters changed using CoA.
After SBR accepts the connection and returns the RADIUS attributes
referencing the ingress and egress firewall filters, the MX finishes the
DHCP process and applies the dynamic profile to the connection.
13
14
Table 1.1
Supported Juniper Networks Vendor-Specific Attributes (VSAs) for use with CoA
VSA
Attribute
Ingress-Policy-Name
Egress-Policy-Name
IGMP-Enable
LI-Action
Med-Dev-
Service-Statistics
IGMP-Access-Group-Name
MP-Access-Source-Group-Name
MLD-Access-Group-Name
MLD-Access-Source-Group-Name
MLD-Version
IGMP-Version
IGMP-Immediate-Leave
MLD-Immediate-Leave
IPv6-Ingress-Policy-Name
IPv6-Egress-Policy-Name
CoS-Shaping-Pmt-Type
Interface-Set-Name
Service-Interim-Acct-Interval
CoS-Scheduler-Pmt-Type
Chapter 2
Setting Up the MX
Configuring the MX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Licensing Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configuring the Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring ge-2/2/0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring the DHCP Local Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring the Dynamic Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Checkpoint Validating the Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Adding Firewall Filters to the Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
16
This chapter describes the basic setup for a DHCP client to obtain its
IP address from the MX local DHCP server, as well as authorizing the
connection via RADIUS (SBR). To keep the configuration simple, lets
use an IP demux connection, no VLANs, along with ingress and egress
firewall filters (policers). The final step will be to configure the MX to
authorize the connection from SBR and SBR to push the firewall filter
names to the MX via RADIUS VSAs (Vendor Specific Attributes).
Configuring the MX
Figure 2.1 shows our simple DHCP client (PC in our case) connected
to the MX. The MX has a local DHCP pool assigning addresses
10.10.10.50 through 10.10.10.60 via interface ge-2/0/0.
Figure 2.1
Licensing Requirements
The MX comes with a 30-day trial license for 1K subscriber sessions, if
this is not sufficient with the equipment in your lab, two licenses will
be required.
For chassis-based MXs (the 240, 480, and 960), the SKU is
S-SA-FP; for the MX80 family the SKU is S-MX80-SA-FP. These
SKUs are Feature Pack for Subscriber Access features.
17
18
MORE? There are a number of uses for the unnumbered interfaces, including
secondary addresses, primary, preferred, and using a number of
secondary addresses for multiple DHCP pools. For more information
go to http://www.juniper.net/techpubs/ and search for unnumbered
interfaces.
Configuring ge-2/2/0
The ge-2/2/0 interface configuration stanza is very simple and its
under unit 0:
[edit]
root@Camlab# show interfaces ge-2/2/0
enable;
unit 0 {
demux-source inet;
family inet {
unnumbered-address lo0.0;
}
}
In Junos, you configure multiple pools in the [access address-assignment] hierarchy, and control in the [system services dhcp-local-server]
hierarchy.
For this books lab example, the DHCP pool is configured as:
[edit access address-assignment]
root@Camlab# show
pool DHCP {
family inet {
network 10.10.10.0/24;
range 1 {
low 10.10.10.50;
high 10.10.10.60;
}
dhcp-attributes {
maximum-lease-time 3600;
name-server {
8.8.8.8;
}
router {
10.10.10.149;
}
}
}
}
In this configuration the statement pool-match-order uses the ip-address-first to select the DHCP pool to use. Authentication is set up to
19
20
use the tag foobar, along with MAC address of the client, to create a
user name. This is important when RADIUS is used to authorize the
connection. The statement dynamic-profile points to the dynamic
profile name that is configured in the next section. Also, you can see
that the interface ge-2/2/0 is referenced to specify which interfaces will
use this DHCP configuration.
Since the preceding configuration specified a user name under the
authentication hierarchy, the authentication access control needs to be
configured:
[edit access]
root@Camlab# show
profile local {
authentication-order none;
}
root@Camlab# top
[edit]
root@Camlab# edit access-profile
[edit access-profile]
root@Camlab# show
local;
For now its set to none, but going forward it will become RADIUS and
use the username foobar.<mac address> as the username for the
RADIUS access request.
}
}
}
}
And the IPv4 address allocated is 10.10.10.57 along with the default
gateway of 10.10.10.149 and a DNS server 8.8.8.8. The MAC address
is 00-50-56-BD-00-35, which, when preceded by foobar, should be the
username associated with this subscriber.
Lets check the connection on the MX with a show command:
[edit]
root@Camlab# run show subscribers
Interface IP Address/VLAN ID User NameLS:RI
demux0.1073741886 10.10.10.57 foobar.0050.56bd.0035default:default
21
22
TIP
There are several other commands you can use to drill down into the
subscriber connection, which you can access using simple Junos help
<?> prompt.
To begin the configuration, the firewall filter needs a name and actions
associated with it. The filters are defined in the top level of the hierarchy as follows:
[edit]
root@Camlab# show firewall
family inet {
filter police-10M {
interface-specific;
term all {
then policer 10M;
}
}
filter police-2M {
interface-specific;
term all {
then policer 2M;
}
}
filter police-5M {
interface-specific;
term all {
then policer 5M;
}
}
}
policer 2M {
if-exceeding {
bandwidth-limit 2m;
burst-size-limit 100k;
}
then discard;
}
policer 5M {
if-exceeding {
bandwidth-limit 5m;
burst-size-limit 250k;
}
then discard;
}
policer 10M {
if-exceeding {
bandwidth-limit 10m;
burst-size-limit 500k;
}
then discard;
}
Essentially these firewall filters are accepting all traffic (term all) and
then invoking a policer, which has a bandwidth limit along with a burst
size when the traffic exceeds the bandwidth limit, it is discarded. The
burst-size-limit is a byte count, not bits, as in bandwidth-limit. Its
23
24
NOTE
At this point, the DHCP client needs to be released from its previous
DHCP bindings before the configuration can be committed. Junos will
not allow a change to a dynamic profile that is in use by a subscriber.
This is done using the clear command or run clear from the [edit]
menu:
clear dhcp server bindings all
Summary
At this point you should have a working DHCP client with ingress and
egress firewall filters assigned limiting traffic to 2Mbps. You should
also have a good understanding of how the MX uses dynamic profiles
in DHCP applications as well as the concepts of firewall filters being
used as a policer.
In the next chapter, SBR will be introduced to control the authorization of the DHCP client, in addition to assigning the firewall filter to
the client. Go get a cup of coffee or your favorite beverage and lets get
ready for SBR.
25
26
Chapter 3
Adding SBR to the Configuration
Licensing Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Loading SBR Onto a Centos or Red Hat Server (or VM). . . . . . . . . . . . . . . . 28
Configuring SBR Text Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configuring SBR RADIUS Clients, Profiles, and Users. . . . . . . . . . . . . . . . . . 34
Configuring the MX for Radius Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . 38
Testing the Configuration - Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
28
This chapter describes the setup of SBR Carrier to control the authorization and firewall filter assignment of the MX setup for the previous
chapters. The steps covered for doing so are:
License requirements
Loading SBR onto a Centos platform (VM or physical server)
Configuring SBR text files
Configuring SBR users, profiles, and RADIUS clients
Configuring MX to use SBR for authorization
Debugging using SBR and MX logs
Licensing Requirements
SBR requires two licenses for this application:
A base license to run the server (SKU: SBR-CAR-AAA)
And a license for Change of Authorization (SKU: SBR-CARSCM)
SCM stands for Session Control Module and allows for CoA/DM, as
well as for Cisco IOSs Packet of Disconnect (POD). The licenses are
installed when the SBR configure script is run on the server. These
licenses can also be the lab version, which simply adds LAB to the
SKU. In production environments, SBR is typically used with the
Session State Registrar (SSR), which centralizes the session state from a
number of SBR front end servers. This book, however, focuses on the
standalone SBR server.
This will stop the iptables firewall until next time you reboot the
system. To turn it off permanently, use:
chkconfig iptables stop
After doing the yum localinstall of the rpm, the next step is to run the
configure script:
[root@src-linux ~]# cd /opt/JNPRsbr/RADIUS/install
[root@src-linux install]# ./configure
Configuring SBR Software
--------------------------------------------------------------------------SBR 7.40.21552
on Linux 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 node src-linux
---------------------------------------------------------------------------
After you accept the license agreement, prompts for the aforementioned SBR licenses are provided. Enter the two required licenses:
Enter SBR full license: <SBR-CAR-AAA license>
Enter SBR feature license: <SBR-CAR-SCM license>
When both licenses are accepted, press the Enter key and the configure
script continues. For most of the configuration prompts the default is
acceptable. (For more information on each of the prompts see the SBR
Installation Guide.) For this book, just make sure its a <new> installation, and enable the autoboot script (these are default).
Once the configure script is finished, start SBR, and test the access to
the Admin GUI.
Start SBR by navigating to the /opt/JNPRsbr/RADIUS directory this
is the default directory where most of the configuration work is done.
From this directory run the sbrd script as follows:
[root@src-linux RADIUS]# cd /opt/JNPRsbr/RADIUS/
[root@src-linux RADIUS]# ./sbrd start
Starting RADIUS server processes
RADIUS: Process ID of daemon is 15763
RADIUS: Starting DCF system
[root@src-linux RADIUS]# RADIUS:
29
30
If SBR has an error launching, check the /etc/hosts file on the server
for the IP address that SBR is using. The SBR software must be able to
resolve its address to the hostname. Here you see the hostname
src-linux has been added to /etc/hosts to allow SBR to start:
[root@src-linux RADIUS]# hostname
src-linux
[root@src-linux RADIUS]# more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.10.102 src-linux
[root@src-linux RADIUS]#
The sbrd script has a number of functions other than start; you can see
these by entering ./sbrd <return> as follows:
[root@src-linux RADIUS]# ./sbrd
SYNOPSIS: sbrd <function> [force]
EXAMPLES: sbrd status
sbrd start [force]
sbrd stop [force]
sbrd restart [force]
sbrd clean [force]
sbrd hup
Once SBR has started successfully, bring up the admin GUI interface
from Internet Explorer or Firefox by navigating to http://<server-address>:1812.
Click on the launch button and SBR launches a java applet, which is
the Admin GUI.
NOTE
SBR admin GUI runs on IE and Firefox with java enabled. If you have
trouble launching the admin GUI, but can get to the web server, check
the java configurations.
31
32
RADIUS.ini
The RADIUS.ini file contains a number of global settings specific to the
instance of RADIUS. The file is lengthy, but only a couple of areas need
to be edited:
[Logging]
LogLevel=2
TraceLevel=2
LogAccept=1
LogReject=1
;MaxSize = 0
;RollOver = 0
;LogfileMaxMBytes = 0
;LogfilePermissions = owner:group mode ; UNIX only
;LogHighResolutionTime = no
;LogUsesUTC = no
;EnhancedDiagnosticLogging = no
;Log-Thread-ID = no
;Log-Flush-To-System = no
;LogCallingStationId = no
;LogSessionId = no
;LogDir = <file system location>
;The following setting will display the system information at rollover
;SysInfoOnRollover = yes
Use your favorite editor and change the two bolded parameters,
LogLevel and TraceLevel, to 2. This turns on verbose logging, which
will be used in all subsequent chapters for debugging.
NOTE
[Addresses]
; This section controls which IP addresses the server will listen on for
; incoming RADIUS packets. By default, the server will use DNS (and DNSv6 if
; IPv6 is enabled) to configure all local IP addresses except for the following:
; IPv4/IPv6 loopback, IPv6 link local (DEPRECATED), IPv6 site local (DEPRECATED).
; Alternatively, one or more IP addresses may be specified explicitly, each on
; a separate line, in which case only the specified addresses will be configured.
; Zero or more of the following AutoConfigure directives may also be specified:
;AutoConfigureIPv4 ; Use DNS to configure all local IPv4 addresses
;AutoConfigureIPv6 ; Use DNSv6 to configure all local IPv6 addresses
10.10.10.102
vendor.ini
SBR uses dictionary files to process the RADIUS attributes (both
standard RADIUS and VSAs). In the case of the lab MX for this book,
the VSA dictionary being used is unisphereMX11-2.dct. Viewing this
file lists all of the attributes used by the MX for subscriber management. The Juniper subscriber management VSAs are built off of the
Unisphere VSAs used by the ERX router, hence the dictionary needed
is the same for either an ERX or a MX running subscriber management.
NOTE
Its important to note that SBR only processes RADIUS packets using
the dictionary associated with the product listed in vendor.ini, along
with the standard RADIUS.dct attributes.
Edit the file vendor.ini and search for the entry with Unishphere MX
with Junos v11.2 as shown. Ensure the correct dictionary is associated
with the vendor-product.
vendor-product
dictionary
ignore-ports
port-number-usage
help-id
=
=
=
=
=
The vendor-product = is the text string that is seen in the SBR admin
GUI when configuring the MX.
After the edits are done to the text files, restart or hup the sbr process
as root.in the /opt/JNPRsbr/RADIUS directory:
./sbrd restart
or
./sbrd hup
33
34
When youre done click OK, and the client is added. Theres no need
to hup or restart with changes you make in the admin GUI.
Profiles
In SBR, profiles are simply lists of attributes that either are expected to
be received in an access request (checklist) or returned in an access
accept (return list). In the use case for this book checklists wont be
used. However, the attributes corresponding to the police-2M firewall
filter defined in the MX will be set up in the return list. This profile will
be called slow for obvious reasons.
There are two attributes (VSAs) required to implement this firewall
filter.
Unisphere-Ingress-Policy-Name
Unishphere-Egress-Policy-Name.
These attributes correspond to the filter in the dynamic profile below.
When the MX is configured for RADIUS, the input police-2M and
output police-2M filters can be replaced with $junos variables, mean-
35
36
ing the MX expects RADIUS to return values for these firewall filter
names:
IPDemux {
interfaces {
demux0 {
unit "$junos-interface-unit" {
demux-options {
underlying-interface "$junos-underlying-interface";
}
family inet {
demux-source {
$junos-subscriber-ip-address;
}
filter {
input police-2M;
output police-2M;
}
unnumbered-address lo0.0;
}
}
}
}
}
Give the profile the name slow and click on the Return List tab in the
Attributes detail. Click on Add and look for Unisphere-Ingress-PolicyName and input a value of police-2M, and then do the same for
Unisphere-Egress-Policy-Name. When you select Add in the attribute
list, the list contains attributes that are in the RADIUS.dct file as well
as the unisphereMX11-2.dct file configured in vendor.ini. Only
Native Users
A user database that is internal to the SBR server is called native users.
Its meant to support small installations (10K users or less). In service
provider networks, the subscriber database is typically a SQL or LDAP
repository SBR connects to that allows authentication and authorization. In this book, lets just use the internal database for simplicity.
The native users panel in SBR admin GUI allows you to add users/
password and profiles for each subscriber. Profiles are pointers to lists
of attributes that you want returned with the access accept message.
Looking back at Chapter 2, the DHCP subscriber was given a user
name of foobar.0050.56bd.0035, built from user-prefix foobar, and
the mac-address of the DHCP client:
authentication {
username-include {
user-prefix foobar;
mac-address;
37
38
Then click Add in the taskbar and input the user name, password, and
profile name as shown here. The name is not case sensitive as RADIUS
defaults to this, so the user name will be in caps.
Once done click OK, and thats all thats needed for the SBR. The
server will wait for an access request from the MX containing the
user-name/password defined, and if it matches, the server will return
the ingress and egress profile names to the MX.
Figure 3.1
39
40
NOTE
Most service providers would use DHCP option 82 as the user name,
which is an option, on the MX DHCP Option 82, is built up from
two sub options, Circuit ID and Remote ID, and is used by the service
provider to identify where the actual connection is coming from, and
ultimately the profile that should be returned.
Next the MX needs an access profile defined (called sbr here). This
includes the RADIUS specific configuration. The configuration is
defined under the [edit access profile sbr] heirarchy:
Last, but certainly not least, the MX needs to be told to use the access
profile called sbr. In Chapter 2, the access profile was named local,
which didnt have any authentication defined:
[edit]
root@Camlab# set access-profile sbr
[edit]
root@Camlab# commit
commit complete
[edit]
41
42
43
44
45
46
(2212): ----------------------------------------------------(2212):
(2212):
(2212):
(2303):
(2303):
(2303):
(2303):
(2303):
(2303):
(2303):
(2303):
(2303):
(2303):
Authentication Request
Received from IpAddr=10.10.10.101 Port=62354
(2303):
(2303):
(2303):
(2303):
(2303):
(2303):
(2303):
Authentication Request
Received from IpAddr=10.10.10.101 Port=62354
Packet Code=0x01 Id=0x7f
Client Name="MX"
Dictionary Name="unisphereMX11-2.dct"
Vector =
000: 4a 96 c0 0a df 0d b2 9d 82 02 90 69 8e 75 36 73
(2303):
(2303):
(2303):
(2303):
Parsed Packet :
User-Name : String Value = foobar.0050.56bd.0035
User-Password : Value =
000: 96 a4 fe 57 ff b0 25 68 3b 6c ed c5 5b fe 9d e3
(2303):
(2303):
(2303):
(2303):
(2303):
Entering
Looking up shared secret
Looking for RAS client 10.10.10.101 in DB
Matched 10.10.10.101 to RAS client MX
Parsing request
Initializing cache entry
Doing inventory check on request
Getting info on requesting client
NAS-IP-Address in request: 10.10.10.101
-----------------------------------------------------
|5..=...PV..5..SR|
11/13/2012 20:14:18.469 (2303): 010: 43 2d 50 43 32 3c 08 4d 53 46 54 20 35 2e 30 37
|C-PC2<.MSFT 5.07|
11/13/2012 20:14:18.469 (2303): 020: 0c 01 0f 03 06 2c 2e 2f 1f 21 79 f9 2b
|.....,./.!y.+ |
11/13/2012 20:14:18.469 (2303): Unisphere-Dhcp-Mac-Addr : String Value =
0050.56bd.0035
11/13/2012 20:14:18.469 (2303): NAS-Identifier : String Value = Camlab
11/13/2012 20:14:18.469 (2303): NAS-Port : Integer Value = 536875007
11/13/2012 20:14:18.469 (2303): NAS-Port-ID : String Value = ge-2/2/0.0
11/13/2012 20:14:18.469 (2303): NAS-Port-Type : Integer Value = 15
11/13/2012 20:14:18.469 (2303): NAS-IP-Address : IPAddress = 10.10.10.101
11/13/2012 20:14:18.469 (2303): -----------------------------------------------------11/13/2012 20:14:18.469 (2303): Determining if request is for a tunnel
11/13/2012 20:14:18.469 (2303): Determining if this RADIUS should act as a proxy
11/13/2012 20:14:18.469 (2303): Determining user class
11/13/2012 20:14:18.470 (2303): Authenticating user FOOBAR.0050.56BD.0035 with
authentication method Native User
11/13/2012 20:14:18.470 (2303): Determined that FOOBAR.0050.56BD.0035 of class NativeUser is the user
11/13/2012 20:14:18.470 (2303): Getting attribute info on requesting user
11/13/2012 20:14:18.470 (2303): Getting profile info for requesting user
11/13/2012 20:14:18.470 (2303): Merging saved attributes with user info
11/13/2012 20:14:18.470 (2303): Merging profile info with user info
11/13/2012 20:14:18.470 (2303): Comparing checklist items with user/profile items
11/13/2012 20:14:18.470 (2303): Appending echo values, if any
11/13/2012 20:14:18.470 (2303): User FOOBAR.0050.56BD.0035 being passed to attribute
editing authentication methods
11/13/2012 20:14:18.470 (2303): Class subattribute: DistName : String Value =
FOOBAR.0050.56BD.0035
11/13/2012 20:14:18.470 (2303): Class subattribute: AuthType : String Value = 0
11/13/2012 20:14:18.471 (2303): Class subattribute: TransactionId : Value =
11/13/2012 20:14:18.471 (2303): 000: fa bf d0 84 6f 8b 91 50 00 00 00 0e
|....o..P.... |
11/13/2012 20:14:18.471 (2303): Sent accept response for user FOOBAR.0050.56BD.0035 to
client MX
11/13/2012 20:14:18.471 (2303): -----------------------------------------------------11/13/2012 20:14:18.471 (2303): Authentication Response
11/13/2012 20:14:18.471 (2303): Packet Code=0x02 Id=0x7f
11/13/2012 20:14:18.471 (2303): Vector =
11/13/2012 20:14:18.471 (2303): 000: 55 88 9b 87 b7 c2 97 27 cb cd 0f 8d 3f f7 04 85
|U......'....?...|
11/13/2012 20:14:18.471 (2303): Class : Value =
11/13/2012 20:14:18.471 (2303): 000: 53 42 52 32 43 4c fd af fa 88 a7 ea ff d0 c2 80
|SBR2CL..........|
11/13/2012 20:14:18.471 (2303): 010: 11 80 34 01 80 02 81 98 80 02 80 18 81 a3 93 e9
|..4.............|
11/13/2012 20:14:18.471 (2303): 020: f4 92 85 a4 ae 98 8c 86 d3 81 b8 ea b6 a1 91 85
|................|
11/13/2012 20:14:18.471 (2303): 030: e3 81 c0 e6 b5 12 80 0e 81 fd af fa 88 a3 be 97
|................|
11/13/2012 20:14:18.471 (2303): 040: 91 a8 80 80 80 80 b8
47
48
|....... |
11/13/2012 20:14:18.471 (2303): Unisphere-Egress-Policy-Name : String Value = police2M
11/13/2012 20:14:18.471 (2303): Unisphere-Ingress-Policy-Name : String Value = police2M
11/13/2012 20:14:18.471 (2303): ------------------------------------------------------11/13/2012 20:14:18.471 (2303): ------------------------------------------------------11/13/2012 20:14:18.471 (2303): Authentication Response
11/13/2012 20:14:18.471 (2303): Sent to IpAddr=10.10.10.101 Port=62354
-----------------------------------------------11/13/2012 20:14:18.634 (2211): Accounting Request
11/13/2012 20:14:18.634 (2211): Received from IpAddr=10.10.10.101 Port=62354
11/13/2012 20:14:18.634 (2211): ------------------------------------------------------11/13/2012 20:14:18.634 (3589): Looking up shared secret
11/13/2012 20:14:18.634 (3589): Looking for RAS client 10.10.10.101 in DB
11/13/2012 20:14:18.634 (3589): Matched 10.10.10.101 to RAS client MX
11/13/2012 20:14:18.634 (3589): Parsing request
11/13/2012 20:14:18.634 (3589): Initializing cache entry
11/13/2012 20:14:18.635 (3589): Doing inventory check on request
11/13/2012 20:14:18.635 (3589): Class subattribute: AuthType : String Value = 0
11/13/2012 20:14:18.635 (3589): Class subattribute: DistName : String Value =
FOOBAR.0050.56BD.0035
11/13/2012 20:14:18.635 (3589): Class subattribute: TransactionId : Value =
11/13/2012 20:14:18.635 (3589): 000: fa bf d0 84 6f 8b 91 50 00 00 00 0e
|....o..P.... |
11/13/2012 20:14:18.635 (3589): Getting client product information
11/13/2012 20:14:18.635 (3589): NAS-IP-Address in request: 10.10.10.101
11/13/2012 20:14:18.635 (3589): Setting data types
11/13/2012 20:14:18.635 (3589): ------------------------------------------------------11/13/2012 20:14:18.635 (3589): Accounting Request
11/13/2012 20:14:18.635 (3589): Received from IpAddr=10.10.10.101 Port=62354
11/13/2012 20:14:18.635 (3589): Packet Code=0x04 Id=0x80
11/13/2012 20:14:18.635 (3589): Client Name="MX"
11/13/2012 20:14:18.635 (3589): Dictionary Name="unisphereMX11-2.dct"
11/13/2012 20:14:18.635 (3589): Vector =
11/13/2012 20:14:18.635 (3589): 000: 62 67 8d 03 ff a5 31 f2 56 60 b1 0b 78 3b b5 84
|bg....1.V`..x;..|
11/13/2012 20:14:18.635 (3589): Parsed Packet :
11/13/2012 20:14:18.635 (3589): User-Name : String Value = foobar.0050.56bd.0035
11/13/2012 20:14:18.635 (3589): Acct-Status-Type : Integer Value = 1
11/13/2012 20:14:18.635 (3589): Acct-Session-Id : String Value = 21
11/13/2012 20:14:18.635 (3589): Service-Type : Integer Value = 2
11/13/2012 20:14:18.635 (3589): Acct-Authentic : Integer Value = 1
11/13/2012 20:14:18.635 (3589): Acct-Delay-Time : Integer Value = 0
11/13/2012 20:14:18.635 (3589): Class : Value =
11/13/2012 20:14:18.635 (3589): 000: 53 42 52 32 43 4c fd af fa 88 a7 ea ff d0 c2 80
|SBR2CL..........|
11/13/2012 20:14:18.635 (3589): 010: 11 80 34 01 80 02 81 98 80 02 80 18 81 a3 93 e9
|..4.............|
11/13/2012 20:14:18.635 (3589): 020: f4 92 85 a4 ae 98 8c 86 d3 81 b8 ea b6 a1 91 85
|................|
11/13/2012 20:14:18.635 (3589): 030: e3 81 c0 e6 b5 12 80 0e 81 fd af fa 88 a3 be 97
|................|
11/13/2012 20:14:18.635 (3589): 040: 91 a8 80 80 80 80 b8
|....... |
11/13/2012 20:14:18.635 (3589): Unisphere-Dhcp-Options : Value =
11/13/2012 20:14:18.635 (3589): 000: 35 01 01 3d 07 01 00 50 56 bd 00 35 0c 07 53 52
|5..=...PV..5..SR|
11/13/2012 20:14:18.635 (3589): 010: 43 2d 50 43 32 3c 08 4d 53 46 54 20 35 2e 30 37
|C-PC2<.MSFT 5.07|
11/13/2012 20:14:18.635 (3589): 020: 0c 01 0f 03 06 2c 2e 2f 1f 21 79 f9 2b
|.....,./.!y.+ |
11/13/2012 20:14:18.635 (3589): Unisphere-Dhcp-Mac-Addr : String Value =
0050.56bd.0035
11/13/2012 20:14:18.635 (3589): Unisphere-Egress-Policy-Name : String Value = police2M
11/13/2012 20:14:18.635 (3589): Event-Timestamp : Integer Value = 1352839139
11/13/2012 20:14:18.635 (3589): Framed-IP-Address : IPAddress = 10.10.10.58
11/13/2012 20:14:18.635 (3589): Framed-IP-Netmask : IPAddress = 255.255.255.0
11/13/2012 20:14:18.635 (3589): Unisphere-Ingress-Policy-Name : String Value = police2M
11/13/2012 20:14:18.635 (3589): NAS-Identifier : String Value = Camlab
11/13/2012 20:14:18.635 (3589): NAS-Port : Integer Value = 536875007
11/13/2012 20:14:18.635 (3589): NAS-Port-ID : String Value = ge-2/2/0.0
11/13/2012 20:14:18.635 (3589): NAS-Port-Type : Integer Value = 15
11/13/2012 20:14:18.635 (3589): NAS-IP-Address : IPAddress = 10.10.10.101
11/13/2012 20:14:18.635 (3589): ------------------------------------------------------11/13/2012 20:14:18.635 (3589): Accounting packet not from cluster
11/13/2012 20:14:18.635 (3589): Determining if this RADIUS should act as a proxy
11/13/2012 20:14:18.635 (3589): ProcessAccountingRequest: new-style class attribute
contains dn FOOBAR.0050.56BD.0035.
11/13/2012 20:14:18.635 (3589): Creating new CST record with Class attribute
11/13/2012 20:14:18.636 (3589): SessionDbc (INFO): UniqueSessionId is based on
assigned IP address + 12 bytes of 0
11/13/2012 20:14:18.636 (3589): Sending accounting start response to client MX
11/13/2012 20:14:18.636 (3589): -------------------------------------------------------11/13/2012 20:14:18.636 (3589): Accounting Response
11/13/2012 20:14:18.636 (3589): Packet Code=0x05 Id=0x80
11/13/2012 20:14:18.636 (3589): Vector =
11/13/2012 20:14:18.636 (3589): 000: 97 44 72 ab b6 0f 09 29 83 86 6d fe ac 11 be 84 |.
Dr....)..m.....|
11/13/2012 20:14:18.636 (3589): ------------------------------------------------------11/13/2012 20:14:18.636 (3589): ------------------------------------------------------11/13/2012 20:14:18.636 (3589): Accounting Response
11/13/2012 20:14:18.636 (3589): Sent to IpAddr=10.10.10.101 Port=62354
11/13/2012 20:14:18.636 (3589):
11/13/2012 20:14:18.636 (3589): Raw packet dump :
11/13/2012 20:14:18.636 (3589): 000: 05 80 00 14 97 44 72 ab b6 0f 09 29 83 86 6d fe
|.....Dr....)..m.|
11/13/2012 20:14:18.636 (3589): 010: ac 11 be 84
49
50
|.... |
11/13/2012 20:14:18.636 (3589): -------------------------------------------------------11/13/2012 20:14:18.636 (3589): Packet containing 20 bytes successfully sent on local
UDP port 37619 to target 10.10.10.101
Summary
This chapter has introduced the Steel Belted Radius basic configuration
for authorizing a DHCP subscriber on the MX. It has also shown how
to pass attributes from SBR back to the MXs dynamic profile using
VSAs in SBR and $junos variables in the MX, and has further attempted to show the various logging points in both SBR and the MX, which
can be useful in debugging configuration errors.
The Chapter 4 introduces RADIUS CoA and shows how the $junos
variable within the MX can be modified using CoA.
Chapter 4
Basic CoA Setup Using SBR GUI
Current Session Table and Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
CoA Packing Lists and Controlled Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
XML Tags in DeviceModels.xml . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Initiating a CoA from SBR Admin GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Testing the Configuration Debug Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
MX General-authentication-server Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
52
This current session table contains attributes that were in the accounting start, such as Framed-IP-Address, NAS-IP-Address, and Accounting-Session-ID. The accounting-session-ID is a number generated by
the MX to uniquely identify this session, and is stored in SBRs current
session table for use for purposes such as processing CoA requests.
request, but fields not available, like acct-session-id, are listed as not
available (n/a). This phantom record is short-lived, a default of 180
seconds, and is replaced by a session record when SBR receives the
accounting start message related to the phantom. The 180-second
lifespan is used to deal with SBR not receiving an accounting start in
certain scenarios. It ensures that phantom records dont create a
problem over time.
The CST is an important source of information when issuing CoA
commands. Returning to the SBR GUI, in the left hand navigation
panel, select Current Sessions and then click on the Query Execution
Query button. The default panel will search wildcard for user as
selected in Select by User.
The session listed here is the session generated from the Chapter 3. To
see the XML representation of this session, simply right click on the
session and select copy and then paste into a word processor the
following output should be seen with all of the associated attributes:
<sessionResults>
<sessionResult sequence="1">
<sessionData handle="0a0a0a33000000000000000000000000">
<attributes>
<attribute name="User-Name" sequence="1"
value="FOOBAR.0050.56BD.0035"/>
<attribute name="NAS-Port" sequence="2" value="536875007"/>
<attribute name="NAS-Port-Type" sequence="3" value="15"/>
<attribute name="Framed-IP-Address" sequence="4"
value="10.10.10.51"/>
<attribute name="Acct-Session-Id" sequence="5" value="14"/>
<attribute name="NAS-IP-Address" sequence="6" value="10.10.10.101"/>
<attribute name="NAS-Identifier" sequence="7" value="MX"/>
</attributes>
</sessionData>
<sessionRequest/>
<deviceResults>
<deviceResult device="MX" sequence="1">
<deviceRequest/>
<deviceResponse resultCode="00010100" resultMessage="request
completed successfully"/>
</deviceResult>
</deviceResults>
<sessionResponse resultCode="00010100" resultMessage="request completed
successfully"/>
</sessionResult>
</sessionResults>
On the right-hand side of the GUI, there are action buttons, three of
which are labeled Boost10M, Boost5M, and Boost2M. These buttons
are used to invoke a CoA from the GUI panel. Defining these buttons
is covered in the next section.
53
54
<action name="disconnect">
<RADIUSRequest description="RFC 3576 Disconnect Message" code="DM"
portName="RFC3576">
<attributes>
<requiredAttribute name="Acct-Session-Id"/>
</attributes>
<onSuccess>
<!--this device does not send Stop when we knock someone off
-->
<sessionStop description="Simulated Session Stop"/>
</onSuccess>
<onFailure>
<!--assume bad session record -->
<sessionStop description="Cleaning Session Database"/>
</onFailure>
<onTimeout/>
</RADIUSRequest>
</action>
<action name="Boost10M" description="boost sub to 10M down">
<RADIUSRequest code="CoA" portName="RFC3576">
<attributes>
<requiredAttribute name="Acct-Session-Id"/>
<overrideAttribute name="Unisphere-egress-policy-name"
value="police-10M"/>
</attributes>
</RADIUSRequest>
</action>
<action name="Boost5M" description="boost sub to 5M down">
<RADIUSRequest code="CoA" portName="RFC3576">
<attributes>
<requiredAttribute name="Acct-Session-Id"/>
<overrideAttribute name="Unisphere-egress-policy-name"
value="police-5M"/>
</attributes>
</RADIUSRequest>
</action>
<action name="Boost2M" description="boost sub to 2M down">
<RADIUSRequest code="CoA" portName="RFC3576">
<attributes>
<requiredAttribute name="Acct-Session-Id"/>
<overrideAttribute name="Unisphere-egress-policy-name"
value="police-2M"/>
</attributes>
</RADIUSRequest>
</action>
</actions>
You can see in this file snippet that the XML begins with the controlled
device name and Make or Model, which corresponds to what was
previously configured for the MX in SBRs Add RADIUS Clients. Each
device that needs CoA support must have definitions in this file. Next,
you can see the port used for CoA 3799 is defined. This can be
changed per controlled device, but just make sure both sides are
changed. (Currently there is no way to change the CoA port on the
MX it defaults to 3799.) The last parts of the controlled device
configuration are the actions to be performed on this device.
The actions, which are defined, appear in the SBR GUI when Current
Session is selected, and the actions of interest here are Boost10M,
Boost5M, and Boost2M. Each action should be self explanatory, and
55
56
The XML tags are interpreted by the CoA subsystem within SBR to
process the CoA. The first tag, action name, is used as a display name
and a request action name when using the XML over https API in
Chapter 5.
RADIUSRequest code in this packing list is CoA, it can also be DM for
disconnect, or POD for Ciscos Packet of Disconnect.
The attributes section is where you define the attributes that need to be
sent, but more importantly, SBR should get the value from there.
When SBR processes a request for CoA, the attributes can be sent in
the request, they can come from the current session table, or they can
be in both when it is necessary to specify which value to use. The term
requiredAttribute must either be included in the request, in static value,
or found in the CST. In our example, the attribute must be found in the
CST since no value is specified.
overrideAttribute specifies that SBR must use this value in the
example police-5M. This must be specified as override since the
CST may have the previous policy-name in its CST, and it needs
to be overridden with police-5M.
defaultAttribute is the final tag that we are not using in the
example. This tag is used when you dont want a request to fail if
a value is not found in the CST or in the request. SBR would only
substitute the value in defaultAttribute for the request if this is
the case.
Other tags are that can be used in packing lists are documented in the
SBR Administrators Guide, but for our basic CoA and DM the above
should be sufficient.
NOTE
To send the CoA requests, SBR must know the IP address of the MX,
but this information is automatically taken from the CST so it does not
need to be defined in deviceModels.xml.
At this point you should close the SBR GUI, quit, and then restart SBR
with the ./sbrd restart and then launch the GUI again from
http://<SBR-IP-address>:1812. If the deviceModels.xml file was
configured correctly, the following should be seen in the panel for your
current session:
57
58
Launch a query for sessions as shown here, and the right hand panel
should show all actions available for sessions including the new Boost
actions.
Before launching the CoA, lets view the session and associated firewall
filters on the MX:
root@Camlab> show subscribers
Interface IP Address/VLAN IDUser NameLS:RI
demux0.1073741828 10.10.10.53foobar.0050.56bd.0035 default:default
root@Camlab> show firewall
Filter: __default_bpdu_filter__
Filter: police-2M-demux0.1073741828-in
Policers:
Name Bytes Packets
2M-all-demux0.1073741828-in 0 0
Filter: police-2M-demux0.1073741828-out
Policers:
Name Bytes Packets
2M-all-demux0.1073741828-out 0 0
root@Camlab>
The show command shows the session is active along with the RADIUS-initiated firewall filters police-2M.
Now lets initiate a Boost10M CoA. In the SBR GUI simply highlight
the session and click on Boost10M, and the following window should
appear.
As a final check, go back to the MX, and look at the firewall to see if
the police-10M filter has been set on the egress. Mission accomplished.
root@Camlab> show firewall
Filter: __default_bpdu_filter__
Filter: police-2M-demux0.1073741828-in
Policers:
Name Bytes Packets
2M-all-demux0.1073741828-in 0 0
59
60
Filter: police-10M-demux0.1073741828-out
Policers:
Name Bytes Packets
10M-all-demux0.1073741828-out 0 0
root@Camlab>
This next log section shows what SBR has retrieved from the CST all
of the attributes associated with the session. As described earlier, the
only attribute needed for the packing list is the Acct-Session-ID, but
SBR also needs to know the NAS-IP-Address, so it can finally send the
CoA along with the shared secret for this NAS:
11/06/2012
11/06/2012
11/06/2012
11/06/2012
11/06/2012
11/06/2012
bytes)
11/06/2012
11/06/2012
11/06/2012
bytes)
11/06/2012
11/06/2012
11/06/2012
11/06/2012
11/06/2012
11/06/2012
11/06/2012
20:00:21.110
20:00:21.110
20:00:21.111
20:00:21.111
20:00:21.111
20:00:21.111
(2140):
(2140):
(2140):
(2140): ++++++ Request for individual session ++++++
(2140): Request
(2140): (String ) User-Name = 'FOOBAR.0050.56BD.0035' (21
(2140):
(2140):
(2140):
(2140):
(2140):
(2140):
(2140):
This next log shows the actual request with the Acct-Session-ID filled
in from the previous log section, along with the override attribute
Unishphere-Egress-Policy-Name set to police-10M:
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
10M' (10 bytes)
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
'MX:RFC3576'
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
1352250024
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
11/06/2012 20:00:21.111
target
11/06/2012 20:00:21.111
11/06/2012 20:00:21.261
11/06/2012 20:00:21.261
(2140):
(2140):
(2140):
(2140):
(2121):
(10122): received proxy response at time 1352250021
(2121):
And this final log output shows the results returned from the MX:
Transaction Result = session control request successful.
11/06/2012 20:00:21.261 (2121): ++++++ Response received from device ++++++
11/06/2012 20:00:21.261 (2121): Transaction Result = session control request
successful
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121): ------ End Response received from device -----11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121): ++++++ Response for individual session ++++++
11/06/2012 20:00:21.261 (2121): Transaction Result = session control request
successful
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121): ------ End Response for individual session -----11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121): Action 'CoA' was completed against device 'MX' with
result: 'session control request successful'.
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121): ++++++ Begin Session Results ++++++
11/06/2012 20:00:21.261 (2121): Result = 'session control request successful'
11/06/2012 20:00:21.261 (2121): Device 'MX'
11/06/2012 20:00:21.261 (2121): Attributes:
61
62
11/06/2012 20:00:21.261 (2121): ------ End Session Results -----11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121): ++++++ Begin Device Results ++++++
11/06/2012 20:00:21.261 (2121): Cached Session Attributes:
11/06/2012 20:00:21.261 (2121): User-Name = 'FOOBAR.0050.56BD.0035'
11/06/2012 20:00:21.261 (2121): NAS-Port = '536875007'
11/06/2012 20:00:21.261 (2121): NAS-Port-Type = '15'
11/06/2012 20:00:21.261 (2121): Framed-IP-Address = '10.10.10.53'
11/06/2012 20:00:21.261 (2121): Acct-Session-Id = '16'
11/06/2012 20:00:21.261 (2121): NAS-IP-Address = '10.10.10.101'
11/06/2012 20:00:21.261 (2121): NAS-Identifier = 'MX'
11/06/2012 20:00:21.261 (2121): Action 'CoA' Attributes:
11/06/2012 20:00:21.261 (2121): Required: <requiredAttribute name="Acct-SessionId" copyFrom="Acct-Session-Id"/>
11/06/2012 20:00:21.261 (2121): Override: <overrideAttribute name="Unisphereegress-policy-name" copyFrom="Unisphere-egress-policy-name" value="police-10M"/>
11/06/2012 20:00:21.261 (2121): Device Response Attributes:
11/06/2012 20:00:21.261 (2121): ------ End Device Results -----11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121): ++++++ Response sent to user ++++++
11/06/2012 20:00:21.261 (2121): Transaction Result = session control request
successful
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121): ------ End Response sent to user -----11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.261 (2121):
11/06/2012 20:00:21.262 (2207): MCB notification in admin session; callback
11/06/2012 20:00:21.262 (2207): resuming stream
MX General-authentication-server Log
The next step in debugging is to look at the logs in the MX, once again
using the general-authentication-server log from Chapter 3. The
general-authentication-server log shows receipt of the CoA message
and the attributes present in the message.
root@Camlab> monitor start authd
*** authd ***
Nov 6 20:26:24 jnp_RADIUS_disconnect_udp_callback parse AVP in disconnect req
datagram_len 42 req_attributes_len 22 current_offset 0
Nov 6 20:26:24
============ CoA/Disconnect Callback =================
Nov 6 20:26:24 dyn_req_disconnect_cb attributes remote_addr:(10.10.10.102) remote_
port:(33991), rtbl_idx:(0)
Nov 6 20:26:24 received in AVP disconnect req type:44 val:16 len:2
Nov 6 20:26:24 received in AVP disconnect req type:26 val: len:16
Nov 6 20:26:24 authd_map_ssh_attribute No Mapping for attribute :26
Nov 6 20:26:24 authd_extract_RADIUS_disconnect_avps Unhandled attribute
Nov 6 20:26:24 authd_verify_request_context: authenticating context LS: <default>;
RI: <default>
Nov 6 20:26:24 RADIUS-access-reject: Egress-Policy-Name (Juniper-ERX-VSA) received:
police-10M
Nov 6 20:26:24 dyn_req_disconnect_cb server_id (10.10.10.102) (10.10.10.102)
port(33991) (33991) cookie :4
Nov 6 20:26:24 retrieveUndoInformation: junos-output-filter police-10M
Nov 6 20:26:24
====== Dynamic Service Request =======
Nov 6 20:26:24 setDynamicProfileUpdateFailCause: dynamicProfileUpdateResult 1
Nov 6 20:26:24 AuthFsm::current state=AuthStateActive(9) event=35 astEntry=0x8c6042c
aaa msg=0
Nov 6 20:26:24 Auth-FSM: Updating attributes in the client's dynamic profile for
session-id:16
Nov 6 20:26:24 updateSdbDynamicAttributes: do: name: junos-output-filter value:
police-10M encoding: 0
Nov 6 20:26:24 Instantiating a Dynamic-Service:IPDemux for service session:16 for
subscriber:16 config-bits:0x80007 0 0 0 0
Nov 6 20:26:24 Auth-FSM: GRES-Mirror for session-id:16
state:AuthProfileUpdateWait(11)
Nov 6 20:26:24
Dynamic Service Handler
Nov 6 20:26:24 authd_auth_aaa_msg_destroy
Nov 6 20:26:24 authd_auth_aaa_msg_destructauth_aaa_msg: 0x8b265c4
Nov 6 20:26:24 dyn_req_disconnect_cb dyn_result :1
Nov 6 20:26:24 smm_response_handle_callback
Nov 6 20:26:24 Ack/Nack from dyn-prof-lib for session: 16. result-code:0
Nov 6 20:26:24 authFsmExecute: AUTH_PROFILE_UPDATE_ACK/NAK
Nov 6 20:26:24 AuthFsm::current state=AuthProfileUpdateWait(11) event=36
astEntry=0x8c6042c aaa msg=0
Nov 6 20:26:24 Auth-FSM: Handle client's dynamic profile update Ack. session-id:16
Nov 6 20:26:24 Auth-FSM: GRES-Mirror for session-id:16 state:AuthStateActive(9)
Nov 6 20:26:24 Sending Service Processed Response
Nov 6 20:26:24
====== Dynamic Service Response =======
Nov 6 20:26:24 smmResponseHandler 0
Nov 6 20:26:24 authd_build_aaa_request: Found dynRequest with cause 0
Nov 6 20:26:24 authd_dynreq_async_disconnect_send username:(foobar.0050.56bd.0035)
result:(1)
Nov 6 20:26:24 cookie:(4) server_id:(10.10.10.102) port(33991)remote_
addr:(10.10.10.102) remote_port:(33991)
Nov 6 20:26:24 authd_auth_aaa_msg_destroy
Nov 6 20:26:24 authd_auth_aaa_msg_destructauth_aaa_msg: 0x8b265c4
Nov 6 20:26:24 cleanServiceList: numRequests 0
Nov 6 20:26:24 ~DynamicRequestEntry
Summary
This chapter covered the SBR configuration required to initiate CoA
commands to change firewall filters on active sessions. The concept of
packing lists of attributes needed for firewall filter changes, the XML
format of deviceModels.xml, and the tagging of attributes within the
file were all detailed.
63
64
Also examined was how SBR retrieves the information needed to fill
out a CoA request from both the deviceModels.xml file and from the
current session table. Finally, it was noted that SBR and MX logging
can be helpful in debugging configuration errors.
With those concepts understood, lets put it all to use with self-service
portal that can now be developed using the SBRs XML over an
HTTPS API to allow an external web host to issue the same CoA
commands as the SBR GUI.
Chapter 5
Simple Web Portal
Loading XAMPP and the Startup of Apache on Windows. . . . . . . . . . . . . . . 67
Scripting the Self Service Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
radioButton.php and XML Envelopes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Testing the Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
SBR Logs for XML API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
66
Supported Juniper Networks Vendor-specific Attributes (VSAs) for Use with CoA
VSA
Attribute
Ingress-Policy-Name
Egress-Policy-Name
IGMP-Enable
LI-Action
Med-Dev-
Service-Statistics
IGMP-Access-Group-Name
MP-Access-Source-Group-Name
MLD-Access-Group-Name
MLD-Access-Source-Group-Name
MLD-Version
IGMP-Version
IGMP-Immediate-Leave
MLD-Immediate-Leave
IPv6-Ingress-Policy-Name
IPv6-Egress-Policy-Name
CoS-Shaping-Pmt-Type
Interface-Set-Name
Service-Interim-Acct-Interval
CoS-Scheduler-Pmt-Type
In this book, the focus is on changing the egress firewall filter, however,
if you examine the attribute list in Table 5.1, its clear that many other
actions can be performed. For the use case for this book, the subscriber
connects to the portal and the portal uses the IP address of the subscriber as the search criteria for the session in SBR. The portal has a simple
radio button selection for 2 M, 5M, or 10M service, as defined in deviceModels.xml (Chapter 4). Selecting the radio button will issue the XML
request to SBR using the API. As you can see, the web portal is very
simple:
67
68
After the installation is complete, XAMPP comes with a control panel that
must be started. The control panel allows quick and easy restarting of the
Apache service. To test Apache quickly, click on Start, and then using your
browser, type localhost in the Navigation Toolbar, and the XAMPP startup
window should appear.
NOTE
NOTE
Firewalls can also block Apache if theres issues starting or communicating with Apache, you might want to check here.
MORE? If you still have issues getting Apache to run, searching for your
problem in the XAMPP FAQ often can resolve it: http://www.apachefriends.org/en/faq-xampp.html.
69
70
The first line is used to set the $ip variable equal to the IP address of the
client coming to the web page, and the second line is the host name set
to $hostaddress, if available. These are displayed on the web page
using:
print
print
print
print
?>
"<strong>Hello:</strong><br />\n";
"$ip<br /><br />\n";
"<strong>Also Known as:</strong><br />\n";
"$hostaddress<br /><br />\n";
Finally, the order.php file is just the web page, including the line:
<FORM name="form" Method="Post" ACTION="radioButton.php"
This calls another script called radioButton.php, where the actual XML
over HTTPS API call is made. This ACTION sends the value associated
with the selected radio button to the radioButton.php script. The
values being Bronze, Silver or Gold, which equal firewall filters
police-2M, police-5M, and police-10M .
<input type="radio" align="abdmiddle" name="group1" value="Bronze">
Basic 2M
Service<br>
<input type="radio" align="absmiddle" name="group1" value="Silver" checked> Premium
5M Service<br>
<input type="radio" align="absmiddle" name="group1" value="Gold"> Ultimate 10M
Service<br><br>
<input type="submit" value="submit"><br><br><br>
variables and are part of radioButton.php. The file could be simplified, but
for ease of reading, they are listed individually. An XML envelope for the
API must be in the following format:
<envelope>
<header />
<body>
<request action='Boost10M'>
<attributes>
<attribute enabled='true' name='Framed-IP-Address'
value='$ip'/>
</attributes>
</request>
</body>
</envelope>
71
72
?>
73
74
If you select the Ultimate 10M Service radio button and submit the
resulting page should be as follows:
The radiobutton.php script will print the selected radio button from
the order.php page and also print in bold, Please Enjoy your new
service. Very cool.
12/06/2012 17:09:53.356
12/06/2012 17:09:53.356
12/06/2012 17:09:53.356
12/06/2012 17:09:53.356
reques|
12/06/2012 17:09:53.356
HTTP/1.1..Aut|
12/06/2012 17:09:53.356
Basi|
12/06/2012 17:09:53.356
cm9vdDpDYW1sYW|
12/06/2012 17:09:53.356
(2196):
(2196):
(2196):
(2196):
75
76
Host: 10|
12/06/2012 17:09:53.356
|.10.10.102:1813.|
12/06/2012 17:09:53.356
*/*..Co|
12/06/2012 17:09:53.356
Length: 19|
12/06/2012 17:09:53.356
Type:|
12/06/2012 17:09:53.356
application/x-w|
12/06/2012 17:09:53.356
urlencod|
12/06/2012 17:09:53.356
|ed....<envelope>|
12/06/2012 17:09:53.356
/>..<b|
12/06/2012 17:09:53.356
|ody>..<request a|
12/06/2012 17:09:53.356
|ction='Boost10M'|
12/06/2012 17:09:53.356
|>..<attributes>.|
12/06/2012 17:09:53.356
enab|
12/06/2012 17:09:53.356
name=|
12/06/2012 17:09:53.356
Addre|
12/06/2012 17:09:53.356
value='10.10|
12/06/2012 17:09:53.356
|.10.51'/>..</att|
12/06/2012 17:09:53.356
requ|
12/06/2012 17:09:53.356
body>..<|
12/06/2012 17:09:53.356
|
12/06/2012 17:09:53.356
12/06/2012 17:09:53.356
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
12/06/2012 17:09:53.376
user 'root'
12/06/2012 17:09:53.376
12/06/2012
12/06/2012
12/06/2012
12/06/2012
12/06/2012
bytes)
12/06/2012
17:09:53.376
17:09:53.377
17:09:53.377
17:09:53.377
17:09:53.377
(2196):
(2104):
(2104):
(2104):
(2104):
pausing stream
++++++ Request received from user ++++++
Request
(IP Address) Framed-IP-Address = '10.10.10.51' (4
In the raw request, the action Boost10M is identified along with the
actual request for Framed-IP-Address 10.10.10.51. The next section of
the log shows that the API looks up the attributes associated with the
Framed-IP-Address in the current session table:
12/06/2012
12/06/2012
12/06/2012
bytes)
12/06/2012
12/06/2012
12/06/2012
bytes)
12/06/2012
12/06/2012
12/06/2012
12/06/2012
(2104):
(2104):
(2104):
(2104):
Once SBR has looked up the session and can resolve the Acct-SessionId, it processes the CoA message using the packing list in deviceModels.xml. And youll see in the end, that the request is successful:
12/06/2012 17:09:53.377 (2104): ++++++ Request sent to device ++++++
12/06/2012 17:09:53.377 (2104): Change of Authorization Request Packet
12/06/2012 17:09:53.377 (2104): (String ) Acct-Session-Id = '48' (2 bytes)
12/06/2012 17:09:53.377 (2104): (String ) Unisphere-Egress-Policy-Name = 'police10M' (10 bytes)
12/06/2012 17:09:53.377 (2104): ------ End Request sent to device -----12/06/2012 17:09:53.377 (2104):
12/06/2012 17:09:53.377 (2104):
12/06/2012 17:09:53.377 (2104): started RADIUS request against target
'MX:RFC3576'
12/06/2012 17:09:53.377 (2084): formatting proxy request for target number 0
12/06/2012 17:09:53.377 (2084): proxy work has next scheduled send at time
1354831796
12/06/2012 17:09:53.377 (2084): calculated delay is 3000
12/06/2012 17:09:53.377 (2084): proxy target sequence processing:
12/06/2012 17:09:53.377 (2084): considering reference 0 =
target 0
12/06/2012 17:09:53.377 (2084): considering sending to
target 0
12/06/2012 17:09:53.377 (2084): not yet fast fail, wait for
response from this target
12/06/2012 17:09:53.377 (2084):
12/06/2012 17:09:53.385 (3107): received proxy response at time 1354831793
77
78
12/06/2012
12/06/2012
12/06/2012
successful
12/06/2012
12/06/2012
17:09:53.385 (2084):
17:09:53.385 (2084): ++++++ Response received from device ++++++
17:09:53.385 (2084): Transaction Result = session control request
17:09:53.385 (2084):
17:09:53.385 (2084): ------ End Response received from device ------
Finally, after a successful CoA against the MX, the MX sends a new
Acct Interim message with the new Egress-Policy-Name. Acct Interim
is Acct-Status-Type = 3, as bolded below:
12/06/2012 17:12:16.682
-----12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
|N.L.P..}.'.G.dN[|
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
|SBR2CL..........|
12/06/2012 17:12:16.682
|..4.............|
12/06/2012 17:12:16.682
|................|
12/06/2012 17:12:16.682
|................|
12/06/2012 17:12:16.682
|....... |
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
|5..=...PV..5..SR|
12/06/2012 17:12:16.682
|C-PC2<.MSFT 5.07|
12/06/2012 17:12:16.682
|.....,./.!y.+ |
12/06/2012 17:12:16.682
0050.56bd.0035
12/06/2012 17:12:16.682
10M
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
12/06/2012 17:12:16.682
(3102): ----------------------------------------------------(3102):
(3102):
(3102):
(3102):
(3102):
(3102):
(3102):
Accounting Request
Received from IpAddr=10.10.10.101 Port=62354
Packet Code=0x04 Id=0xef
Client Name="MX"
Dictionary Name="unisphereMX11-2.dct"
Vector =
000: 4e d0 4c fb 50 0d c3 7d c2 27 c7 47 e0 64 4e 5b
(3102):
(3102):
(3102):
(3102):
(3102):
(3102):
(3102):
(3102):
(3102):
(3102):
Parsed Packet :
User-Name : String Value = foobar.0050.56bd.0035
Acct-Status-Type : Integer Value = 3
Acct-Session-Id : String Value = 48
Acct-Session-Time : Integer Value = 70806
Service-Type : Integer Value = 2
Acct-Authentic : Integer Value = 1
Acct-Delay-Time : Integer Value = 0
Class : Value =
000: 53 42 52 32 43 4c fd af fa 88 a7 ea ff d0 c2 80
(3102): 010: 11 80 34 01 80 02 81 98 80 02 80 18 81 a3 93 e9
(3102): 020: f4 92 85 a4 ae 98 8c 86 d3 81 b8 ea b6 a1 91 85
(3102): 030: e3 81 c0 e6 b5 12 80 0e 81 fd af fa 88 a1 c4 87
(3102): 040: c0 a8 80 80 80 80 9c
(3102): Unisphere-Dhcp-Options : Value =
(3102): 000: 35 01 01 3d 07 01 00 50 56 bd 00 35 0c 07 53 52
(3102): 010: 43 2d 50 43 32 3c 08 4d 53 46 54 20 35 2e 30 37
(3102): 020: 0c 01 0f 03 06 2c 2e 2f 1f 21 79 f9 2b
(3102): Unisphere-Dhcp-Mac-Addr : String Value =
(3102): Unisphere-Egress-Policy-Name : String Value = police(3102): Event-Timestamp : Integer Value = 1354815559
(3102): Framed-IP-Address : IPAddress = 10.10.10.51
(3102): Framed-IP-Netmask : IPAddress = 255.255.255.0
12/06/2012
2M
12/06/2012
12/06/2012
12/06/2012
12/06/2012
12/06/2012
12/06/2012
------
(3102):
(3102):
(3102):
(3102):
(3102):
(3102):
Summary
Congratulations, you made it to the end of the book! Hopefully you
grasp the fundamentals of how CoA can be used to affect the characteristics of a dynamic profile used in subscriber management on the
MX, in addition to how SBR can be used along with web services to
invoke those CoA requests.
You should also have learned some new debugging techniques using
log files on both SBR and the MX, as well as some techniques on how
to configure the SBR for various CoA actions, as a part of reading this
book..
Our intent was to get a simple self-service web portal active, which
allows a subscriber to change the characteristics of their session. There
are many other use cases that can be developed using the fundamentals
presented. For instance, that self-service portal could easily become a
provisioning system, a captive portal, or even become an external
system like a video-on-demand server that could issue CoAs to make
the subscriber session conform to the requirements of the server.
I couldnt cover it all, so please, use this book as a I didnt know I
could do that. And then get in the lab. As always, there is a lot more
technical documentation available on www.juniper.net/techpubs for you
to read through, as well as the companion Day One book to this one
Day One: Dynamic Subscriber Management.
I hope this book was helpful and that you have fun with this it. John Rolfe
79
80