We have a very similar setup (for some obvious reason) and it works just
fine. We use Framed-IP-Address. No other attributes are required.
What I suggest is that you try the "test aaa" command in the ERX and try
to test the login that way from the console and see what's going on.
-Gabe
On 08/15/2011 11:25 AM, Paul Stewart wrote:
Thanks very much.. I appreciate the input from the list.
The profile looks like this currently:
profile test
ip virtual-router default
ip unnumbered loopback 0
ip mtu 1492
ip sa-validate
ip tcp adjust-mss 1460
ppp authentication virtual-router default pap
ppp keepalive 120
ppp fragmentation
ppp reassembly
vlan auto-configure pppoe
Is there anything "obvious" wrong with this? I read in the docs somewhere
about an option to explicitly permit Radius to assign a subnet to a customer
- is there a similar statement required to statically assign a single host
address (bearing in mind that dynamic addresses are coming from a local
pool)
Would the ERX-Local-Interface be the Loopback0 interface in my case? It has
an IP address assigned to it that is reachable etc.
Thanks,
Paul
From: Chris Hellberg [mailto:[email protected]]
Sent: Saturday, August 13, 2011 8:56 AM
To: Paul Stewart; [email protected]
Subject: Re: [j-nsp] Radius - Static IP / ERX
It might be because you don't have an ERX-Local-Interface VSA present. If
that doesn't work, double-check that it's in your profile. There're one or
two unexpected cases that you need to have the unumbered loopback interface
information explicitly configured. The framed netmask shouldn't be needed.
Regards,
Chris
_____
From: Paul Stewart<[email protected]>
To: [email protected]
Sent: Friday, 12 August 2011, 1:35
Subject: Re: [j-nsp] Radius - Static IP / ERX
Thanks.. yeah the MTU statement is legacy and in place for some other Radius
authentications....;)
I thought our entries had the Framed-IP-Netmask in them so will have to
check again as you're right it's not there obviously... wouldn't think that
would stop the IP from getting assigned but could be wrong...
Take care,
Paul
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Chris Adams
Sent: August-11-11 2:26 PM
To: [email protected]
Subject: Re: [j-nsp] Radius - Static IP / ERX
Once upon a time, Paul Stewart<[email protected]> said:
Getting ready to cut an ERX into production shortly and the only thing not
working is static IP assignments via Radius. According to the docs, you
can
use "Framed-IP-Address" the same as we do in Cisco land today.. but it
doesn't' work.
Your example entry doesn't have a Framed-IP-Netmask set, which may be
required.
Also, Framed-MTU is pretty much useless; since PPP is already negotiated
before RADIUS authentication occurs, link MTU is already established
before your Framed-MTU entry can have any affect (this has always been
the case with PPP+RADIUS, but lots of examples show Framed-MTU anyway).
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
