Thanks for that... this is quite lengthy below, apologies for it being so long.
When I say "doesn’t work" this is what I have to share below. Juniper is
telling me that I should see the policy attached to the interface itself (which
seems strange to me given that it's on a per subscriber basis). When I get
connected I have no problems doing 100Mbs for sustained periods of time.
Appreciate it,
Paul
FreeRadius Configuration:
pstewart        Auth-Type = System
                Service-Type = Framed-User,
                Framed-IP-Address = xx.xxx.58.253,
                Framed-MTU = 1500,
                ERX-Ingress-Policy-Name = lite,
                ERX-Egress-Policy-Name = lite
Debug output:
DEBUG 10/06/2011 13:56:46 radiusClient: buildAuthRequest: building User Auth
Request
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ACCESS-REQUEST attributes
(default)
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: username attr added:
[email protected]
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-session-id attr
added: 0003145754
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: user-password attr added:
<value withheld>
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: service-type attr added: 2
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-protocol attr
added: 1
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: pppoe-description (vsa)
attr added: pppoe 00:22:19:f9:f1:b3
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: calling-station-id attr
added: #acc1.millbrook1#E14#80
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-type attr added:
15
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port attr added:
335544400
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-id attr added:
GigabitEthernet 1/4.80:80
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-ip-address attr added:
76.75.100.74
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-identifier attr added:
acc1.millbrook1
DEBUG 10/06/2011 13:56:46 radiusClient: sendPacket: RADIUS Access packet sent
(default)
DEBUG 10/06/2011 13:56:46 radiusClient: processGoodAuthResponse enter:
DEBUG 10/06/2011 13:56:46 radiusAttributes: USER ATTRIBUTES:
([email protected])
DEBUG 10/06/2011 13:56:46 radiusAttributes: service type attr: 2
DEBUG 10/06/2011 13:56:46 radiusAttributes: total eap message attr length = 0
DEBUG 10/06/2011 13:56:46 radiusAttributes: framed IP address attr:
xx.xxx.58.253
DEBUG 10/06/2011 13:56:46 radiusAttributes: ingress policy name (vsa)
attr: lite
DEBUG 10/06/2011 13:56:46 radiusAttributes: egress policy name (vsa) attr:
lite
DEBUG 10/06/2011 13:56:46 radiusAttributes: getStandardTunnelAttributes: No
tunnel type attributes found - skipping all other attributes
INFO 10/06/2011 13:56:46 aaaUserAccess: User: [email protected]; id:
GigabitEthernet 1/4.80:80, access granted
NOTICE 10/06/2011 13:56:46 ppp (interface GigabitEthernet1/4.80.1):
Authenticate grant - requestId = 14, sessionId = 3145754, message =
DEBUG 10/06/2011 13:56:46 radiusClient: buildAcctRequest: building User Acct
Request
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ACCOUNTING-REQUEST attributes
(default)
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-status-type attr
added: 1
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: username attr added:
[email protected]
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: event-timestamp attr
added: 1317909406
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-delay-time attr
added: 0
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-identifier attr added:
acc1.millbrook1
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-session-id attr
added: 0003145754
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-ip-address attr added:
xx.xx.100.74
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: service-type attr added: 2
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-protocol attr
added: 1
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-compression attr
added: 0
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: pppoe-description (vsa)
attr added: pppoe 00:22:19:f9:f1:b3
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-ip-address attr
added: xx.xxx.58.253
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-ip-netmask attr
added: 255.255.255.255
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ingress-policy-name (vsa)
attr added: lite
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: egress-policy-name (vsa)
attr added: lite
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: calling-station-id attr
added: #acc1.millbrook1#E14#80
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-type attr added:
15
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port attr added:
335544400
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-id attr added:
GigabitEthernet 1/4.80:80
DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-authentic attr added:
1
DEBUG 10/06/2011 13:56:46 radiusClient: buildAcctRequest: returning success
DEBUG 10/06/2011 13:56:46 radiusClient: sendPacket: RADIUS Acct packet sent
(default)
INFO 10/06/2011 13:56:46 ppp: Downstream buffer sent on slot 1
INFO 10/06/2011 13:56:46 ppp: Downstream buffer sent on slot 1
INFO 10/06/2011 13:56:46 ppp: Upstream buffer received on slot 1
INFO 10/06/2011 13:56:47 ppp: Downstream buffer sent on slot 1
INFO 10/06/2011 13:56:47 ppp: Downstream buffer sent on slot 1
acc1.millbrook1#show subscribers
Subscriber List
---------------
Virtual
User Name Type Addr|Endpt Router
------------------------ ----- -------------------- ------------
[email protected] ppp xx.xxx.58.253/radius default
User Name Interface
------------------------ --------------------------------
[email protected] GigabitEthernet 1/4.80:80
User Name Login Time Circuit Id
------------------------ ------------------- ----------------
[email protected] 11/10/06 09:56:46
User Name Remote Id
------------------------ ----------------
[email protected]
acc1.millbrook1#show ip route xx.xxx.58.253
Protocol/Route type codes:
I1- ISIS level 1, I2- ISIS level2,
I- route type intra, IA- route type inter, E- route type external,
i- metric type internal, e- metric type external,
P- periodic download, O- OSPF, E1- external type 1, E2- external type2,
N1- NSSA external type1, N2- NSSA external type2
L- MPLS label, V- VRF, *- via indirect next-hop
Prefix/Length Type Next Hop Dst/Met Interface
------------------ --------- --------------- ---------- -----------------------
xx.xxx.58.253/32 AccIntern 0.0.0.0 2/0 GigabitEthernet1/4.80.1
acc1.millbrook1#show classifier-list
Classifier Control List Table
---------- ------- ---- -----
IP lite.1 ip any any
acc1.millbrook1#show rate-limit-profile lite
Rate Limit Profile Table
---- ----- ------- -----
IP Rate-Limit-Profile: lite
Profile Type: one-rate
Reference count: 1
Committed rate: 128000
Committed burst: 50 milliseconds
Excess burst: 100 milliseconds
Mask: 255
Committed rate action: transmit
Conformed rate action: transmit
Exceeded rate action: drop
acc1.millbrook1#show policy-list lite
Policy Table
------ -----
IP Policy lite
Administrative state: enable
Reference count: 0
Classifier control list: lite, precedence 100
rate-limit-profile lite
forward
acc1.millbrook1#show ip interface gigabitEthernet1/4.80.1
GigabitEthernet1/4.80.1 line protocol Ppp is up, ip is up
Network Protocols: IP
Unnumbered Interface on loopback0
( IP address xx.xx.100.74 )
Operational MTU = 1380 Administrative MTU = 0
Operational speed = 1000000000 Administrative speed = 0
Discontinuity Time = 219518
Router advertisement = disabled
Proxy Arp = disabled
ARP spoof checking = enabled
Network Address Translation is disabled
TCP MSS Adjustment = disabled
Administrative debounce-time = disabled
Operational debounce-time = disabled
Access routing = enabled: Using xx.xxx.58.253
Multipath mode = hashed
Auto Configure = disabled
Auto Detect = disabled
Re-Authenticate Auto Detect = disabled
Append virtual-router name with DSI = disabled
Inactivity Timer = disabled
Use Framed Routes = disabled
Warm-restart initial-sequence-preference: Operational = 0 Administrative = 0
In Received Packets 261076, Bytes 234486612
Unicast Packets 259711, Bytes 234346269
Multicast Packets 1365, Bytes 140343
In Policed Packets 0, Bytes 0
In Error Packets 0
In Invalid Source Address Packets 0
In Discarded Packets 718
Out Forwarded Packets 262368, Bytes 242535813
Unicast Packets 262368, Bytes 242535813
Multicast Routed Packets 0, Bytes 0
Out Scheduler Dropped Packets 0, Bytes 0
Out Policed Packets 0, Bytes 0
Out Discarded Packets 1
queue 0: traffic class best-effort, bound to ip GigabitEthernet1/4.80.1
Queue length 0 bytes
Forwarded packets 262368, bytes 250406865
Dropped committed packets 0, bytes 0
Dropped conformed packets 0, bytes 0
Dropped exceeded packets 0, bytes 0
-----Original Message-----
From: Bjørn Mork [mailto:[email protected]]
Sent: Thursday, October 20, 2011 1:24 PM
To: Paul Stewart
Cc: [email protected]
Subject: Re: [j-nsp] FreeRadius/ERX Question
"Paul Stewart" <[email protected]> writes:
> We are trying to get a "lite profile" working on ERX platform for
> PPPOE clients. This would restrict their download/upload speeds on a
> per user basis via Radius attributes.
>
>
>
> I have a ticket running at JTAC now for a long time on this - they
> have now come back and told me I must run Unisphere attributes instead
> of ERX attributes from Radius. We are using FreeRadius FYI.
They are probably referring to their official Steel-Belted Radius dictionary,
which names the attributes like that. See e.g.
http://www.juniper.net/techpubs/software/junos/junos112/radius-dictionary/unisphereDictionary_for_JUNOS_v11-2.dct
(for some reason the JUNOSe dictionary links now require login while the
JUNOS dictionaries still can be downloaded by anyone, including the above
"vendorid 4874" one, which applies to both the ERX and the MX subscriber
platform. Strange).
> Am I doing something wrong here? I checked and all the dictionary
> files appear to be intact including those attributes . seems like a
> FreeRadius issue possibly.
The default FreeRADIUS dictionary uses the "ERX" prefix everywhere, regardless
of whether Juniper uses "Unisphere", "ERX" or the recent "Jnpr" prefix. I am
not sure which solution is least confusing. But I do not fancy having a mix of
vendor prefixes in the same vendor specific dictionary. And Terje started the
show by changing the "Unisphere" names to "ERX" in the first place. So when I
recently sent an update to FreeRADIUS for the attributes added in JUNOS 11.2, I
chose to continue using the ERX prefix despite Juniper using "Jnpr".
Anyway, if in doubt, check the actual attribute numbers.
> Anyone else doing something similar? Are you using these attributes?
> When we use ERX-Ingress-Policy-Name we can see the policy appearing on
> a debug with the ERX box but it doesn't work.
ERX-Ingress-Policy-Name is correct.
Define "doesn't work". It is supposed to work.
Bjørn
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
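
Following the advice in the thread to check the actual attribute numbers: an added example (not part of the original messages) that decodes the Vendor-Specific attributes in a RADIUS attribute section, so the vendor id and sub-attribute numbers can be compared with the dictionary whatever name prefix (ERX, Unisphere, Jnpr) is in use. The sample bytes are constructed, and the numbers 10 and 11 for the ingress and egress policy names are an assumption taken from FreeRADIUS's dictionary.erx, not from this thread.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type carrying VSAs
JUNIPER_ERX_VENDOR_ID = 4874  # "vendorid 4874" from the thread
# Sub-attribute numbers as listed in FreeRADIUS dictionary.erx (assumption:
# verify against the dictionary your server actually loads).
ERX_NAMES = {10: "Ingress-Policy-Name", 11: "Egress-Policy-Name"}

def iter_attributes(blob):
    """Yield (type, value) for each type/length/value attribute in blob."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2 or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = blob[pos], blob[pos + 1]
        yield atype, blob[pos + 2:pos + alen]
        pos += alen

def vendor_attributes(blob):
    """Return [(vendor_id, vendor_type, value_bytes)] for every VSA in blob."""
    found = []
    for atype, value in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("VSA too short to hold a vendor id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        # The vendor payload is itself a run of type/length/value sub-attributes.
        for vtype, vvalue in iter_attributes(value[4:]):
            found.append((vendor_id, vtype, vvalue))
    return found

def tlv(atype, value):
    return bytes([atype, len(value) + 2]) + value

def vsa(vendor_id, vtype, value):
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + tlv(vtype, value))

# Constructed sample: attribute section of an Access-Accept like the one above.
SAMPLE = (tlv(6, struct.pack("!I", 2))                  # Service-Type = 2
          + vsa(JUNIPER_ERX_VENDOR_ID, 10, b"lite")
          + vsa(JUNIPER_ERX_VENDOR_ID, 11, b"lite"))

if __name__ == "__main__":
    for vid, vtype, val in vendor_attributes(SAMPLE):
        name = ERX_NAMES.get(vtype, "unknown") if vid == JUNIPER_ERX_VENDOR_ID else "other vendor"
        print(f"vendor {vid} attr {vtype} ({name}) = {val.decode()}")
```
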