Thanks Gabe - really appreciate the feedback. I have been trying to avoid the service management license :) It definitely has a number of cool features though...
I have to question the cost of the service manager license into a platform that has 5 years or less left in it although it's really not expensive, it's just the point of it ;)

Take care,

Paul

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Gabriel Blanchard
Sent: Thursday, October 20, 2011 2:33 PM
To: [email protected]
Subject: Re: [j-nsp] FreeRadius/ERX Question

I would use the service manager. I've run into the same issue and I've never managed to make it work using the ingress/egress filters.

You can do some really cool things with it, such as adjusting a single pppoe session on the fly (without having the user disconnect) using radius initiated change of authorizations.

http://www.juniper.net/techpubs/software/erx/junose60/swconfig-broadband/html/radius-dynamic-request7.html

You can also redirect the user to a web page, again on the fly.. say they go over their usage limit

Here's a few examples

http://www.juniper.net/techpubs/en_US/junose9.3/information-products/topic-collections/broadband-access/service-definition-examples.html

Only thing is, you will need the service management license.

Gabriel Blanchard
Director, Information Technology
TekSavvy Solutions

On 11-10-20 01:40 PM, Paul Stewart wrote:
> Thanks for that... this is quite lengthy below, apologies for it being so
> long.
>
> When I say "doesn't work" this is what I have to share below. Juniper is
> telling me that I should see the policy attached to the interface itself
> (which seems strange to me given that it's on a per subscriber basis). When
> I get connected I have no problems doing 100Mbs for sustained periods of time.
>
> Appreciate it,
>
> Paul
>
>
> FreeRadius Configuration:
>
> pstewart Auth-Type = System
>     Service-Type = Framed-User,
>     Framed-IP-Address = xx.xxx.58.253,
>     Framed-MTU = 1500,
>     ERX-Ingress-Policy-Name = lite,
>     ERX-Egress-Policy-Name = lite
>
> Debug output:
>
> DEBUG 10/06/2011 13:56:46 radiusClient: buildAuthRequest: building User Auth Request
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ACCESS-REQUEST attributes (default)
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: username attr added: [email protected]
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-session-id attr added: 0003145754
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: user-password attr added:<value withheld>
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: service-type attr added: 2
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-protocol attr added: 1
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: pppoe-description (vsa) attr added: pppoe 00:22:19:f9:f1:b3
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: calling-station-id attr added: #acc1.millbrook1#E14#80
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-type attr added: 15
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port attr added: 335544400
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-id attr added: GigabitEthernet 1/4.80:80
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-ip-address attr added: 76.75.100.74
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-identifier attr added: acc1.millbrook1
> DEBUG 10/06/2011 13:56:46 radiusClient: sendPacket: RADIUS Access packet sent (default)
> DEBUG 10/06/2011 13:56:46 radiusClient: processGoodAuthResponse enter:
> DEBUG 10/06/2011 13:56:46 radiusAttributes: USER ATTRIBUTES: ([email protected])
> DEBUG 10/06/2011 13:56:46 radiusAttributes: service type attr: 2
> DEBUG 10/06/2011 13:56:46 radiusAttributes: total eap message attr length = 0
> DEBUG 10/06/2011 13:56:46 radiusAttributes: framed IP address attr: xx.xxx.58.253
> DEBUG 10/06/2011 13:56:46 radiusAttributes: ingress policy name (vsa) attr: lite
> DEBUG 10/06/2011 13:56:46 radiusAttributes: egress policy name (vsa) attr: lite
> DEBUG 10/06/2011 13:56:46 radiusAttributes: getStandardTunnelAttributes: No tunnel type attributes found - skipping all other attributes
> INFO 10/06/2011 13:56:46 aaaUserAccess: User: [email protected]; id: GigabitEthernet 1/4.80:80, access granted
> NOTICE 10/06/2011 13:56:46 ppp (interface GigabitEthernet1/4.80.1): Authenticate grant - requestId = 14, sessionId = 3145754, message =
> DEBUG 10/06/2011 13:56:46 radiusClient: buildAcctRequest: building User Acct Request
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ACCOUNTING-REQUEST attributes (default)
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-status-type attr added: 1
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: username attr added: [email protected]
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: event-timestamp attr added: 1317909406
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-delay-time attr added: 0
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-identifier attr added: acc1.millbrook1
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-session-id attr added: 0003145754
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-ip-address attr added: xx.xx.100.74
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: service-type attr added: 2
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-protocol attr added: 1
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-compression attr added: 0
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: pppoe-description (vsa) attr added: pppoe 00:22:19:f9:f1:b3
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-ip-address attr added: xx.xxx.58.253
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: framed-ip-netmask attr added: 255.255.255.255
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: ingress-policy-name (vsa) attr added: lite
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: egress-policy-name (vsa) attr added: lite
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: calling-station-id attr added: #acc1.millbrook1#E14#80
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-type attr added: 15
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port attr added: 335544400
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: nas-port-id attr added: GigabitEthernet 1/4.80:80
> DEBUG 10/06/2011 13:56:46 radiusSendAttributes: acct-authentic attr added: 1
> DEBUG 10/06/2011 13:56:46 radiusClient: buildAcctRequest: returning success
> DEBUG 10/06/2011 13:56:46 radiusClient: sendPacket: RADIUS Acct packet sent (default)
> INFO 10/06/2011 13:56:46 ppp: Downstream buffer sent on slot 1
> INFO 10/06/2011 13:56:46 ppp: Downstream buffer sent on slot 1
> INFO 10/06/2011 13:56:46 ppp: Upstream buffer received on slot 1
> INFO 10/06/2011 13:56:47 ppp: Downstream buffer sent on slot 1
> INFO 10/06/2011 13:56:47 ppp: Downstream buffer sent on slot 1
>
> acc1.millbrook1#show subscribers
> Subscriber List
> ---------------
> Virtual
> User Name Type Addr|Endpt Router
> ------------------------ ----- -------------------- ------------
> [email protected] ppp xx.xxx.58.253/radius default
> User Name Interface
> ------------------------ --------------------------------
> [email protected] GigabitEthernet 1/4.80:80
> User Name Login Time Circuit Id
> ------------------------ ------------------- ----------------
> [email protected] 11/10/06 09:56:46
> User Name Remote Id
> ------------------------ ----------------
> [email protected]
>
>
> acc1.millbrook1#show ip route xx.xxx.58.253
> Protocol/Route type codes:
> I1- ISIS level 1, I2- ISIS level2,
> I- route type intra, IA- route type inter, E- route type external,
> i- metric type internal, e- metric type external,
> P- periodic download, O- OSPF, E1- external type 1, E2- external type2,
> N1- NSSA external type1, N2- NSSA external type2
> L- MPLS label, V- VRF, *- via indirect next-hop
>
> Prefix/Length Type Next Hop Dst/Met Interface
> ------------------ --------- --------------- ---------- -----------------------
> xx.xxx.58.253/32 AccIntern 0.0.0.0 2/0 GigabitEthernet1/4.80.1
>
>
> acc1.millbrook1#show classifier-list
>
> Classifier Control List Table
> ---------- ------- ---- -----
> IP lite.1 ip any any
>
>
> acc1.millbrook1#show rate-limit-profile lite
>
> Rate Limit Profile Table
> ---- ----- ------- -----
> IP Rate-Limit-Profile: lite
> Profile Type: one-rate
> Reference count: 1
> Committed rate: 128000
> Committed burst: 50 milliseconds
> Excess burst: 100 milliseconds
> Mask: 255
> Committed rate action: transmit
> Conformed rate action: transmit
> Exceeded rate action: drop
>
>
>
> acc1.millbrook1#show policy-list lite
>
> Policy Table
> ------ -----
> IP Policy lite
> Administrative state: enable
> Reference count: 0
> Classifier control list: lite, precedence 100
> rate-limit-profile lite
> forward
>
>
> acc1.millbrook1#show ip interface gigabitEthernet1/4.80.1
> GigabitEthernet1/4.80.1 line protocol Ppp is up, ip is up
> Network Protocols: IP
> Unnumbered Interface on loopback0
> ( IP address xx.xx.100.74 )
> Operational MTU = 1380 Administrative MTU = 0
> Operational speed = 1000000000 Administrative speed = 0
> Discontinuity Time = 219518
> Router advertisement = disabled
> Proxy Arp = disabled
> ARP spoof checking = enabled
> Network Address Translation is disabled
> TCP MSS Adjustment = disabled
> Administrative debounce-time = disabled
> Operational debounce-time = disabled
> Access routing = enabled: Using xx.xxx.58.253
> Multipath mode = hashed
> Auto Configure = disabled
> Auto Detect = disabled
> Re-Authenticate Auto Detect = disabled
> Append virtual-router name with DSI = disabled
> Inactivity Timer = disabled
> Use Framed Routes = disabled
> Warm-restart initial-sequence-preference: Operational = 0 Administrative = 0
>
> In Received Packets 261076, Bytes 234486612
> Unicast Packets 259711, Bytes 234346269
> Multicast Packets 1365, Bytes 140343
> In Policed Packets 0, Bytes 0
> In Error Packets 0
> In Invalid Source Address Packets 0
> In Discarded Packets 718
> Out Forwarded Packets 262368, Bytes 242535813
> Unicast Packets 262368, Bytes 242535813
> Multicast Routed Packets 0, Bytes 0
> Out Scheduler Dropped Packets 0, Bytes 0
> Out Policed Packets 0, Bytes 0
> Out Discarded Packets 1
>
> queue 0: traffic class best-effort, bound to ip GigabitEthernet1/4.80.1
> Queue length 0 bytes
> Forwarded packets 262368, bytes 250406865
> Dropped committed packets 0, bytes 0
> Dropped conformed packets 0, bytes 0
> Dropped exceeded packets 0, bytes 0
>
> -----Original Message-----
> From: Bjørn Mork [mailto:[email protected]]
> Sent: Thursday, October 20, 2011 1:24 PM
> To: Paul Stewart
> Cc: [email protected]
> Subject: Re: [j-nsp] FreeRadius/ERX Question
>
> "Paul Stewart"<[email protected]> writes:
>
>> We are trying to get a "lite profile" working on ERX platform for
>> PPPOE clients. This would restrict their download/upload speeds on a
>> per user basis via Radius attributes.
>>
>>
>>
>> I have a ticket running at JTAC now for a long time on this - they
>> have now come back and told me I must run Unisphere attributes instead
>> of ERX attributes from Radius. We are using FreeRadius FYI.
> They are probably referring to their official Steel-Belted Radius dictionary,
> which names the attributes like that. See e.g.
>
> http://www.juniper.net/techpubs/software/junos/junos112/radius-dictionary/unisphereDictionary_for_JUNOS_v11-2.dct
>
> (for some reason the JUNOSe dictionary links now require login while the
> JUNOS dictionaries still can be downloaded by anyone, including the above
> "vendorid 4874" one, which applies to both the ERX and the MX subscriber
> platform. Strange).
>
>> Am I doing something wrong here? I checked and all the dictionary
>> files appear to be intact including those attributes. Seems like a
>> FreeRadius issue possibly.
> The default FreeRADIUS dictionary uses the "ERX" prefix everywhere, regardless
> of whether Juniper uses "Unisphere", "ERX" or the recent "Jnpr" prefix. I am
> not sure which solution is least confusing. But I do not fancy having a mix
> of vendor prefixes in the same vendor specific dictionary. And Terje started
> the show by changing the "Unisphere" names to "ERX" in the first place. So
> when I recently sent an update to FreeRADIUS for the attributes added in
> JUNOS 11.2, I chose to continue using the ERX prefix despite Juniper using
> "Jnpr".
>
> Anyway, if in doubt, check the actual attribute numbers.
>
>> Anyone else doing something similar? Are you using these attributes?
>> When we use ERX-Ingress-Policy-Name we can see the policy appearing on
>> a debug with the ERX box but it doesn't work.
> ERX-Ingress-Policy-Name is correct.
>
> Define "doesn't work". It is supposed to work.
>
>
> Bjørn
>
>
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp
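
Added example, not part of the original thread or of FreeRADIUS: the thread's advice to "check the actual attribute numbers" can be followed by decoding the Vendor-Specific attributes straight from a captured Access-Accept, which sidesteps the "Unisphere"/"ERX"/"Jnpr" naming question entirely. The sub-attribute numbers 10 and 11 are an assumption taken from the FreeRADIUS `dictionary.erx` file and should be checked against your own copy; the sample packet is constructed, with an all-zero authenticator.

```python
import struct

VENDOR_ID = 4874  # "vendorid 4874" quoted in the thread
VSA = 26  # RADIUS Vendor-Specific attribute type (RFC 2865)
# Assumed from FreeRADIUS dictionary.erx; check your own copy.
ERX_NAMES = {10: "ERX-Ingress-Policy-Name", 11: "ERX-Egress-Policy-Name"}


def build_vsa(vendor_id, sub_type, value):
    """Encode one vendor sub-attribute inside a type-26 attribute."""
    body = struct.pack("!IBB", vendor_id, sub_type, len(value) + 2) + value
    return bytes([VSA, len(body) + 2]) + body


def parse_vsas(packet):
    """Return (vendor_id, sub_type, value) for every VSA in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        data = packet[pos + 2:pos + a_len]
        if a_type == VSA and len(data) >= 4:
            vendor = struct.unpack("!I", data[:4])[0]
            sub = 4
            while sub + 2 <= len(data):
                s_type, s_len = data[sub], data[sub + 1]
                if s_len < 2 or sub + s_len > len(data):
                    raise ValueError("bad sub-attribute length")
                found.append((vendor, s_type, data[sub + 2:sub + s_len]))
                sub += s_len
        pos += a_len
    return found


def sample_accept():
    """Constructed Access-Accept (code 2) with both policy-name VSAs."""
    attrs = build_vsa(VENDOR_ID, 10, b"lite") + build_vsa(VENDOR_ID, 11, b"lite")
    return struct.pack("!BBH", 2, 14, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    for vendor, num, value in parse_vsas(sample_accept()):
        print(vendor, num, ERX_NAMES.get(num, "unknown"), value.decode())
```

Feeding it the UDP payload of a real Access-Accept shows which vendor ID and sub-attribute numbers the RADIUS server actually put on the wire, whatever names the local dictionary uses.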

