Configuring Juniper MX and ABillS

As an example, I will configure a Juniper MX204 to work with the ABillS billing system.

Copy the purchased module to the billing directory:

cp Mx802.pm /usr/abills/Abills/mysql

In the configuration file config.pl, after the %AUTH = (); and %ACCT = (); declarations, I specified:

$AUTH{mx80} = 'Mx802';
$ACCT{mx80} = 'Mx802';

For authorization by MAC address, I specified:

$conf{MX80_MAC_AUTH}=1;

Since I compiled FreeRADIUS 3.0.23, the following attributes did not need to be changed as described in the ABillS documentation, because they were already in this form:

dictionary.erx
ATTRIBUTE     ERX-Dhcp-Options                        55      octets
dictionary.rfc4679
ATTRIBUTE     ADSL-Agent-Circuit-Id                   1       octets
ATTRIBUTE     ADSL-Agent-Remote-Id                    2       octets

Note that your own attributes must be added to the /usr/local/freeradius/etc/raddb/dictionary file. This file also contains no INCLUDE for the other dictionaries, since starting from FreeRADIUS 3.0.2 they are loaded automatically from the /usr/local/freeradius/share/freeradius/ directory.

In the menu Settings>Access Server I added an access server:

IP:
Name:
Type: mx80
Alive: 600
IP:x.x.x.x
POD/COA:3799
SNMP:161
SSH:22
User: abills_admin
Password: same for SNMP and SSH

I also added RADIUS Parameters to it (it is better to specify your local caching DNS servers):

MS-Primary-DNS-Server=8.8.8.8,
MS-Secondary-DNS-Server=1.1.1.1,
Session-Timeout=0,

After adding the access server you need to restart FreeRADIUS, otherwise it will ignore the requests from the new access server with an unknown client error.

For all guest clients (for example, those with no money, disconnected or unknown clients, etc.), in the tariff settings I specified the IP pool for a negative deposit (one pool can be used for all access servers), and in the “Negative deposit filter” field you can specify arbitrary RADIUS parameters, e.g.:

RAD: ERX-Ingress-Policy-Name=svc-filter-in-nomoney, ERX-Egress-Policy-Name=1Mbps

If other access servers, for example Accel-ppp, are used alongside the Juniper, these attributes will also be sent to them for guest clients. This is not a problem; the Accel-ppp logs will simply contain entries like:

radius:packet: vendor 26 not found

I will give an example of an SQL query for mass changing the “Negative deposit filter” field:

UPDATE tarif_plans SET neg_deposit_filter_id='RAD: ERX-Ingress-Policy-Name=svc-filter-in-nomoney, ERX-Egress-Policy-Name=1Mbps' WHERE neg_deposit_filter_id='RAD: ERX-Egress-Policy-Name=1Mbps' AND module='Internet';

Alternatively (and preferably), instead of specifying these parameters in the “Negative deposit filter” field, specify the filter names in the ABillS configuration file (the same filter can also be used for all cases):

$conf{MX80_PROFILES}='
WRONG_PASS:svc-guest-ipoe(svc-filter-in-wrongpassword);
NEG_DEPOSIT:svc-guest-ipoe(svc-filter-in-nomoney);
AUTH_ERROR:svc-guest-ipoe(svc-filter-in-unknownerror);
USER_NOT_EXIST:svc-guest-ipoe(svc-filter-in-notregister);
NOT_ALLOW_SERVICE:svc-guest-ipoe(svc-filter-in-notallowservice);
DISABLE:svc-guest-ipoe(svc-filter-in-disable);
WRONG_PORT:svc-guest-ipoe(svc-filter-in-wrongport);
WRONG_CID:svc-guest-ipoe(svc-filter-in-wrongcid);
';
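Both ABillS notations above (the "RAD: Attr=Value, ..." string in the “Negative deposit filter” field and the REASON:service(filter); entries of $conf{MX80_PROFILES}) are easy to get subtly wrong, so here is a small parser for them. This is an added example written for this article, not code from ABillS or its Mx802.pm module; it assumes the guest service from MX80_PROFILES is sent to the MX as ERX-Service-Activate in Juniper's "service(parameter)" syntax, and the sample inputs are the values shown in the article.

```python
"""Parse the ABillS guest-filter notations into RADIUS attribute/value pairs.

Added example for this article; not ABillS code. Assumption: the service from
MX80_PROFILES is delivered to the MX as ERX-Service-Activate = "service(params)".
"""
from __future__ import annotations

import re

# Sample input: the MX80_PROFILES value from the article.
MX80_PROFILES = """
WRONG_PASS:svc-guest-ipoe(svc-filter-in-wrongpassword);
NEG_DEPOSIT:svc-guest-ipoe(svc-filter-in-nomoney);
AUTH_ERROR:svc-guest-ipoe(svc-filter-in-unknownerror);
USER_NOT_EXIST:svc-guest-ipoe(svc-filter-in-notregister);
NOT_ALLOW_SERVICE:svc-guest-ipoe(svc-filter-in-notallowservice);
DISABLE:svc-guest-ipoe(svc-filter-in-disable);
WRONG_PORT:svc-guest-ipoe(svc-filter-in-wrongport);
WRONG_CID:svc-guest-ipoe(svc-filter-in-wrongcid);
"""

RAD_PREFIX = "RAD:"
# REASON:service(param1,param2)
PROFILE_RE = re.compile(r"^(?P<reason>[A-Z_]+):(?P<service>[\w.-]+)\((?P<params>[^)]*)\)$")


def parse_radius_params(field: str) -> list[tuple[str, str]]:
    """Parse 'RAD: A=1, B=2' (or a plain 'A=1,\\nB=2,' list) into (attribute, value) pairs.

    Trailing commas and blank items are tolerated; an item without '=' is an error,
    so a typo in the tariff field is caught before it reaches FreeRADIUS.
    """
    text = field.strip()
    if text.startswith(RAD_PREFIX):
        text = text[len(RAD_PREFIX):]
    pairs: list[tuple[str, str]] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed RADIUS parameter: {item!r}")
        attr, value = item.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def parse_mx80_profiles(text: str) -> dict[str, tuple[str, list[str]]]:
    """Parse $conf{MX80_PROFILES} into {reason: (service, [parameters])}."""
    profiles: dict[str, tuple[str, list[str]]] = {}
    for entry in text.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        m = PROFILE_RE.match(entry)
        if not m:
            raise ValueError(f"malformed profile entry: {entry!r}")
        params = [p.strip() for p in m["params"].split(",") if p.strip()]
        profiles[m["reason"]] = (m["service"], params)
    return profiles


def service_activate(service: str, params: list[str]) -> tuple[str, str]:
    """Build the ERX-Service-Activate attribute (assumed attribute name, Juniper syntax)."""
    return ("ERX-Service-Activate", f"{service}({','.join(params)})")


def guest_attributes(reason: str, profiles: dict[str, tuple[str, list[str]]]) -> list[tuple[str, str]]:
    """Attributes to put in the Access-Accept for a guest rejected for `reason`."""
    if reason not in profiles:
        raise KeyError(f"no guest profile configured for {reason}")
    return [service_activate(*profiles[reason])]


if __name__ == "__main__":
    print(parse_radius_params("RAD: ERX-Ingress-Policy-Name=svc-filter-in-nomoney, ERX-Egress-Policy-Name=1Mbps"))
    print(guest_attributes("NEG_DEPOSIT", parse_mx80_profiles(MX80_PROFILES)))
```

The parser deliberately raises on a malformed entry instead of silently skipping it: a guest profile that is missing because of a stray character would otherwise leave that class of subscriber with no filter at all.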

I described the initial setup of Juniper in the article:
Juniper MX204 setup

Be sure to activate the subscriber management function (without this, authentication will not be performed and requests will not be sent to Radius):

set chassis network-services enhanced-ip
set system services subscriber-management enable
set system configuration-database max-db-size 300M
commit
request system reboot

show subscribers address 172.16.5.210 detail
show system subscriber-management route
show system subscriber-management summary
show system processes | grep libexec[36]

On devices with more than 32 GB of memory, you can omit the size of the configuration database so that Junos selects a value automatically (in my case the value became 698343424):

delete system configuration-database max-db-size
request system reboot

See also my article:
JunOS dyn prof: failed to register error

Continuing the configuration, we will create a filter named 1Mbps, which will limit the speed of guest users:

set firewall family inet filter 1Mbps interface-specific term 1 then policer 1Mbps accept
set firewall policer 1Mbps if-exceeding bandwidth-limit 1m burst-size-limit 128k
set firewall policer 1Mbps then discard

We will also create a filter that allows access only to the specified IP addresses and ports, and redirects HTTP traffic to a “captive portal” stub page (on which you can place arbitrary information and a link to the personal account page):

set firewall family inet filter svc-filter-in-nomoney interface-specific
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-prefix-list WhiteListHosts
set firewall family inet filter svc-filter-in-nomoney term 1 from protocol [ tcp udp ]
set firewall family inet filter svc-filter-in-nomoney term 1 from destination-port [ 80 443 53 67 68 81 82 9443 ]
set firewall family inet filter svc-filter-in-nomoney term 1 then accept
set firewall family inet filter svc-filter-in-nomoney term 2 from protocol tcp destination-port 80
set firewall family inet filter svc-filter-in-nomoney term 2 then routing-instance neg_dep
set firewall family inet filter svc-filter-in-nomoney term default then discard

edit policy-options prefix-list WhiteListHosts
set 10.20.0.1
set 10.20.0.5

set routing-instances neg_dep instance-type forwarding routing-options static route 0.0.0.0/0 next-hop 192.168.99.5
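Because the terms of svc-filter-in-nomoney are evaluated in order and the first match wins, it is worth checking what a guest's traffic will actually do before committing: HTTP to a whitelisted host is accepted by term 1 rather than redirected, HTTPS to anything else is discarded (no redirect is possible for it), and DNS is only answered if the resolver is in WhiteListHosts. The evaluator below is an added example written for this article, not Junos code; it models only the match conditions this filter uses (protocol, destination port, destination prefix list) and uses the prefix list and ports from the configuration above.

```python
"""Evaluate the svc-filter-in-nomoney guest filter from the article offline.

Added example; not Junos code. Semantics modelled: terms are tried in order,
a term matches only when every 'from' condition it has matches (a set means
"any of"), the first matching term decides, and an unmatched packet hits the
implicit discard (this filter also has an explicit default term).
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network

# prefix-list WhiteListHosts from the article
WHITELIST_HOSTS = [ip_network("10.20.0.1/32"), ip_network("10.20.0.5/32")]

# Terms of svc-filter-in-nomoney in configured order. Missing key = no such condition.
NOMONEY_TERMS = [
    {"name": "1", "proto": {"tcp", "udp"}, "dport": {80, 443, 53, 67, 68, 81, 82, 9443},
     "dst": WHITELIST_HOSTS, "action": "accept"},
    {"name": "2", "proto": {"tcp"}, "dport": {80}, "action": "routing-instance neg_dep"},
    {"name": "default", "action": "discard"},
]


def term_matches(term: dict, proto: str, dst: str, dport: int | None) -> bool:
    """All configured 'from' conditions of the term must match the packet."""
    if "proto" in term and proto not in term["proto"]:
        return False
    if "dport" in term and dport not in term["dport"]:
        return False
    if "dst" in term and not any(ip_address(dst) in net for net in term["dst"]):
        return False
    return True


def evaluate(terms: list[dict], proto: str, dst: str, dport: int | None = None) -> tuple[str, str]:
    """Return (term name, action) of the first matching term, or the implicit discard."""
    for term in terms:
        if term_matches(term, proto, dst, dport):
            return term["name"], term["action"]
    return "implicit", "discard"


def guest_verdict(proto: str, dst: str, dport: int | None = None) -> str:
    """Action svc-filter-in-nomoney takes on one guest packet."""
    return evaluate(NOMONEY_TERMS, proto, dst, dport)[1]


def unreachable_dns(resolvers: list[str]) -> list[str]:
    """Resolvers handed to guests (DHCP name-server or MS-*-DNS-Server) that this filter drops.

    A guest who cannot resolve names never issues the HTTP request that term 2 redirects,
    so every resolver given to guests must be in WhiteListHosts.
    """
    return [r for r in resolvers if guest_verdict("udp", r, 53) != "accept"]


if __name__ == "__main__":
    for pkt in [("tcp", "10.20.0.1", 80), ("tcp", "203.0.113.10", 80), ("tcp", "203.0.113.10", 443)]:
        print(pkt, "->", evaluate(NOMONEY_TERMS, *pkt))
    print("resolvers guests cannot reach:", unreachable_dns(["8.8.8.8", "1.1.1.1", "10.20.0.5"]))
```

With the prefix list as shown, the resolvers sent via RADIUS above (8.8.8.8 and 1.1.1.1) are not reachable for guests; either add the resolvers you hand out to WhiteListHosts or point guests at a resolver that is in it.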

Let’s create a dynamic profile for the VLAN (VLAN interfaces will look like ae0.3222119914):

edit dynamic-profiles VLAN-IPOE
set routing-instances "$junos-routing-instance" interface "$junos-interface-name"
edit interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit"
set demux-source inet
set no-traps
set proxy-arp restricted
set vlan-id "$junos-vlan-id"
set family inet unnumbered-address "$junos-loopback-interface"

Another example of a dynamic profile for VLAN (VLAN interfaces will look like demux0.3222014310):

edit dynamic-profiles Auto-VLAN-Demux
set routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set interfaces demux0 unit "$junos-interface-unit" demux-source inet
set interfaces demux0 unit "$junos-interface-unit" no-traps
set interfaces demux0 unit "$junos-interface-unit" proxy-arp restricted
set interfaces demux0 unit "$junos-interface-unit" vlan-id "$junos-vlan-id"
set interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-interface-ifd-name"
set interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"

Let's assign it to the interface facing the clients, for example ae0, so that VLANs are brought up automatically (in the ranges we specify which VLANs it should work for):

set ae0 auto-configure vlan-ranges dynamic-profile VLAN-IPOE accept dhcp-v4
set ae0 auto-configure vlan-ranges dynamic-profile VLAN-IPOE ranges 220-221
set ae0 auto-configure vlan-ranges dynamic-profile VLAN-IPOE ranges 777-780

Then I added a dynamic profile for users:

edit dynamic-profiles DHCP-IP-Demux interfaces demux0
set unit $junos-interface-unit proxy-arp restricted
set unit $junos-interface-unit no-traps
set unit $junos-interface-unit demux-options underlying-interface $junos-underlying-interface
set unit $junos-interface-unit family inet demux-source $junos-subscriber-ip-address
set unit $junos-interface-unit family inet unnumbered-address lo0.0 preferred-source-address 10.10.0.3

set unit $junos-interface-unit family inet unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address"
edit dynamic-profiles DHCP
set routing-instances "$junos-routing-instance" interface "$junos-interface-name"
exit

We will also configure RPF in this profile, see an example in my article:
Configuring RPF in Dynamic Profiles

If necessary, profiles can be renamed like this:

rename dynamic-profiles DHCP-IP-Demux to ixnfo.com

Now let's specify this profile for the local DHCP server on the Juniper and also run DHCP on the demux0 interface (subscriber sub-interfaces will be created like demux0.xxxxx):

edit system services dhcp-local-server
set pool-match-order external-authority
set authentication username-include mac-address
set group all dynamic-profile DHCP-IP-Demux
set group all interface demux0.0
set group all interface ae0.0

You can enable verbose DHCP logs (and disable them later so as not to fill the device's storage, since a lot of information will be recorded):

edit system processes dhcp-service traceoptions
set file dhcp_logfile size 10m
set level warning
set flag packet
commit
show log dhcp_logfile | last 100
edit system processes dhcp-service
delete traceoptions
commit

You can also monitor DHCP traffic on the interface:

monitor traffic interface XXX size 1500 no-resolve detail matching udp

Now let’s create a dynamic profile for regular work sessions:

edit dynamic-profiles svc-global-ipoe
set variables SPEED_IN mandatory
set variables SPEED_OUT mandatory
set variables INET_IN uid
set variables INET_OUT uid
set variables POLICER_IN uid
set variables POLICER_OUT uid
set interfaces demux0 unit "$junos-interface-unit" family inet filter input "$INET_IN"
set interfaces demux0 unit "$junos-interface-unit" family inet filter input precedence 50
set interfaces demux0 unit "$junos-interface-unit" family inet filter output "$INET_OUT"
set interfaces demux0 unit "$junos-interface-unit" family inet filter output precedence 50
set firewall family inet filter "$INET_IN" interface-specific
set firewall family inet filter "$INET_IN" term 1 then policer "$POLICER_IN"
set firewall family inet filter "$INET_IN" term 1 then service-accounting
set firewall family inet filter "$INET_IN" term 1 then accept
set firewall family inet filter "$INET_OUT" interface-specific
set firewall family inet filter "$INET_OUT" term 1 then policer "$POLICER_OUT"
set firewall family inet filter "$INET_OUT" term 1 then service-accounting
set firewall family inet filter "$INET_OUT" term 1 then accept
set firewall policer "$POLICER_IN" filter-specific
set firewall policer "$POLICER_IN" if-exceeding bandwidth-limit "$SPEED_IN"
set firewall policer "$POLICER_IN" if-exceeding burst-size-limit 512k
set firewall policer "$POLICER_IN" then discard
set firewall policer "$POLICER_OUT" filter-specific
set firewall policer "$POLICER_OUT" if-exceeding bandwidth-limit "$SPEED_OUT"
set firewall policer "$POLICER_OUT" if-exceeding burst-size-limit 512k
set firewall policer "$POLICER_OUT" then discard

Here is an example of a guest dynamic profile (it expects the name of the input filter from RADIUS, for example svc-filter-in-nomoney, while the output filter 1Mbps is specified manually):

edit dynamic-profiles svc-guest-ipoe
set variables FILTER-IN mandatory
set interfaces demux0 unit "$junos-interface-unit" family inet filter input "$FILTER-IN"
set interfaces demux0 unit "$junos-interface-unit" family inet filter input precedence 100
set interfaces demux0 unit "$junos-interface-unit" family inet filter output 1Mbps
set interfaces demux0 unit "$junos-interface-unit" family inet filter output precedence 100

Then I added all the IP pools that are entered in ABillS and will be used on this Juniper, for example (the DNS servers can be omitted here and sent via RADIUS instead, as described above):

edit access address-assignment pool Guests
set family inet network 10.10.0.0/20 range R1 low 10.10.0.2 high 10.10.15.253
set family inet network 10.10.0.0/20 dhcp-attributes maximum-lease-time 600 server-identifier 10.10.0.1 router 10.10.0.1
set family inet network 10.10.0.0/20 dhcp-attributes name-server 192.168.5.5
set family inet network 10.10.0.0/20 dhcp-attributes name-server 1.1.1.1

edit access address-assignment pool 17217
set family inet network 172.17.0.0/21 range R1 low 172.17.1.2 high 172.17.7.253
set family inet network 172.17.0.0/21 dhcp-attributes maximum-lease-time 600 server-identifier 172.17.0.3 router 172.17.0.3

I configured the gateways of these IP pools on the loopback interface lo0, always with a /32 mask, for example:

set interfaces lo0 unit 0 family inet address 172.17.0.3/32
set interfaces lo0 unit 0 family inet address 10.10.0.3/32

For the Radius setting, see my article:
How to configure Radius on Juniper

Globally specify the created Radius profile:

set access-profile CLIENTS

If no RADIUS servers are available, the Juniper will keep existing sessions active by default.
For diagnostics on the Linux server running RADIUS, you can use tcpdump to capture RADIUS requests from the Juniper, or run radiusd in debug mode:

tcpdump host ixnfo.com
tcpdump -i eno5 port 1812 or port 1813 or port 3799
radiusd -X > rad_debug.txt
CTRL+C

Let’s check the configuration on Juniper and apply:

commit check
commit

Session discrepancy check script:

/usr/abills/libexec/billd mx80_checklines SHOW
/usr/abills/libexec/billd mx80_checklines HANGUP

Examples of viewing various information and statistics:

show subscribers
show subscribers extensive
show subscribers subscriber-state ?
show interfaces demux0.xxxxxxx
show arp
show arp state
show bridge mac-table
show log messages | last 30
show interfaces mac-database
show system services dhcp binding
show system services dhcp binding ?
show system services dhcp conflict
show dynamic-profile session client-id
show subscribers interface demux0.3221225509 extensive
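The mx80_checklines check above compares the sessions the router holds with those the billing considers active; the script below does the same comparison offline from the text of show subscribers, so the logic can be verified before hanging anything up. It is an added example written for this article, not the ABillS script and not Junos parsing code; the show subscribers output and the billing session list are constructed samples, and it assumes that with “authentication username-include mac-address” the User Name column holds the subscriber MAC, as it does in the article's setup.

```python
"""Reconcile MX subscriber sessions with the billing system's active sessions.

Added example for this article; not ABillS' mx80_checklines. Input formats are
modelled on `show subscribers` (Interface, IP Address/VLAN ID, User Name, LS:RI)
with MAC user names; both sample inputs below are constructed.
"""
from __future__ import annotations

import re

# Constructed sample of `show subscribers` output: one auto-sensed VLAN row and three DHCP subscribers.
SHOW_SUBSCRIBERS = """\
Interface             IP Address/VLAN ID      User Name                      LS:RI
ae0.3222119914        220                                                    default:default
demux0.3221225509     10.10.0.5               00:11:22:33:44:55              default:default
demux0.3221225510     172.17.1.20             aa:bb:cc:dd:ee:01              default:default
demux0.3221225511     172.17.1.21             aa:bb:cc:dd:ee:02              default:default
"""

# Constructed: sessions the billing side believes are active (MAC -> assigned IP).
BILLING_ACTIVE = {
    "00:11:22:33:44:55": "10.10.0.5",
    "aa:bb:cc:dd:ee:02": "172.17.1.21",
    "aa:bb:cc:dd:ee:03": "172.17.1.22",
}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_show_subscribers(text: str) -> dict[str, tuple[str, str]]:
    """Return {interface: (ip, mac)} for rows with a MAC user name.

    VLAN rows (ae0.N with only a VLAN ID and no user name) have three columns
    and are skipped; anything that is not a MAC in the User Name column is ignored.
    """
    sessions: dict[str, tuple[str, str]] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) != 4:
            continue
        iface, addr, user, _ls_ri = fields
        if MAC_RE.match(user):
            sessions[iface] = (addr, user.lower())
    return sessions


def reconcile(router: dict[str, tuple[str, str]], billing: dict[str, str]):
    """Compare router sessions with billing's MAC -> IP map.

    Returns (hangup, close, mismatch):
      hangup   (iface, ip, mac)             on the router but not active in billing
      close    (mac, ip)                    active in billing but gone from the router
      mismatch (iface, router_ip, bill_ip, mac) same MAC but different IP on each side
    """
    billing = {mac.lower(): ip for mac, ip in billing.items()}
    hangup, mismatch, seen = [], [], set()
    for iface, (ip, mac) in sorted(router.items()):
        seen.add(mac)
        if mac not in billing:
            hangup.append((iface, ip, mac))
        elif billing[mac] != ip:
            mismatch.append((iface, ip, billing[mac], mac))
    close = sorted((mac, ip) for mac, ip in billing.items() if mac not in seen)
    return hangup, close, mismatch


def hangup_commands(hangup: list[tuple[str, str, str]]) -> list[str]:
    """Junos commands that terminate the orphaned sessions, as in the manual termination below."""
    return [f"clear dhcp server binding {ip}" for _iface, ip, _mac in hangup]


if __name__ == "__main__":
    hangup, close, mismatch = reconcile(parse_show_subscribers(SHOW_SUBSCRIBERS), BILLING_ACTIVE)
    print("hang up on MX:", hangup)
    print("close in billing:", close)
    print("IP mismatch:", mismatch)
    print("\n".join(hangup_commands(hangup)))
```

The mismatch list is the case worth looking at first: a MAC that the router and the billing place on different IPs usually means accounting for the old session never arrived, and it is also the case where blindly clearing the billing's IP would terminate the wrong binding.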

Manual termination of the client session:

clear dhcp server binding 10.10.0.5

Restarting the DHCP service:

restart dhcp-service
restart dhcp-service ?

An example of creating a user for SSH connections from the ABillS server. First, let's generate the SSH key pair (the files id_rsa.abills_admin and id_rsa.abills_admin.pub will appear in the /usr/abills/Certs/ directory):

/usr/abills/misc/certs_create.sh ssh abills_admin

Let’s perform the settings on Juniper:

set system login class support idle-timeout 10
set system login class support permissions interface
set system login class support permissions routing
set system login class support permissions view
set system login class support allow-commands "monitor|ping|traceroute|show|clear dhcp server binding"
set system login class support deny-commands "clear|file|op|request|set|start"

set system login user abills_admin class support authentication load-key-file /var/home/id_rsa.abills_admin.pub
set system root-authentication plain-text-password

start shell user root
scp -P 22 abills@ixnfo.com:/usr/abills/Certs/id_rsa.abills_admin.pub /var/home/id_rsa.abills_admin.pub

cd /var/home/abills_admin/
ls

Instead of copying a file, you can specify its contents directly in the configuration:

set ssh-rsa "ssh-rsa XXXXXXXXXXXXXXXX ABillS remote machine manage key (Thu Jul  7 14:17:04 EEST 2022)"
show log user abills_admin

See also my articles:
Connecting via SSH key to Juniper
How to view user session speed
Mass shaping of speed in case of accidents

If there are several devices, then user routes can be transmitted via iBGP, for example, see my article:
Configuring iBGP on Juniper MX

See also my other articles about Juniper
