How to configure Radius on Juniper

For example, I will configure the Radius on the Juniper MX204.

Check installed licenses:

show system license usage

I have displayed:

                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  subscriber-accounting                 1            1           0    permanent
  subscriber-authentication             0            1           0    permanent
  subscriber-address-assignment         1            1           0    permanent
  subscriber-vlan                       0            1           0    permanent
  subscriber-ip                         0            1           0    permanent
  service-dc                            0            1           0    permanent
  service-accounting                    0            1           0    permanent
  service-qos                           0            1           0    permanent
  service-ancp                          0            1           0    permanent
  service-cbsp                          0            1           0    permanent
  scale-subscriber                      0        64000           0    permanent
  scale-l2tp                            0         1000           0    permanent

Examples of viewing the current Radius settings:

configure
run show configuration access
run show configuration access profile CLIENTS
edit access
show

Let’s go to the access hierarchy:

edit access

Let’s create a profile, for example, with the name CLIENTS (commented commands can be used if needed):

set profile CLIENTS authentication-order radius
set profile CLIENTS accounting-order radius
set profile CLIENTS radius authentication-server 192.168.5.2
set profile CLIENTS radius accounting-server 192.168.5.2
set profile CLIENTS radius options nas-identifier juniper-dhcp
#set profile CLIENTS radius options calling-station-id-format mac-address
#set profile CLIENTS radius options revert-interval 3
#set profile CLIENTS radius options client-authentication-algorithm round-robin
#set profile CLIENTS radius options client-accounting-algorithm round-robin

set profile CLIENTS radius-server 192.168.5.2 secret ixnfo.com
set profile CLIENTS radius-server 192.168.5.2 port 1812
set profile CLIENTS radius-server 192.168.5.2 accounting-port 1813
set profile CLIENTS radius-server 192.168.5.2 timeout 20
set profile CLIENTS radius-server 192.168.5.2 retry 5
set profile CLIENTS radius-server 192.168.5.2 source-address 192.168.5.8
#set profile CLIENTS radius-server 192.168.5.2 max-outstanding-requests 500

set profile CLIENTS accounting order radius
set profile CLIENTS accounting immediate-update
set profile CLIENTS accounting coa-immediate-update
set profile CLIENTS accounting update-interval 10
set profile CLIENTS accounting statistics volume-time

set profile CLIENTS service accounting-order radius

#set radius-disconnect 192.168.5.2
exit

#set system radius-server 129.168.5.2 secret ixnfo.com

I will describe some of the parameters that I indicated:

  • revert-interval defines the amount of time juniper waits after the radius server becomes unavailable, after which juniper will re-verify the connection. The default is 60 seconds, possible values ​​are from 0 to 604800.
  • options nas-identifier allows you to specify an arbitrary name for the device, which will be passed in the Radius NAS-Identifier parameter, necessary for authenticating requests when using multiple Juniper devices.
  • client-accounting-algorithm and client-authentication-algorithm define a method for accessing Radius servers, the default is “direct” – if the first Radius does not work, then a request is made to the second one. With “round-robin” the first request is made to the first Radius, the second request to the second Radius, which allows you to distribute the load on the Radius servers.
  • timeout allows you to specify the time in seconds during which juniper will wait for a response to his request from the Radius server, the default is 3 seconds, the valid value is from 1 to 1000 seconds.
  • retry allows you to specify the number of attempts to send a request to the Radius server, the default is 3, the valid value is from 1 to 100. If the Radius server does not respond after all attempts, then Juniper will start sending requests to another Radius server.
  • source-address – the IP address that is present on Juniper and from which requests will be sent, also on the Radius server in the firewall, I allow connections from this IP address.
  • max-outstanding-requests allows you to limit the number of running requests to the radius server in order to protect the slow radius server from heavy loads. You can not specify, the default is 1000, the possible range is from 0 to 2000.
  • accounting immediate-update enables Acct-Update requests to the Radius server.
  • accounting coa-immediate-update enables Acct-Update requests to the Radius server.
  • accounting update-interval specifies the time in minutes that juniper waits before sending a new session statistics message, available values ​​are from 10 to 1440.
  • accounting statistics volume-time specifies to collect statistics only by time (time) or by volume and time (volume-time).

In global mode, specify the created profile:

set access-profile CLIENTS

Examples of viewing statistics:

show network-access aaa statistics address-assignment pool 17217
show network-access aaa statistics authentication detail
show network-access aaa statistics radius
show network-access aaa statistics radius detail
show network-access aaa statistics dynamic-requests
show network-access aaa radius-servers detail
show network-access aaa subscribers username 5ca6.e63d.d141
show network-access aaa subscribers session-id 5
show route protocol access-internal
show subscribers
show subscribers vlan-id 220
show subscribers subscriber-state active
show subscribers address 172.17.1.5 detail
show subscribers interface demux0.3221225477 detail
show interfaces demux0.3221225477 extensive
test aaa dhcp ...

For diagnostics, you can write more detailed logs to a separate file (only on a test device, since many detailed logs are written for each client, which cannot be done if there are many clients on the device):

edit system processes general-authentication-service
set traceoptions file IXNFO size 10m
set traceoptions flag all
#set traceoptions filter user *ixnfo.com
show
exit

Check the configuration and apply:

commit check
commit

See also my article:
Juniper MX204 setup

Leave a comment

Leave a Reply