As an example, I will configure Radius on a Juniper MX204.
Check installed licenses:
show system license usage
In my case the output was:
                               Licenses   Licenses   Licenses
Feature name                   used       installed  needed     Expiry
subscriber-accounting          1          1          0          permanent
subscriber-authentication      0          1          0          permanent
subscriber-address-assignment  1          1          0          permanent
subscriber-vlan                0          1          0          permanent
subscriber-ip                  0          1          0          permanent
service-dc                     0          1          0          permanent
service-accounting             0          1          0          permanent
service-qos                    0          1          0          permanent
service-ancp                   0          1          0          permanent
service-cbsp                   0          1          0          permanent
scale-subscriber               0          64000      0          permanent
scale-l2tp                     0          1000       0          permanent
Examples of viewing the current Radius settings:
configure
run show configuration access
run show configuration access profile CLIENTS
edit access
show
Let’s go to the access hierarchy:
Let’s create a profile, for example with the name CLIENTS (the commented-out commands can be enabled if needed):
set profile CLIENTS authentication-order radius
set profile CLIENTS accounting-order radius
set profile CLIENTS radius authentication-server 192.168.5.2
set profile CLIENTS radius accounting-server 192.168.5.2
set profile CLIENTS radius options nas-identifier juniper-dhcp
#set profile CLIENTS radius options calling-station-id-format mac-address
#set profile CLIENTS radius options revert-interval 3
#set profile CLIENTS radius options client-authentication-algorithm round-robin
#set profile CLIENTS radius options client-accounting-algorithm round-robin
set profile CLIENTS radius-server 192.168.5.2 secret ixnfo.com
set profile CLIENTS radius-server 192.168.5.2 port 1812
set profile CLIENTS radius-server 192.168.5.2 accounting-port 1813
set profile CLIENTS radius-server 192.168.5.2 timeout 20
set profile CLIENTS radius-server 192.168.5.2 retry 5
set profile CLIENTS radius-server 192.168.5.2 source-address 192.168.5.8
#set profile CLIENTS radius-server 192.168.5.2 max-outstanding-requests 500
set profile CLIENTS accounting order radius
set profile CLIENTS accounting immediate-update
set profile CLIENTS accounting coa-immediate-update
set profile CLIENTS accounting update-interval 10
set profile CLIENTS accounting statistics volume-time
set profile CLIENTS service accounting-order radius
#set radius-disconnect 192.168.5.2
exit
#set system radius-server 188.8.131.52 secret ixnfo.com
A description of some of the parameters used above:
- revert-interval defines how long Juniper waits after a Radius server becomes unavailable before re-checking the connection to it. The default is 60 seconds; possible values are from 0 to 604800.
- options nas-identifier sets an arbitrary name for the device that is sent in the Radius NAS-Identifier attribute; it lets the Radius server tell which device a request comes from when several Juniper devices are in use.
- client-accounting-algorithm and client-authentication-algorithm define how the Radius servers are accessed. The default is “direct”: requests go to the first Radius server, and to the second one only if the first does not respond. With “round-robin” the first request goes to the first Radius server, the second request to the second, and so on, which distributes the load across the Radius servers.
- timeout sets the time in seconds that Juniper waits for a response to its request from the Radius server; the default is 3 seconds, valid values are from 1 to 1000 seconds.
- retry sets the number of attempts to send a request to the Radius server; the default is 3, valid values are from 1 to 100. If the Radius server does not respond after all attempts, Juniper starts sending requests to the next Radius server.
- source-address is an IP address configured on the Juniper from which requests are sent; on the Radius server I also allow connections from this IP address in the firewall.
- max-outstanding-requests limits the number of requests in flight to the Radius server, to protect a slow Radius server from heavy load. It can be left unset; the default is 1000, the possible range is from 0 to 2000.
- accounting immediate-update sends an immediate Acct-Update (interim accounting) request to the Radius server once a subscriber session starts.
- accounting coa-immediate-update sends an immediate Acct-Update request to the Radius server after a CoA (Change of Authorization) request has been applied to the session.
- accounting update-interval sets the time in minutes that Juniper waits before sending the next session statistics (interim) update; available values are from 10 to 1440.
- accounting statistics volume-time specifies whether statistics are collected by time only (time) or by volume and time (volume-time).
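To show what the profile settings above actually put on the wire, here is an added example (not from the original article or from Juniper) that builds a RADIUS Access-Request the way a NAS does, using the profile's nas-identifier, source-address and shared secret, and then decodes it the way the server does; the user name, password and Request Authenticator values are constructed sample data. It also makes clear why the shared secret matters: the User-Password attribute is hidden only with MD5 of that secret, so a wrong secret silently yields garbage rather than an error.

```python
import hashlib
import os
import struct
# Values from the article's profile; user names, passwords and the Request
# Authenticator passed in below are constructed sample data, not real subscribers.
SECRET = b"ixnfo.com"        # radius-server secret
NAS_IP = "192.168.5.8"       # radius-server source-address
NAS_ID = "juniper-dhcp"      # options nas-identifier
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 4, 31, 32  # RFC 2865 types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; a wrong shared secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, total length (value + 2), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident: int, user: str, password: str, authenticator: bytes = b"") -> bytes:
    """Access-Request (code 1) carrying the attributes the article's settings control."""
    authenticator = authenticator or os.urandom(16)   # 16-byte random Request Authenticator
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), SECRET, authenticator))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
            + attr(NAS_IDENTIFIER, NAS_ID.encode())
            + attr(CALLING_STATION_ID, user.encode()))  # calling-station-id-format mac-address
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet: bytes) -> dict:
    """TLVs after the 20-byte header, keyed by type (first occurrence wins)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attrs.setdefault(packet[pos], packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return attrs
```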
At the global level, specify the created profile:
set access-profile CLIENTS
Examples of viewing statistics:
show network-access aaa statistics address-assignment pool 17217
show network-access aaa statistics authentication detail
show network-access aaa statistics radius
show network-access aaa statistics radius detail
show network-access aaa statistics dynamic-requests
show network-access aaa radius-servers detail
show network-access aaa subscribers username 5ca6.e63d.d141
show network-access aaa subscribers session-id 5
show route protocol access-internal
show subscribers
show subscribers vlan-id 220
show subscribers subscriber-state active
show subscribers address 172.17.1.5 detail
show subscribers interface demux0.3221225477 detail
show interfaces demux0.3221225477 extensive
test aaa dhcp ...
For diagnostics you can write more detailed logs to a separate file (only on a test device: detailed logs are written for every client, which is not acceptable when the device serves many clients):
edit system processes general-authentication-service
set traceoptions file IXNFO size 10m
set traceoptions flag radius
#set traceoptions flag all
#set traceoptions filter user *ixnfo.com
show
exit
Check the configuration and apply:
commit check
commit
See also my article:
Juniper MX204 setup