Juniper Radius configuration with variables

This article is the second part of the Juniper MX Radius configuration tutorial – https://splynx.com/4873/radius-juniper-mx-configuration/

In the first article, speed limitations were set by two Juniper Radius attributes:

ERX-Ingress-Policy-Name = "{{ tariff_name }}"
ERX-Egress-Policy-Name = "{{ tariff_name }}"

These attributes matched the Juniper firewall filter/policy to the tariff name in Splynx.

We can also set up a more advanced option that does not rely on matching tariff names to firewall filters. The setup is quite advanced but also elegant: variables are used to define the policies and speeds.

RADIUS
Let's start again with the basic Radius configuration:


profile RAD {
    authentication-order radius;
    domain-name-server {
        8.8.4.4;
        8.8.8.8;
    }
    radius {
        authentication-server 192.168.1.5;
        accounting-server 192.168.1.5;
        options {
            nas-identifier JUN;
            accounting-session-id-format decimal;
        }
    }
    radius-server {
        192.168.1.5 {
            secret "$9$bLYJUjHqPTz7-UiHqQzRhcSvW"; ## SECRET-DATA
            source-address 192.168.1.6;
        }
    }
    accounting {
        order radius;
        immediate-update;
        coa-immediate-update;
        address-change-immediate-update;
        update-interval 10;
        statistics volume-time;
    }
}

 

It is important to apply the access profile in the global configuration:
access-profile RAD

DYNAMIC PROFILE
The second part is defining a dynamic profile using variables.

svc-local-pppoe {
    variables {
        var-bw-download;
        var-bw-upload;
        var-ff-out-download {
            equals "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'";
            uid;
        }
        var-ff-in-upload {
            equals "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'";
            uid;
        }
        var-plr-download {
            equals "'plr-' ## $var-bw-download";
            uid;
        }
        var-plr-upload {
            equals "'plr-' ## $var-bw-upload";
            uid;
        }
    }
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                family inet {
                    filter {
                        input "$var-ff-out-download" precedence 100;
                        output "$var-ff-in-upload" precedence 100;
                    }
                }
                family inet6 {
                    filter {
                        input "$var-ff-out-download" precedence 100;
                        output "$var-ff-in-upload" precedence 100;
                    }
                }
            }
        }
    }

As you can see, we can define policies for IPv4 and IPv6 customers.
The Juniper Radius attribute that Splynx should send to the Juniper MX router is:

RADIUS ATTRIBUTE:

ERX-Service-Activate:1 = "svc-local-pppoe(3072000,2048000)"
where 3072000 is the download speed and 2048000 is the upload speed.
It means that Juniper will set var-bw-download = 3072000 and var-bw-upload = 2048000. Then it will build the var-ff-out-download and var-ff-in-upload variables and set them as the input and output filter names on the pp0 interface.
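
The expansion described above, as an added example that is not part of the original article and is not Splynx or Juniper code: a Python check that a script on the RADIUS side could run on the service string before it is sent. The function names and the digits-only, non-zero rule are assumptions of this sketch; it models only the equals expressions, not any naming Junos applies because of uid.

```python
import re

# Shape of the value sent in ERX-Service-Activate:1 on this page:
#   svc-local-pppoe(3072000,2048000)
# Digits-only parameters are a deliberate restriction of this sketch (assumption).
SERVICE_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*)\(([0-9]{1,12}),([0-9]{1,12})\)")


def parse_service_activate(value, expected_profile="svc-local-pppoe"):
    """Return (profile, download, upload) or raise ValueError."""
    match = SERVICE_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"malformed service string: {value!r}")
    profile, download, upload = match.group(1), int(match.group(2)), int(match.group(3))
    if profile != expected_profile:
        raise ValueError(f"unexpected dynamic profile: {profile!r}")
    if download == 0 or upload == 0:
        raise ValueError("speeds must be non-zero")
    return profile, download, upload


def expand_variables(download, upload):
    """Evaluate the profile's 'equals' expressions ('##' is concatenation)."""
    return {
        "var-bw-download": str(download),
        "var-bw-upload": str(upload),
        "var-ff-out-download": f"INET-{download}-CLIENT-DOWNLOAD",
        "var-ff-in-upload": f"INET-{upload}-CLIENT-UPLOAD",
        "var-plr-download": f"plr-{download}",
        "var-plr-upload": f"plr-{upload}",
    }


def check(value):
    """Return the expanded variables, or None if the value must not be sent."""
    try:
        _, download, upload = parse_service_activate(value)
    except ValueError:
        return None
    return expand_variables(download, upload)


if __name__ == "__main__":
    # Constructed sample values: the page's own string plus two malformed ones.
    for sample in ("svc-local-pppoe(3072000,2048000)",
                   "svc-local-pppoe(3072000)",
                   "svc-local-pppoe(3072000,2048000) extra"):
        print(sample, "->", check(sample))
```
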

SETTING FIREWALL
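The last step is to define the filter rules. The firewall block below continues the svc-local-pppoe dynamic profile, and its final closing brace ends that profile.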


    firewall {
        family inet {
            filter "$var-ff-in-upload" {
                interface-specific;
                term POLICE {
                    then {
                        policer "$var-plr-upload";
                        service-accounting;
                        service-filter-hit;
                        accept;
                    }
                }
                term SERVICE-FILTER-HIT {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
            }
            filter "$var-ff-out-download" {
                interface-specific;
                term POLICE {
                    then {
                        policer "$var-plr-download";
                        service-accounting;
                        service-filter-hit;
                        accept;
                    }
                }
                term SERVICE-FILTER-HIT {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
            }
        }
        policer "$var-plr-download" {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit "$var-bw-download";
                burst-size-limit 1m;
            }
            then discard;
        }
        policer "$var-plr-upload" {
            logical-interface-policer;
            if-exceeding {
                bandwidth-limit "$var-bw-upload";
                burst-size-limit 1m;
            }
            then discard;
        }
    }
}

$var-plr-download and $var-plr-upload were created using values from the Juniper Radius attribute ERX-Service-Activate:1. We create dynamic policers using these values and then apply them in dynamic filters.
If you have any questions regarding Juniper Radius configuration, please feel free to ask us at support@splynx.com