This article is the second part of the Juniper MX Radius configuration tutorial.
In the first article, speed limitations were set by two Juniper Radius attributes:
    ERX-Ingress-Policy-Name = "{{ tariff_name }}"
    ERX-Egress-Policy-Name = "{{ tariff_name }}"
These attributes matched the Juniper firewall filter/policy to the tariff name in Splynx.
There is also a more advanced option that does not rely on matching tariff names to firewall filters. The setup is quite advanced, but also elegant: variables are used to define the policies and the speed.
Let’s start again with the basic Radius configuration:
    profile RAD {
        authentication-order radius;
        domain-name-server {
            8.8.4.4;
            8.8.8.8;
        }
        radius {
            authentication-server 192.168.1.5;
            accounting-server 192.168.1.5;
            options {
                nas-identifier JUN;
                accounting-session-id-format decimal;
            }
        }
        radius-server {
            192.168.1.5 {
                secret "$9$bLYJUjHqPTz7-UiHqQzRhcSvW"; ## SECRET-DATA
                source-address 192.168.1.6;
            }
        }
        accounting {
            order radius;
            immediate-update;
            coa-immediate-update;
            address-change-immediate-update;
            update-interval 10;
            statistics volume-time;
        }
    }
It is important to apply the access profile in the global configuration:
    access-profile RAD;
The second part is defining dynamic profiles using variables.
    svc-local-pppoe {
        variables {
            var-bw-download;
            var-bw-upload;
            var-ff-out-download {
                equals "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'";
                uid;
            }
            var-ff-in-upload {
                equals "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'";
                uid;
            }
            var-plr-download {
                equals "'plr-' ## $var-bw-download";
                uid;
            }
            var-plr-upload {
                equals "'plr-' ## $var-bw-upload";
                uid;
            }
        }
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    family inet {
                        filter {
                            input "$var-ff-out-download" precedence 100;
                            output "$var-ff-in-upload" precedence 100;
                        }
                    }
                    family inet6 {
                        filter {
                            input "$var-ff-out-download" precedence 100;
                            output "$var-ff-in-upload" precedence 100;
                        }
                    }
                }
            }
        }
As you can see, we can define policies for both IPv4 and IPv6 customers.
The Juniper Radius attribute that Splynx should send to the Juniper MX router is:
    ERX-Service-Activate:1 = "svc-local-pppoe(3072000,2048000)"
where 3072000 is the download speed and 2048000 is the upload speed.
This means that Juniper will set var-bw-download = 3072000 and var-bw-upload = 2048000. It will then build the var-ff-out-download and var-ff-in-upload variables and use them as the input and output filter names on the pp0 interface.
The last step is to define the filter rules:
        firewall {
            family inet {
                filter "$var-ff-in-upload" {
                    interface-specific;
                    term POLICE {
                        then {
                            policer "$var-plr-upload";
                            service-accounting;
                            service-filter-hit;
                            accept;
                        }
                    }
                    term SERVICE-FILTER-HIT {
                        from {
                            service-filter-hit;
                        }
                        then accept;
                    }
                }
                filter "$var-ff-out-download" {
                    interface-specific;
                    term POLICE {
                        then {
                            policer "$var-plr-download";
                            service-accounting;
                            service-filter-hit;
                            accept;
                        }
                    }
                    term SERVICE-FILTER-HIT {
                        from {
                            service-filter-hit;
                        }
                        then accept;
                    }
                }
            }
            policer "$var-plr-download" {
                logical-interface-policer;
                if-exceeding {
                    bandwidth-limit "$var-bw-download";
                    burst-size-limit 1m;
                }
                then discard;
            }
            policer "$var-plr-upload" {
                logical-interface-policer;
                if-exceeding {
                    bandwidth-limit "$var-bw-upload";
                    burst-size-limit 1m;
                }
                then discard;
            }
        }
    }
$var-plr-download and $var-plr-upload were created using values from the Juniper Radius attribute ERX-Service-Activate:1. We create dynamic policers using these values and then apply them in the dynamic filters.
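The expansion described above, as an added Python example that is not part of the original article and is not Splynx or Junos code: it parses the ERX-Service-Activate value, rejects anything that is not two bounded decimal speeds, and reproduces the strings that the profile's `equals` expressions build. The speed bounds and the exact-match profile allowlist are assumptions, and the router's `uid` handling of the generated names is not modelled.

```python
import re

# Value shape from the article: profile-name(download,upload)
_VALUE = re.compile(r"([A-Za-z0-9_-]+)\(([^()]*)\)")
_SPEED = re.compile(r"[1-9][0-9]*")  # plain decimal: no sign, unit or leading zero

# Assumed sanity bounds in bit/s (not from the article); adjust to your tariffs.
MIN_BPS, MAX_BPS = 32_000, 10_000_000_000


def parse_service_activate(value, allowed=("svc-local-pppoe",)):
    """Return (profile, download_bps, upload_bps) or raise ValueError."""
    m = _VALUE.fullmatch(value)
    if not m:
        raise ValueError(f"malformed value: {value!r}")
    profile, params = m.group(1), m.group(2).split(",")
    # Assumption: the name is compared exactly as written in the router config.
    if profile not in allowed:
        raise ValueError(f"unknown service profile: {profile!r}")
    if len(params) != 2:
        raise ValueError("expected two parameters: download, upload")
    speeds = []
    for p in params:
        # These strings are concatenated into filter and policer names,
        # so anything other than a bounded decimal number is rejected.
        if not _SPEED.fullmatch(p) or not MIN_BPS <= int(p) <= MAX_BPS:
            raise ValueError(f"bad speed parameter: {p!r}")
        speeds.append(int(p))
    return profile, speeds[0], speeds[1]


def expand_variables(value):
    """Mirror the profile's 'equals' expressions ('##' is concatenation)."""
    _, down, up = parse_service_activate(value)
    return {
        "var-bw-download": down,
        "var-bw-upload": up,
        "var-ff-out-download": f"INET-{down}-CLIENT-DOWNLOAD",
        "var-ff-in-upload": f"INET-{up}-CLIENT-UPLOAD",
        "var-plr-download": f"plr-{down}",
        "var-plr-upload": f"plr-{up}",
    }


if __name__ == "__main__":
    # Attribute value taken from the article.
    for name, val in expand_variables("svc-local-pppoe(3072000,2048000)").items():
        print(f"{name} = {val}")
```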