Home/ Blog/ Network management/ How to configure Juniper Radius server (updated)

How to configure Juniper Radius server (updated)

Thursday, March 10, 2022, 12:03

This is an updated version of the Radius server configuration with Juniper using variables for speed limitations.

1. Number one settings and a few general comments

The first and most crucial step before any configuration is made, use the command

set system dynamic-profile-options versioning

New profiles will not be used if this is not set because JunOS will say those old settings are still active. General comments to the configuration are:

Don’t use the same name for the definition of different profiles – we should have one for access(Radius), one is for the PPPoE template, one is for speed limits and one for applying an interface, and one more if QinQ is used. This will help split the configuration into parts and have order in it.
Don’t use the same Download and Upload speeds sometimes. Juniper ignores speed limits for no reason. (So, for example, if you have a 10M/10M plan, set 10M download and 9.99M upload).

2. Radius server definition in access profile RAD

set access profile RAD authentication-order radius set access profile RAD domain-name-server 8.8.4.4 set access profile RAD domain-name-server 8.8.8.8 set access profile RAD radius authentication-server 172.16.0.35 set access profile RAD radius accounting-server 172.16.0.35 set access profile RAD radius options nas-identifier JUN set access profile RAD radius options accounting-session-id-format decimal set access profile RAD radius-server 172.16.0.35 secret set access profile RAD radius-server 172.16.0.35 timeout 5 set access profile RAD accounting order radius set access profile RAD accounting immediate-update set access profile RAD accounting coa-immediate-update set access profile RAD accounting update-interval 10 set access profile RAD accounting statistics volume-time

3. Dynamic PPPOE for setting up the PPPoE virtual interface template

set dynamic-profiles PPPoE routing-instances "$junos-routing-instance" interface "$junos-interface-name" set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" no-traps set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" ppp-options chap set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface" set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" pppoe-options server set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" keepalives interval 30 set dynamic-profiles PPPoE interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"

4. Speed limitation profile differs from PPPOE and is called svc-inet-profile. Don’t confuse the names.

set dynamic-profiles svc-inet-profile variables var-bw-upload set dynamic-profiles svc-inet-profile variables var-bw-download set dynamic-profiles svc-inet-profile variables var-ff-in-upload equals "'INET-' ## $var-bw-upload ## '-CLIENT-UPLOAD'" set dynamic-profiles svc-inet-profile variables var-ff-in-upload uid set dynamic-profiles svc-inet-profile variables var-ff-out-download equals "'INET-' ## $var-bw-download ## '-CLIENT-DOWNLOAD'" set dynamic-profiles svc-inet-profile variables var-ff-out-download uid set dynamic-profiles svc-inet-profile variables var-plr-upload equals "'plr-' ## $var-bw-upload" set dynamic-profiles svc-inet-profile variables var-plr-upload uid set dynamic-profiles svc-inet-profile variables var-plr-download equals "'plr-' ## $var-bw-download" set dynamic-profiles svc-inet-profile variables var-plr-download uid set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter input "$var-ff-out-download" set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter input precedence 100 set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter output "$var-ff-in-upload" set dynamic-profiles svc-inet-profile interfaces pp0 unit "$junos-interface-unit" family inet filter output precedence 100 set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" interface-specific set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then policer "$var-plr-upload" set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then service-accounting set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then service-filter-hit set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term policer then accept set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term service from service-filter-hit set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-in-upload" term service then accept set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" interface-specific set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then policer "$var-plr-download" set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then service-accounting set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then service-filter-hit set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term policer then accept set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term service from service-filter-hit set dynamic-profiles svc-inet-profile firewall family inet filter "$var-ff-out-download" term service then accept set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" logical-interface-policer set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" if-exceeding bandwidth-limit "$var-bw-download" set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" if-exceeding burst-size-limit 1m set dynamic-profiles svc-inet-profile firewall policer "$var-plr-download" then discard set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" logical-interface-policer set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" if-exceeding bandwidth-limit "$var-bw-upload" set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" if-exceeding burst-size-limit 1m set dynamic-profiles svc-inet-profile firewall policer "$var-plr-upload" then discard

5. VLAN profile that is used to set up PPPoE server on the VLAN interface

set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" vlan-id "$junos-vlan-id" set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface" set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0 set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator JUN set dynamic-profiles VLAN interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PPPoE

6. Apply PPPOE to the VLAN physically


ae0 {
flexible-vlan-tagging;
auto-configure {
vlan-ranges {
dynamic-profile VLAN {
accept pppoe;
ranges {
any;
}
}
}
remove-when-no-subscribers;
}

7. Radius attribute should be this one with a selection of Speed Limitation profile

ERX-Service-Activate:1 = SERVICE({{ rx_rate_limit/1024/1000}}M,{{ tx_rate_limit/1024/1000}}M)

Please note that M was added to send the data from Splynx to Juniper in Megabits. Juniper accepts the speeds such as 1M, 2M, 20M, and similar, so please be sure that the variable in the attribute will return your desired number.