Junos OS

Can some one help? PPPOE client is windows XP inbuilt-client.

My configuration is

juniper@SLIC-MEDG-003# show dynamic-profiles                       
PPPOE {
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                ppp-options {
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                keepalives interval 30;
                family inet {
                    filter {
                        input "$junos-input-filter";
                        output "$junos-output-filter";
                    }
                    unnumbered-address lo0.0;
                }
            }
        }
    }
}

juniper@SLIC-MEDG-003# show access | except SECRET-DATA      
radius-server {
    10.11.9.38 {
        port 1812;
        accounting-port 1813;
        source-address 10.12.0.10;
    }
}
group-profile DNS {
    ppp {
        primary-dns 8.8.8.8;
    }
}
profile RADIUS {
    accounting-order radius;
    authentication-order radius;
    radius {
        authentication-server 10.11.9.38;
        accounting-server 10.11.9.38;
        options {
            nas-identifier 56;
            client-authentication-algorithm round-robin;
            client-accounting-algorithm round-robin;
            juniper-dsl-attributes;
        }
    }
    accounting {
        order radius;                   
        accounting-stop-on-failure;
        accounting-stop-on-access-deny;
        immediate-update;
        update-interval 10;
        statistics volume-time;
    }
}
address-assignment {
    pool PPPOE-1 {
        family inet {
            network 10.12.0.0/24;
            range 1 {
                low 10.12.0.15;
                high 10.12.0.200;
            }
            dhcp-attributes {
                maximum-lease-time infinite;
                name-server {
                    8.8.8.8;
                }
                router {
                    10.12.0.10;
                }
            }
            xauth-attributes {
                primary-dns 8.8.8.8/32;
            }
        }
    }
    pool PPPOE-2 {
        family inet {
            network 10.1.0.0/24;
            range 1 {
                low 10.1.0.1;
                high 10.1.0.254;
            }
        }
    }
}

Interface configuration is

juniper@SLIC-MEDG-003# show interfaces ge-1/0/0.107
description "###BSR TEST###";
proxy-arp;
vlan-id 107;
family pppoe {
    access-concentrator SLIC-MEDG-003;
    dynamic-profile PPPOE;
    max-sessions 100;
}

Connectivity is

Windows XP PPPOE client ---> Swicth ----> MX480

PPPOE Statitistics

juniper@SLIC-MEDG-003# run show pppoe statistics
Active PPPoE sessions: 0
  PacketType                       Sent         Received
    PADI                              0              114
    PADO                            114                0
    PADR                              0              113
    PADS                            113                0
    PADT                             14              113
    Service name error                0                0
    AC system error                   0                0
    Generic error                     0                0
    Malformed packets                 0                0
    Unknown packets                   0                0

Could you run "monitor traffic interface ge-1/0/0.107 size 1500" and paste the output here ? Also contents of authd log would be useful.

Thank you for the reply.

I changed the configuration as this,

pppoe-profile {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                ppp-options {
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                keepalives interval 3;
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
}

and

juniper@SLIC-MEDG-003# show access | except SECRET-DATA
radius-server {
    10.11.9.38 {
        port 1812;
        accounting-port 1813;
        source-address 10.12.0.10;
    }
}
group-profile DNS {
    ppp {
        primary-dns 119.235.0.4;
        secondary-dns 8.8.8.8;
    }
}
profile noradius-auth {
    authentication-order radius;
    radius {
        authentication-server 10.11.9.38;
        accounting-server 10.11.9.38;
    }
}
address-assignment {
    pool pool1 {
        family inet {
            network 119.235.12.0/29;
            xauth-attributes {
                primary-dns 119.235.0.4/32;
                secondary-dns 8.8.8.8/32;
            }
        }
    }
}

juniper@SLIC-MEDG-003# show interfaces ge-1/0/0.107
vlan-id 107;
family pppoe {
    dynamic-profile pppoe-profile;
}

now everything working fine in Routing Instance: default.

I created another routing instance and assign another loopback and ge-1/0/0.107 but I can't see internal routes in routing instace.

Can you please help?

I'm guessing that the problem when you were using your first setup was that either you weren't returning valid input and output policy names from Radius in Access-Accept or that those policies weren't configured with "interface-specific" keyword.

As for the second setup could you explain what do you mean by "internal routes" ? If you are reffering to access routes installed via Framed-Route Radius attribute you must include following configuration in your dynamic-profile :

Also if you are planning to use address pools with routing instances, those address pools should be configured under given routing instance context. I hope this helps.

One more thing: instead of configuring ge-1/0/0.107 under your routing instance, return Unisphere-Virtual-Router attribute. This attribute should be returned in format "Logical-System:Routing-Instance, for example "default:yourinstance1". Remember that default is the only supported option in Junos for Logical-System when using PPPoE dynamic interfaces.

http://www.juniper.net/techpubs/software/junos/junos123/radius-dictionary/unisphereDictionary_for_JUNOS_v12-3.dct

Realy appriciate your inputs KamilD. Thanks.

Let me explain further.

I have created this routing instance

{master}[edit routing-instances PPPoe-Internet]
juniper@SLIC-MEDG-003# show
instance-type vrf;
interface ge-1/0/0.107;
interface xe-4/1/1.14;
interface lo0.14;
route-distinguisher 65001:1120014003;
vrf-target target:65001:1120014003;
vrf-table-label;
protocols {
    bgp {
        group IGW-SLIC {
            type external;
            peer-as 45678;
            neighbor 10.12.2.250;
        }
    }
}

Now ge-1/0/0.107  and interface lo0.14 are in the routing-instances PPPoe-Internet.

Routing table routing-instances PPPoe-Internet

PPPoe-Internet.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 00:26:30, localpref 100
                      AS path: 45678 18936 I, validation-state: unverified
                    > to 10.12.2.250 via xe-4/1/1.14
10.12.0.100/32     *[Direct/0] 00:14:38
                    > via lo0.14
10.12.2.248/29     *[Direct/0] 00:28:10
                    > via xe-4/1/1.14
10.12.2.249/32     *[Local/0] 00:28:10
                      Local via xe-4/1/1.14

I want my subcribers interfaces appear in routing-instances PPPoe-Internet.

But subscriber interfaces still can be seen in inet.0

juniper@SLIC-MEDG-003# run show route | match 119.235.12.6

inet.0: 70 destinations, 71 routes (70 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both
119.235.12.6/32    *[Access-internal/12] 00:01:17
                    > via pp0.1073742047

How can I assign dynamic-profile; i.e pp0.xxxxx to sepcific routing instance? Which knob should I enable?

Thanks again.

Could you enable authd.log like shown below?

system {

    processes {
        general-authentication-service {
            traceoptions {
                file authd.log  size 1m files 5;
                flag radius;
            }
        }
    }
}

then run "monitor start authd.log" and paste output from session establishment.

My guess at the moment is that upon successful subscirber authentication your Radius authentication server is not returning "Unisphere-Virtual-Router" attribute in Access-Accept which would show where would you like this session to be established. (in which routing instance).By default (if this attribute is not provided) session is stablished in default routing instance.In your case the value of this attribute should be set to : "default:PPPoe-Internet".

Inserting an interface with a dynamic-profile in a VRF is is not going to help you establish a session there. It is still going to be established in "default:default".

Also configure an address assignment pool under your VRF.

Hi KamilD

This is the log output.

juniper@SLIC-MEDG-003# run monitor start authd.log

{master}[edit]
juniper@SLIC-MEDG-003#                    
*** authd.log ***
Apr 11 09:56:21.324244 authd_radius_start_auth: Starting RADIUS authentication
Apr 11 09:56:21.324390 authd_radius_build_basic_auth_request: got params  profile=noradius-auth, username=gallezone
Apr 11 09:56:21.324403 radius-access-request: User-Name added: xxxxxx
Apr 11 09:56:21.324412 radius-access-request: User-Password added: ""
Apr 11 09:56:21.324439 radius-access-request: Service-Type added: 2
Apr 11 09:56:21.324455 radius-access-request: Framed-Protocol added: 1
Apr 11 09:56:21.324471 radius-access-request: Chargeable-User-Identity added:
Apr 11 09:56:21.324486 radius-access-request: Acct-Session-Id added: 253
Apr 11 09:56:21.325235 radius-access-request: DHCP-MAC-Address (Juniper-ERX-VSA) added: 001a.a00a.77d5
Apr 11 09:56:21.325262 radius-access-request: NAS-Identifier added: SLIC-MEDG-003
Apr 11 09:56:21.325277 radius-access-request: NAS-Port added: 10 00 00 6b
Apr 11 09:56:21.325289 radius-access-request: NAS-Port-Id added: ge-1/0/0.107:107
Apr 11 09:56:21.325302 radius-access-request: NAS-Port-Type added: 15
Apr 11 09:56:21.427388 authd_radius_get_config:Using radius option config from access stanza
Apr 11 09:56:21.427416 Radius result is CLIENT_REQ_STATUS_SUCCESS

Our radius server is only doing authentication+giving package for the subscriber

Smartm,

Could you reconfigure your Radius server so that it would send "Unisphere-Virtual-Router" attribute set to "default:PPPoe-Internet" in Access-Accept. You should then see a following message in your authd.log:

radius-access-accept: Virtual-Router (Juniper-ERX-VSA) received: default:PPPoe-Internet

If this is not an option, this looks promising (but I haven't ever configured it):

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/pppoe-service-name-table-dynamic-profile.html

Many thanks for extended help.

Our radius server is Radiator, can I use same VSAs in there?

I am not familiar with Radiator software so I can't help you with this. But I am pretty sure this can be done with almost any Radus server software.

Many thanks KamilD.

We tested this with SBR. assigning ERX-Virtual-Router-Name:default:PPPoe-INTERNET

juniper@SLIC-MEDG-003# run show subscribers extensive
Type: PPPoE
User Name: test
IP Address: 119.235.xx.x
IP Netmask: 255.255.255.252
Primary DNS Address: 119.235.0.4
Secondary DNS Address: 8.8.8.8
Logical System: default
Routing Instance: PPPoe-Internet
Interface: pp0.1073742115
Interface type: Dynamic
Underlying Interface: ge-1/0/0.107
Dynamic Profile Name: pppoe-profile
MAC Address: 00:1a:a0:0a:77:d5
State: Active
Radius Accounting ID: 311
Session ID: 311
VLAN Id: 107
Login Time: 2014-04-11 15:18:06 IST
IP Address Pool: pool-2

Good to hear. Good luck with your tests.

Hi KamilD,

thousend appologies for reviving this old post.

I was facing pppoe issue yesterday and what you said on below message helped me. my filter was not setup with interface-specific and hence the MX wasnt able to finish the pp0.xxx interface creation and was killing the sessions, adding inteface-specific solved it. 

now i wanted to ask two things:

1) why must the filter be interface-specific? i normaly use non-interface-specific filter on on normal interfaces like ge-1/1/1.111 and it works.

1) incase i need to do traceoptions at MX level, where will my traceoptions be ? under PPPOE/ppp/ppp-service?? ... will this traceoptions throw accurate error of filter not interface specific? will the log be that specific ??

Hi,

Please open new thread for the new queries. This will help others following the forum.

Please let us know the version on MX.  If above 15.1, you can enable smg-service traceoptions.

show shmlog entries logname all   <<< Should also show the issue.

Regards,

Rahul

Hi Rahul,

OK. will open new thread. 

MX version is 15.1 currently.