Junos OS

  • 1.  Radius COA

    Posted 10-07-2012 00:30

    I have dhcp-local-server configured on a virtual-router on an MX480 router. I am trying to disconnect DHCP subscribers using RADIUS server CoA, but I get a Disconnect-NAK message.

    Everything works fine when the users use the global dhcp-local-server (not in a virtual-router).

    No firewall; the MX can reach RADIUS through the virtual-router.

    What could be the problem?



  • 2.  RE: Radius COA

    Posted 10-07-2012 04:05

    Good day!

     

    For RADIUS CoA to work correctly on the MX platform (if you use a virtual-router to isolate subscribers and access to the RADIUS server), you need to change the "domain" option in the "access" section.

     

    For example:

     

    domain {
            map default {
                aaa-routing-instance VRF-RADIUS;
                access-profile RADIUS-profile;
            }
        }

    VRF-RADIUS is the virtual-router through which the MX reaches the RADIUS server.

    RADIUS-profile is a working profile for interaction between the MX and the RADIUS server.

     

    Otherwise the MX tries to process the CoA request for the subscribers in the virtual-router.



  • 3.  RE: Radius COA

    Posted 10-07-2012 05:32

    Here is my configuration:

    routing-instances {
        TEST {
            instance-type virtual-router;
            system {
                services {
                    dhcp-local-server {
                        group TEST-GROUP {
                            authentication {
                                password passwd;
                                username-include {
                                    option-82 remote-id;
                                }
                            }
                            dynamic-profile DHCP_DYNAMIC_PROFILE;
                            interface ge-0/0/2.515;
                            interface ge-0/1/0.515;
                        }
                    }
                }
            }
            access {
                address-assignment {
                    pool 1 {
                        family inet {
                            network x.x.x.0/24;
                            range RANGE {
                                low x.x.x.10;
                                high x.x.x.255;
                            }
                            dhcp-attributes {
                                maximum-lease-time 60;
                                name-server {
                                    x.x.x.x;
                                }
                                router {
                                    x.x.x.1;
                                }
                            }
                        }
                    }
                }
            }
            access-profile TEST_ACCESS_PROFILE;
            interface ge-0/0/2.515;
            interface ge-0/1/0.515;
            interface lo0.515;
        }
    }

    access {
        radius-server {
            x.x.x.x {
                secret "testing123"; ## SECRET-DATA
                source-address x.x.x.x;
            }
        }
        profile TEST_ACCESS_PROFILE {
            authentication-order radius;
            radius {
                authentication-server x.x.x.x;
                accounting-server x.x.x.x;
            }
            accounting {
                order radius;
                immediate-update;
                coa-immediate-update;
                update-interval 120;
                statistics volume-time;
                duplication;
            }
        }
    }

    I don't use a domain name for my users. I only want to disconnect users connected to the routing-instance TEST using the RADIUS server.

    It only worked when I put the interface connected to the RADIUS server in the routing-instance.



  • 4.  RE: Radius COA
    Best Answer

    Posted 10-07-2012 21:09

    Hi manaf.

    For you it works when the subscribers and the RADIUS server are in the same routing-instance environment, in your case routing-instance TEST. No, no, the "domain name" in the "access" section is not the same as a DNS suffix. 🙂

    The "Junos OS 11.4 Subscriber Access Configuration Guide" says:

    By default a domain map uses the subscriber logical system/routing instance as the context in which the authd daemon sends AAA authentication and accounting requests.

     

    Try the following:

    1) Change the behavior of the default domain map in the "access" section.

     

    domain {
        map default {
            access-profile TEST_ACCESS_PROFILE;
        }
    }

     

     

    2) If that doesn't help, try the following:

    Move the RADIUS interaction to a separate routing-instance, for example a routing-instance named "RADIUS", so that access from the MX to the RADIUS server goes through a separate VRF. Then apply the following configuration:

     

    domain {
        map default {
            aaa-routing-instance RADIUS;
            access-profile TEST_ACCESS_PROFILE;
        }
    }
    

     

     



  • 5.  RE: Radius COA

    Posted 10-08-2012 00:02

    Thanks a lot, Aleksandr.

     

    It works after putting the radius-server interface in a separate virtual-router 🙂 and a domain map with access-profile as in solution #2.



  • 6.  RE: Radius COA

    Posted 10-08-2012 00:14

    Very good. 🙂



  • 7.  RE: Radius COA

    Posted 10-08-2012 01:39

    I have another problem now.

    Since all my users use the default domain, I can't use a different access-profile for a specific routing-instance. For example:

    I want routing-instance TEST to use access-profile TEST_ACCESS_PROFILE and routing-instance TEST2 to use access-profile TEST2_ACCESS_PROFILE.

    Any suggestion?



  • 8.  RE: Radius COA

    Posted 10-08-2012 08:52

    Hmm ............ Then the "default domain map" (domain map default) will not do. You need to configure additional domain maps to divide subscribers among the different routing-instances. You need to come up with some way to divide the domains. Try using the pool name (address-pool pool-name) or the subscribers' domain name as the basis.

     

    https://www.juniper.net/techpubs/en_US/junos12.2/topics/concept/subscriber-management-domain-maps.html

     

    What do you use the "access-profile" statement in routing-instance TEST for? Do you use different RADIUS profiles for different groups of subscribers?

     

    If the profile for working with the RADIUS server is the same, subscribers can be divided among different routing-instances through the RADIUS VSA attribute Virtual-Router (on successful authentication of the subscriber).



  • 9.  RE: Radius COA

    Posted 10-09-2012 01:28

    Finally I made a workaround to solve it using the domain map 🙂

    I have added domain-name in dhcp-local-server in routing-instance TEST:

    routing-instances {
        TEST {
            instance-type virtual-router;
            system {
                services {
                    dhcp-local-server {
                        group TEST-GROUP {
                            authentication {
                                password passwd;
                                username-include {
                                    domain-name TEST;
                                    option-82 remote-id;
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    Then I created a domain map TEST to call the requested access-profile TEST_ACCESS_PROFILE, and strip the domain since my RADIUS doesn't understand the domain:

     

    domain {
        map TEST {
            aaa-routing-instance RADIUS;
            access-profile TEST_ACCESS_PROFILE;
            strip-domain;
        }
    }

     

    The CoA disconnect is working now on both RADIUS profiles 🙂

    Thank you, Aleksandr, for your hint about the domain map.



  • 10.  RE: Radius COA

    Posted 11-02-2012 03:39

    My config is like Manaf's. I use domain map and strip. Then:

     

    demux0.1073757705 10.10.10.10  000a.e4ed.def7 default:RADIUS-VR

     

    After I send CoA to disconnect:

    Sending Disconnect-Request of id 85 to 10.1.0.10 port 3799
    Acct-Session-Id = "5475516"


    radclient: no response from server for ID 85 socket 3

    Total approved auths: 0
    Total denied auths: 0
    Total lost auths: 1

     

    Can you show a CoA Disconnect-Request for a user in a virtual-router?

    Many Thanks

     



  • 11.  RE: Radius COA

    Posted 11-02-2012 13:39

    Hi,

    I used a routing-instance for the RADIUS server and put the interface connected to the RADIUS server in this routing-instance:

     

    routing-instances {
        RADIUS {
            instance-type virtual-router;
            interface ge-0/0/8.20;
            interface ge-0/0/8.52;
            interface ge-0/0/8.92;
        }
    }

    and then mapped this routing-instance in the domain map:

     

    access {
        domain {
            map default {
                aaa-routing-instance RADIUS;
                access-profile RADIUS_ACCESS_PROFILE;
            }
        }
    }

     



  • 12.  RE: Radius COA

    Posted 11-05-2012 03:12

    Many thanks for the reply.

     

     

     

     

    domain {
        map icamp {
            aaa-routing-instance DOMAIN-VR;
            target-routing-instance DOMAIN-VR;
            strip-domain;
        }
        map default {
            access-profile mx-aaa;
        }
    }

     

    When I add the RADIUS interface into the VR I receive:

     

    Sending Disconnect-Request of id 232 to 10.1.0.10 port 3799
    Acct-Session-Id = "6052794"
    radclient: no response from server for ID 232 socket 3

    Total approved auths: 0
    Total denied auths: 0
    Total lost auths: 1

     

    ============ CoA/Disconnect Callback =================

    Nov 5 12:53:01 dyn_req_disconnect_cb attributes remote_addr:(10.1.0.1) remote_port:(33784), rtbl_idx:(0)
    Nov 5 12:53:01 received in AVP disconnect req type:44 val:6052794 len:7
    Nov 5 12:53:01 authd_verify_request_context: failing verification: context: user: [default:DOMAIN-VR]; lookup index: <4>; request index: <0>
    Nov 5 12:53:01 nak_error_cause 0 ret_val -1

    Nov 5 12:53:01 authd_auth_aaa_msg_destroy
    Nov 5 12:53:01 authd_auth_get_conn: Bad connection ID .
    Nov 5 12:53:01 authd_auth_aaa_msg_destructauth_aaa_msg: 0x22b62e0

     

    If I remove the RADIUS interface from the VR I receive:

     

    Sending Disconnect-Request of id 156 to 10.1.0.10 port 3799
    Acct-Session-Id = "6052794"
    rad_recv: Disconnect-NAK packet from host 10.1.0.10 port 3799, id=156, length=20

    Total approved auths: 0
    Total denied auths: 1
    Total lost auths: 0

     

    Sessions are created under the VR like this:

    admin@MX80# run show dhcp server binding routing-instance DOMAIN-VR

    IP address        Session Id   Hardware address    Expires   State   Interface
    176.114.32.223    6026526      00:0a:e4:ed:de:f7   87        BOUND   ae1.62
    176.114.32.154    6049647      00:e0:4d:40:81:2b   88        BOUND   ae1.62
    176.114.32.168    6052794      84:2b:2b:96:c6:62   79        BOUND   ae1.62
    176.114.32.23     6038289      f8:d1:11:02:26:bb   60        BOUND   ae1.62

     

     

    JUNOS Base OS boot [11.2R7.4]

    What version are you using?
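The radclient output quoted in the last three posts shows the two outcomes a CoA client can get from the MX: a Disconnect-NAK (here 20 bytes long, so a bare header with no Error-Cause attribute), or no answer at all while the authd trace on the router shows the request failing context verification. The following script is an added example, not code from this thread or from Juniper; it does in Python what radclient does above, building an RFC 5176 Disconnect-Request with Acct-Session-Id, authenticating it with the shared secret, and classifying the reply as Disconnect-ACK, Disconnect-NAK (with the optional Error-Cause) or timeout. The NAS address, the secret "testing123", the session id and the `build_nas_reply` helper that plays the router's side offline are all placeholders for the demo.

```python
"""RADIUS Disconnect-Request / Disconnect-ACK / Disconnect-NAK (RFC 5176).

Added example, not code from the thread or from Juniper: it reproduces in
Python what radclient does in the posts above.  NAS address, shared secret
and session id are placeholders; build_nas_reply() is a constructed stand-in
for the router so the demo runs offline."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_ACCT_SESSION_ID = 44   # the attribute radclient sent in the thread
ATTR_ERROR_CAUSE = 101      # RFC 5176 section 3.5
ERROR_CAUSE = {
    401: "Unsupported-Attribute", 402: "Missing-Attribute",
    403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
    503: "Session-Context-Not-Found", 504: "Session-Context-Not-Removable",
    506: "Resources-Unavailable",
}


def attr(attr_type, value):
    """One RADIUS attribute TLV: type (1 byte), total length (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def error_cause_attr(code):
    return attr(ATTR_ERROR_CAUSE, struct.pack("!I", code))


def build_disconnect_request(identifier, secret, acct_session_id, extra=b""):
    attrs = attr(ATTR_ACCT_SESSION_ID, acct_session_id.encode()) + extra
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator: MD5(Code+ID+Length+16 zero octets+Attributes+Secret).
    # The NAS recomputes this with its copy of the secret before acting.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(data):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def check_response(request, response, secret):
    """Authenticate the NAS reply against the request it answers.
    Returns (kind, error_cause_name); raises ValueError on any failed check."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        raise ValueError("length field disagrees with datagram")
    if identifier != request[1]:
        raise ValueError("identifier does not match request")
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    cause = None
    for t, v in parse_attributes(response[20:]):
        if t == ATTR_ERROR_CAUSE and len(v) == 4:
            cause = ERROR_CAUSE.get(struct.unpack("!I", v)[0], "Unknown")
    if code == DISCONNECT_ACK:
        return "Disconnect-ACK", cause
    if code == DISCONNECT_NAK:
        return "Disconnect-NAK", cause
    raise ValueError("unexpected RADIUS code %d" % code)


def build_nas_reply(request, code, secret, attrs=b""):
    """Constructed NAS side, used only for the offline demo and tests."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def send_disconnect(nas_host, secret, acct_session_id, identifier=1, port=3799, timeout=3.0):
    """Live version: returns ("timeout", None) when the NAS never answers,
    which is the 'no response from server' case in the thread."""
    req = build_disconnect_request(identifier, secret, acct_session_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (nas_host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout", None
    return check_response(req, data, secret)


if __name__ == "__main__":
    secret = b"testing123"                       # placeholder shared secret
    req = build_disconnect_request(85, secret, "5475516")
    # A 20-byte Disconnect-NAK with no Error-Cause, like the one radclient
    # printed in the thread (length=20): the NAS refused but did not say why.
    print(check_response(req, build_nas_reply(req, DISCONNECT_NAK, secret), secret))
    # A NAK that carries Error-Cause 503 (Session-Context-Not-Found).
    print(check_response(req, build_nas_reply(req, DISCONNECT_NAK, secret, error_cause_attr(503)), secret))
    print(check_response(req, build_nas_reply(req, DISCONNECT_ACK, secret), secret))
```

Two things worth noting when reading the radclient output above against this code. A NAK of length 20 carries no Error-Cause, so the client learns only that the router refused the request; Error-Cause is the only standard way the NAS can say "session context not found", and the authd trace's `nak_error_cause 0` matches a NAK sent without it. A timeout, on the other hand, is indistinguishable on the client side from packet loss, a wrong shared secret (the NAS silently drops a request whose authenticator does not verify) or the request arriving in a routing context where the session does not exist, which is why the router-side trace, not the client, is where that case gets diagnosed.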