Routing

Controlling PPP Users

‎10-31-2017 03:42 AM

Hi,

 

Having searched on Google, I am struggling to find documentation to help with the configuration of what PPP users can and cannot do.

 

For example, do I control it from the LNS? Do I control it from the RADIUS (FreeRADIUS)... Having looked at the VSAs for FreeRADIUS, I do not think I can control routing, which LNS to use, bandwidth, etc. from the FreeRADIUS box... so, is there a document somewhere, from Juniper, that shows how to do this via the LNS please?

 

Thanks


Re: Controlling PPP Users

‎10-31-2017 04:25 AM

Hi,

 

I believe you're looking for the services that can be provided to PPP subscribers terminating on the LNS.

 

You can refer to the following documents.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-dynamic-firew...

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/aaa-subscriber-access-rad...

https://www.juniper.net/documentation/en_US/junos/topics/concept/aaa-radius-coa-overview.html

 

You need both RADIUS and the MX for controlling the subscribers. Example: assigning a special bandwidth quota to subscribers.

 

On MX

 

Configure the FW filter under the dynamic-profile. Here I am using a variable, as the value will be assigned from RADIUS.

            family inet {
                filter {
                    input $junos-input-filter;
                    output $junos-output-filter;
                }
            }

Define the FW filter and policer under the FW stanza.

 

firewall {
    family inet {
        filter 12M {
            interface-specific;
            term 1 {
                then {
                    policer 12M;
                    service-accounting;
                    service-filter-hit;
                    accept;
                }
            }
        }
    }
    policer 12M {
        filter-specific;
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 12m;
            burst-size-limit 3m;
        }
        then discard;
    }
}

 

From RADIUS, return the attribute for the subscriber during the authentication phase.

test     Cleartext-Password := "test"
         ERX-Ingress-Policy-Name = "12M",
         ERX-Egress-Policy-Name = "12M"

 

Please let me know the specific services you're looking for so I can help you better :)

 

Regards,

Rahul N
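
A consistency check for the procedure in the reply above, as an added example that is not part of the original post: it lists policy names a FreeRADIUS users file would return that have no matching filter in the Junos firewall stanza. The user test2, the name 50M and both sample texts are constructed, and the parser only handles the simple quoted attribute form shown in the thread.

```python
import re

# Constructed samples modelled on the snippets in the reply above.
JUNOS_FIREWALL = """
firewall {
    family inet {
        filter 12M {
            interface-specific;
            term 1 { then { policer 12M; accept; } }
        }
    }
}
"""
USERS = """
test     Cleartext-Password := "test"
         ERX-Ingress-Policy-Name = "12M",
         ERX-Egress-Policy-Name = "12M"

test2    Cleartext-Password := "test2"
         ERX-Ingress-Policy-Name = "12M",
         ERX-Egress-Policy-Name = "50M"
"""

POLICY_ATTRS = {"ERX-Ingress-Policy-Name", "ERX-Egress-Policy-Name"}
REPLY_RE = re.compile(r'^\s+([\w-]+)\s*[:+]?=\s*"([^"]*)"\s*,?\s*$')

def junos_filters(config):
    """Names of every 'filter NAME {' stanza in the Junos config text."""
    return set(re.findall(r'^\s*filter\s+(\S+)\s*\{', config, re.M))

def radius_policy_refs(users):
    """Yield (user, attribute, filter_name) for each policy-name reply item."""
    user = None
    for line in users.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # check line: starts a new user entry
            user = line.split()[0]
            continue
        m = REPLY_RE.match(line)
        if m and m.group(1) in POLICY_ATTRS:
            yield user, m.group(1), m.group(2)

def undefined_filters(users, config):
    """Policy names RADIUS would return that the router does not define."""
    defined = junos_filters(config)
    return [ref for ref in radius_policy_refs(users) if ref[2] not in defined]

for user, attr, name in undefined_filters(USERS, JUNOS_FIREWALL):
    print(f"{user}: {attr} = {name!r} has no matching filter on the MX")
```
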


Re: Controlling PPP Users

‎10-31-2017 04:59 AM

Hi Rahul,

 

As always, thank you for the information:

 

We are using L2TP and PPP for authentication, but I have been given a remit for our RADIUS or LNS to define customer requirements (this is a small ISP I am designing and configuring, but for approximately 16,000 customers)...

 

Requirements can be, but not limited to:

Routing options (what route the customer must use)

QoS or CoS (Bandwidth attributes)

What LNS (we have 2) should we inform the LAC the customer should use

Static IPv6 and IPv4 Address assignment to CPE ( We will supply fully managed CPE to customer)

 

Without sitting around a table with the Directors, I cannot say exactly what we will require, but the above is a definite.

 

Thank you Rahul...


Re: Controlling PPP Users

‎10-31-2017 05:58 AM

Hi,

You need to modify the dynamic-profile to support CoS and IPv6.

I assume you will be using NDRA and DHCPv6 PD [WAN and LAN]

 

For CoS, you need the below attributes to be pushed from RADIUS.

 

test    Cleartext-Password := "test"
        ERX-CoS-Shaping-Pmt-Type += "T01 SCHEDULER-MAP-TEST",
        ERX-CoS-Shaping-Pmt-Type += "T02 20m"

 

LNS# show dynamic-profiles dyn-lns-profile | no-more
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            dial-options {
                l2tp-interface-id l2tp-encapsulation;
            }
            family inet {
                unnumbered-address "$junos-loopback-interface";
            }
            family inet6 {
                unnumbered-address "$junos-loopback-interface";
            }
        }
    }
}
protocols {
    router-advertisement {
        interface "$junos-interface-name" {
            prefix $junos-ipv6-ndra-prefix;
        }
    }
}
class-of-service {
    traffic-control-profiles {
        TEST {
            scheduler-map "$junos-cos-scheduler-map";
            shaping-rate "$junos-cos-shaping-rate";
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                output-traffic-control-profile TEST;
            }
        }
    }
    scheduler-maps {
        SCHEDULER-MAP-TEST {
            forwarding-class BE scheduler SCHEDULER-BE;
            forwarding-class NC scheduler SCHEDULER-NC;
            forwarding-class AF scheduler SCHEDULER-AF;
            forwarding-class EF scheduler SCHEDULER-EF;
        }
    }
    schedulers {
        SCHEDULER-BE {
            transmit-rate percent 30;
            priority low;
        }
        SCHEDULER-AF {
            transmit-rate percent 20;
            priority high;
        }
        SCHEDULER-NC {
            transmit-rate percent 20;
            priority high;
        }
        SCHEDULER-EF {
            shaping-rate percent 30 burst-size 2k;
            priority strict-high;
        }
    }
}

 

DHCPv6 PD

 

LNS# show system services
dhcp-local-server {
    dhcpv6 {
        overrides {
            process-inform;
        }
        group DHCPv6_LOCAL {
            overrides {
                delegated-pool PD;
            }
            interface si-0/0/0.0;
        }
    }
}

 

ACCESS

 

{master}[edit access]
LNS# show
 address-assignment {
    neighbor-discovery-router-advertisement NDRA;
    pool PD {
        family inet6 {
            prefix XXX:XXXX:YYYY::/48;
            range 2 prefix-length 64;
        }
    }
    pool NDRA {
        family inet6 {
            prefix XXX:YYYY:ZZZZ::/48;
            range p1 prefix-length 64;
        }
    }
}

 

NOTE: NDRA/PD can be assigned by RADIUS like we assign framed-address for IPv4.

 

For choosing the LNS from the LAC, the LAC can use username, domain-map, etc. It depends on what the LAC wants to use.

 

The routing-option part is not clear. For every subscriber there will be an access-internal route created. Can you please explain in brief?

 

Regards,

Rahul N


Re: Controlling PPP Users

‎10-31-2017 09:11 AM

Hi Rahul

 

Thank you for the help again and the config. I'm really sorry but I will not be able to implement and test this until tomorrow, but I will let you know the results. Again, very kind of you and thank you.


Re: Controlling PPP Users

‎11-02-2017 01:47 AM

Hi Rahul,

 

Many apologies. I had forgotten I had a holiday yesterday...... will attempt to test today and let you know the results.


With regards to the section that says the RADIUS must push out the following:

test    Cleartext-Password := "test"
        ERX-CoS-Shaping-Pmt-Type += "T01 SCHEDULER-MAP-TEST",
        ERX-CoS-Shaping-Pmt-Type += "T02 20m"

 

Is that placed in the NAS entry in clients.conf on the RADIUS server under /etc/raddb ?

 

Also, the LAC will have no option with choosing the LNS. We have to supply the LAC with that information.... but from where?

 

Routing: I think I can work that section out as we go along. The big problem at the moment is that I only have the following (as a complete test and connected to nothing external):

 

Cisco 1841 (PPP Client) --> Cisco 1841 (LAC) --> Juniper MX240 (LNS) --> Juniper MX240 (Core) --> Juniper SRX1500 (Basic any any any rule base currently) --> RADIUS

 

So, we do not have any access to any external wholesale ISP. Once the equipment is in situ then we can test fully the implementations.

 

Thanks

 

Solution
Accepted by topic author adgwytc
‎11-15-2017 07:53 AM

Re: Controlling PPP Users

‎11-02-2017 03:18 AM

Hi,

 

NAS should be defined under clients.conf

client XX.XX.XX.XX  {
        secret  = XXXXX
        shortname = MX104
}

 

Attributes should be defined in the users file.

 

test    Cleartext-Password := "test"
        ERX-CoS-Shaping-Pmt-Type += "T01 SCHEDULER-MAP-TEST",
        ERX-CoS-Shaping-Pmt-Type += "T02 20m"

 

Both files are under /etc/raddb.

 

LAC can use username, domain-map to choose LNS as mentioned earlier.

 

Regards,

Rahul N


Re: Controlling PPP Users

‎03-07-2018 11:48 AM

Hello,

 

How do I control the bandwidth of PPPoE clients in dual-stack IPv4 / IPv6?
I tested its configuration and only IPv4 was controlled.