Supporting Exchange Of Extensible Authentication Protocol Messages; Immediate Accounting Updates - Juniper JUNOSE SOFTWARE 11.2.X - BROADBAND ACCESS CONFIGURATION GUIDE 7-20-2010 Configuration Manual

Software for e series broadband services routers broadband access configuration guide
JunosE 11.2.x Broadband Access Configuration Guide

Supporting Exchange of Extensible Authentication Protocol Messages

Immediate Accounting Updates

Extensible Authentication Protocol (EAP) is a protocol that supports multiple methods
for authenticating a peer before allowing network layer protocols to transmit over the
link. JunosE Software supports the exchange of EAP messages between JunosE
applications, such as PPP, and an external RADIUS authentication server.

The JunosE Software's AAA service accepts and passes EAP messages between the
JunosE application and the router's internal RADIUS authentication server. The internal
RADIUS authentication server, which is a RADIUS client, provides EAP pass-through—the
RADIUS client accepts the EAP messages from AAA, and sends the messages to the
external RADIUS server for authentication. The RADIUS client then passes the response
from the external RADIUS authentication server back to the AAA service, which then
sends a response to the JunosE application. The AAA service and the internal RADIUS
authentication service do not process EAP information—both simply act as pass-through
devices for the EAP message.

The router's local authentication server and TACACS+ authentication servers do not
support the exchange of EAP messages. These types of servers deny access if they receive
an authentication request from AAA that includes an EAP message. EAP messages do
not affect the none authentication configuration, which always grants access.

The local RADIUS authentication server uses the following RADIUS attributes when
exchanging EAP messages with the external RADIUS authentication server:

• Framed-MTU (attribute 12)—Used if AAA passes an MTU value to the internal RADIUS client
• State (attribute 24)—Used in Challenge-Response messages from the external server and returned to the external server on the subsequent Access-Request
• Session-Timeout (attribute 27)—Used in Challenge-Response messages from the external server
• EAP-Message (attribute 79)—Used to fragment EAP strings into 253-byte fragments (the RADIUS limit)
• Message-Authenticator (attribute 80)—Used to authenticate messages that include an EAP-Message attribute

For additional information on configuring PPP to use EAP authentication, see JunosE Link
Layer Configuration Guide.
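
The following is an added example, not code from the JunosE documentation or from Juniper. It shows how an EAP packet is split into 253-byte EAP-Message attributes in an Access-Request and how Message-Authenticator is computed and checked, using the HMAC-MD5 calculation defined in RFC 3579. The function names, the shared secret used with it, and the sample EAP packet are constructed for illustration.

```python
import hashlib, hmac, os, struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
MAX_VALUE = 253  # 255-octet attribute limit minus the Type and Length octets
# Constructed sample: a 600-byte EAP-Response (code 2, id 1, type 13) with zero padding
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 600, 13) + bytes(595)

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def eap_attrs(eap_packet):
    """Split one EAP packet into consecutive EAP-Message attributes."""
    return b"".join(attr(EAP_MESSAGE, eap_packet[i:i + MAX_VALUE])
                    for i in range(0, len(eap_packet), MAX_VALUE))

def build_access_request(ident, secret, eap_packet, authenticator=None):
    """Access-Request (code 1) carrying EAP, signed over the whole packet."""
    authenticator = authenticator or os.urandom(16)
    attrs = eap_attrs(eap_packet) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # replace the 16 zero octets with the MAC

def parse_attrs(packet):
    """Return (type, value_offset, value) for each attribute after the header."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def verify_and_reassemble(packet, secret):
    """Return the reassembled EAP packet; raise if the MAC is missing or wrong."""
    attrs = parse_attrs(packet)
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        raise ValueError("EAP-Message without a valid Message-Authenticator")
    off, received = macs[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator mismatch")
    return b"".join(val for t, _, val in attrs if t == EAP_MESSAGE)
```

The check shown applies to Access-Request packets; for replies from the external server, the Request Authenticator of the matching Access-Request takes the place of the authenticator field in the HMAC input.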

Immediate Accounting Updates

You can use the aaa accounting immediate-update command to configure immediate
accounting updates on a per-VR basis. If you enable this feature, the E Series router sends
an Acct-Update message to the accounting server immediately on receipt of a response
(ACK or timeout) to the Acct-Start message.

This feature is disabled by default. Use the enable keyword to enable immediate updates
and the disable keyword to halt them.

Copyright © 2010, Juniper Networks, Inc.