Considerations For Using The Llid; Configuring The Router To Obtain The Llid For A Subscriber - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12 Configuration Manual

JunosE 11.3.x Broadband Access Configuration Guide

Considerations for Using the LLID

Configuring the Router to Obtain the LLID for a Subscriber

76
Table 5: RADIUS IETF Attributes in Preauthentication Request
(continued)
Attribute
Number Attribute Name
[87] NAS-Port-Id
The use of radius commands such as radius calling-station-format or radius override
calling-station-id to control or change the inclusion of these attributes in the
preauthentication request has no effect.
For more information about these attributes, see "RADIUS IETF Attributes" on page 255.
The following considerations apply when you configure the router for subscriber
preauthentication:
Only PPP subscribers authenticating through RADIUS can use the AAA LLID feature
on the router. PPP subscribers tunneled through domain maps cannot take advantage
of this feature.
The Calling-Station-Id [31] attribute is typically sent in RADIUS Access-Request
messages, not in Access-Accept messages as is the case for this feature. As a result,
your RADIUS server might require special configuration procedures to enable the
Calling-Station-Id attribute to be returned in Access-Accept messages. See the
documentation that came with your RADIUS server for information.
The router ignores any RADIUS attributes other than the Calling-Station-Id that are
returned in the preauthentication Access-Accept message.
If a preauthentication request fails due to misconfiguration of the preauthentication
server, timeout of the preauthentication server, or rejection of the preauthentication
request by the preauthentication server, the authentication process continues normally
and the preauthentication request is ignored.
The router preserves the LLID value for established subscribers after a stateful SRP
switchover.
The radius rollover-on-reject enable command has no effect for a RADIUS
preauthentication server. That is, you cannot use the radius rollover-on-reject enable
command to configure the router to roll over to the next RADIUS preauthentication
server when the router receives an Access-Reject message for the user it is
authenticating. For information, see "radius rollover-on-reject" on page 32.
To configure the router to obtain the LLID for a subscriber:
Create an AAA profile that supports subscriber preauthentication.
1.
host1(config)#aaa profile preAuthLlid
Description
Text string that identifies the physical interface of the NAS
that is authenticating the user; for example,
atm 4/1.104:2.104
Copyright © 2010, Juniper Networks, Inc.