Outgoing Call Setup Details; Access-Request Message; Access-Accept Message - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12 Configuration Manual


JunosE 11.3.x Broadband Access Configuration Guide

Outgoing Call Setup Details

Table 77: Session Operational States (continued)

State: pending
Description: A session enters the pending state when a valid trigger is received but there already are the maximum number of connecting sessions in the router. The router discards all subsequent trigger packets until other sessions transition out of the connecting state. When this happens, pending sessions can transition to the dormant state.

State: failed
Description: A session enters the failed state when the router detects a configuration error that prevents the successful operation of the session. Specifically, one of the final steps in a dial-out request is mutual PPP authentication at the LNS. A side-effect of authentication is the installation of an access route for the outgoing call. If the access route does not correspond to the trigger packet (that is, the trigger packet cannot be routed successfully by the new access route), the router detects this discrepancy as a configuration error because trigger packets that arrive are not forwarded into the outgoing call; rather, they are buffered or discarded. The only way to exit the failed state is with the l2tp dial-out session reset command.

This section details the process described in "Dial-Out Process" on page 411.

Access-Request Message

To create the username in the authentication request, the router uses the trigger, dial-out
route, domain name, and optional Multiprotocol Label Switching (MPLS) route
distinguisher (RD). The username is constructed as follows:

    [MPLS RD]/{trigger destination address}@domain-name

For example, given a dial-out route with an IP prefix of 10.10.0.0/16, a domain name of
L2TP-dial-out.de.dt, and an MPLS RD of 0.0.0.0:65000, if a trigger packet arrives with
a destination IP address of 10.10.1.1, the router creates the following username:

    0.0.0.0:65000/10.10.1.1@L2TP-dial-out.de.dt

No password is offered, and the authentication request is passed to the S-series AAA
server for normal authentication processing.
In the example above, the AAA domain map processes the L2TP-dial-out.de.dt
domain as it would any other domain. If RADIUS authentication is configured for the
authenticating virtual router (VR) context, AAA passes the authentication request to the
E Series RADIUS client. The RADIUS authentication request is consistent with other
requests, except that the Service-Type attribute is set to outbound (value of 5).

Access-Accept Message

The router expects RADIUS attributes that define a tunnel to be returned with the additions
in Table 78 on page 415. If tunnel attributes are excluded from the Access-Accept message
or the returned Service-Type attribute is not set to outbound, the dial-out session is
denied.
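
Added example (not from the Juniper guide or from JunosE itself): Python that builds the dial-out username and Access-Request attributes as described above, then applies the Access-Accept denial rule to a decoded attribute dictionary. The function names, the dictionary representation, the sample replies, and the choice of Tunnel-Type and Tunnel-Server-Endpoint as the minimum tunnel-defining attributes are assumptions; the Table 78 additions are not modeled.

```python
import ipaddress

SERVICE_TYPE_OUTBOUND = 5  # value given in the guide for Service-Type outbound
# Assumption: minimum set treated as "attributes that define a tunnel"
# (RFC 2868 names). The Table 78 additions are not modeled here.
REQUIRED_TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Server-Endpoint")


def build_username(trigger_dst, route_prefix, domain, mpls_rd):
    """Return {MPLS RD}/{trigger destination address}@{domain-name}.

    Only the form with an RD (the guide's example) is handled.
    """
    dst = ipaddress.ip_address(trigger_dst)
    # Sanity check: the trigger must fall inside the dial-out route prefix.
    if dst not in ipaddress.ip_network(route_prefix):
        raise ValueError(f"{dst} is outside dial-out route {route_prefix}")
    return f"{mpls_rd}/{dst}@{domain}"


def build_access_request(trigger_dst, route_prefix, domain, mpls_rd):
    """Attributes of the dial-out Access-Request; no password is offered."""
    return {
        "User-Name": build_username(trigger_dst, route_prefix, domain, mpls_rd),
        "Service-Type": SERVICE_TYPE_OUTBOUND,
    }


def accept_allows_dial_out(attrs):
    """Apply the guide's denial rule to a decoded Access-Accept (a dict)."""
    missing = [a for a in REQUIRED_TUNNEL_ATTRS if a not in attrs]
    if missing:
        return False, "tunnel attributes missing: " + ", ".join(missing)
    if attrs.get("Service-Type") != SERVICE_TYPE_OUTBOUND:
        return False, "Service-Type is not outbound (5)"
    return True, "dial-out permitted"


# Constructed sample replies (192.0.2.10 is a documentation address).
GOOD_ACCEPT = {"Service-Type": 5, "Tunnel-Type": "L2TP",
               "Tunnel-Server-Endpoint": "192.0.2.10"}
FRAMED_ACCEPT = dict(GOOD_ACCEPT, **{"Service-Type": 2})  # Framed, not outbound

if __name__ == "__main__":
    print(build_access_request("10.10.1.1", "10.10.0.0/16",
                               "L2TP-dial-out.de.dt", "0.0.0.0:65000"))
    for reply in (GOOD_ACCEPT, FRAMED_ACCEPT, {"Service-Type": 5}):
        print(accept_allows_dial_out(reply))
```

A check like this is useful in an AAA test harness to confirm that the RADIUS profile for the dial-out domain returns a reply the router will not deny.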
Copyright © 2010, Juniper Networks, Inc.
