Radius-Based Packet Mirroring Dynamically Created Secure Policies; Radius-Based Packet Mirroring Mlppp Sessions; Table 53: Radius-Based Mirroring Attributes - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual

Software for E Series Broadband Services Routers: Policy Management Configuration Guide

Chapter 12: Configuring RADIUS-Based Mirroring

Copyright © 2010, Juniper Networks, Inc.

Table 53: RADIUS-Based Mirroring Attributes

| Standard Number | Attribute Name | Setting |
|---|---|---|
| [26-58] | LI-Action | 0 = disable mirroring; 1 = enable mirroring; 2 = no action |
| [26-59] | Med-Dev-Handle | String (not null-terminated) |
| [26-60] | Med-IP-Address | IP address of analyzer device |
| [26-61] | Med-Port-Number | UDP port number of monitoring application in analyzer device |

An LI-Action setting of 2 specifies that the router does not perform any packet mirroring-related configuration. This setting can provide additional security by confusing unauthorized users who attempt to access packet mirroring communication between the router and the RADIUS server.

RADIUS-Based Packet Mirroring Dynamically Created Secure Policies

RADIUS-based packet mirroring uses dynamically created secure policies, which are based on the RADIUS VSAs that an authorized RADIUS administrator creates. A policy is created when the packet mirroring action is initiated at the RADIUS server, and is then applied to the interface that is dynamically created for the user. When the mirroring operation is disabled, the secure policy is deleted.

The E Series router creates a name for each dynamically created policy. The name consists of the string spl followed by a hexadecimal integer, such as spl_88000008. The name is displayed by the show secure policy-list command.

RADIUS-Based Packet Mirroring MLPPP Sessions

When you use RADIUS-based packet mirroring on MLPPP traffic, RADIUS authentication and authorization are performed on the individual links. The mirroring-related VSAs are returned with the RADIUS response. For user-initiated mirroring, which starts when the user logs in, a RADIUS response is returned for each successful authentication/authorization. For RADIUS-initiated mirroring of a user who is already logged in, a single RADIUS request is sent for each link.

If you are mirroring an L2TP session, the packet-mirroring operation is enabled or disabled on a single link that is uniquely identified by the trigger you use (the RADIUS attributes for Acct-Session-ID or User-Name). For tunneled MLPPP, the individual links in the MLPPP bundle are mirrored separately. The packet-mirroring configuration fails if you use the Acct-Multi-Session-ID attribute (RADIUS attribute 50) for the configuration.

If you are mirroring an IP session, the packet-mirroring operation is enabled or disabled on the MLPPP bundle as a whole. We recommend that you use the Account-Session-ID RADIUS attribute rather than the User-Name attribute as the trigger. Using the
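The following check is an added example, not code from the Juniper guide: it validates a requested mirroring operation against the Table 53 settings and the L2TP and IP session trigger rules before the request is provisioned on the RADIUS server. The function name, the input dictionary shape, the session-type labels, and the requirement that an enable request carries a valid analyzer address and port are assumptions of this example.

```python
import ipaddress

# VSA numbers and LI-Action settings as listed in Table 53.
LI_ACTION, MED_DEV_HANDLE, MED_IP_ADDRESS, MED_PORT_NUMBER = 58, 59, 60, 61
LI_ACTIONS = {0: "disable mirroring", 1: "enable mirroring", 2: "no action"}


def check_mirroring_request(vsas, trigger, session_type):
    """Return (errors, warnings) for one requested mirroring operation.

    vsas maps a Table 53 VSA number to its value; trigger is the RADIUS
    attribute name identifying the session; session_type is "l2tp" or "ip".
    All three input shapes are assumptions of this example.
    """
    errors, warnings = [], []
    action = vsas.get(LI_ACTION)
    if action not in LI_ACTIONS:
        errors.append(f"LI-Action must be 0, 1 or 2, got {action!r}")
    elif action == 2:
        warnings.append("LI-Action 2: router performs no mirroring configuration")
    handle = vsas.get(MED_DEV_HANDLE)
    if handle is not None and handle.endswith("\x00"):
        errors.append("Med-Dev-Handle must not be null-terminated")
    if action == 1:
        # Assumption: enabling needs a usable analyzer address and UDP port.
        try:
            ipaddress.ip_address(str(vsas.get(MED_IP_ADDRESS, "")))
        except ValueError:
            errors.append("Med-IP-Address is not a valid IP address")
        port = vsas.get(MED_PORT_NUMBER)
        if not (isinstance(port, int) and 0 < port <= 65535):
            errors.append("Med-Port-Number is not a valid UDP port")
    if session_type == "l2tp":
        if trigger == "Acct-Multi-Session-ID":
            errors.append("Acct-Multi-Session-ID (attribute 50) makes the configuration fail")
        elif trigger not in ("Acct-Session-ID", "User-Name"):
            errors.append(f"unsupported L2TP trigger {trigger!r}")
    elif session_type == "ip" and trigger == "User-Name":
        warnings.append("Acct-Session-ID is recommended over User-Name for IP sessions")
    return errors, warnings


# Constructed sample requests (address taken from the documentation range).
GOOD = {58: 1, 59: "handle-01", 60: "192.0.2.10", 61: 6000}
BAD = {58: 3, 59: "handle-01\x00"}
```
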
