JunosE 11.3.x Policy Management Configuration Guide
Configuring Router to Mirror Users Already Logged In
238
2. Configure the analyzer interface to send the mirrored traffic to the analyzer device.
host1(config)#interface fastEthernet 4/0
host1(config-if)#ip analyzer
Alternatively, for increased security, create the analyzer interface at one end of an
IPSec tunnel to the analyzer device.
host1(config)#interface tunnel ipsec:mirror3 transport-virtual-router default
host1(config-if)#ip analyzer
host1(config-if)#exit
host1(config)#ip route 192.168.99.2 255.255.255.255 tunnel ipsec:mirror3
When a mirroring operation is initiated for a user who is already logged in (RADIUS-initiated
mirroring), the RADIUS server uses change-of-authorization messages and passes the
required RADIUS attributes and the identifier of the currently running session to the
E Series router. The router uses this information to create the secure policy and attaches
it to the interface that is created for the user. The E Series router must be configured to
accept change-of-authorization messages from the RADIUS server.
1. Specify the RADIUS dynamic-request server that sends change-of-authorization
messages to the router, and enter RADIUS configuration mode.
host1(config)#radius dynamic-request server 192.168.11.0
2. Specify the UDP port used to communicate with the RADIUS server.
host1(config-radius)#udp-port 3799
3. Create the key used to communicate with the RADIUS server.
host1(config-radius)#key mysecret
4. Configure the router to receive change-of-authorization messages from the RADIUS
server.
host1(config-radius)#authorization change
host1(config-radius)#exit
host1(config)#exit
5. Verify your RADIUS-initiated mirroring configuration.
host1#show radius dynamic-request servers
RADIUS Request Configuration
----------------------------
               Udp                     Change Of
IP Address     Port   Secret           Authorization   Disconnect
-------------  ----   ------           -------------   ----------
10.10.3.4      3799   mysecret         enabled         enabled
6. Configure the analyzer interface to send the mirrored traffic to the analyzer device.
host1(config)#interface fastEthernet 4/0
host1(config-if)#ip analyzer
Copyright © 2010, Juniper Networks, Inc.
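The key created in step 3 is what lets the router decide whether a change-of-authorization message on UDP port 3799 really came from the configured RADIUS server. The following Python example is added here and is not part of the guide: it builds a CoA-Request as RFC 5176 defines it, carrying the session identifier in a standard Acct-Session-Id attribute (an assumption; the page does not name the attribute), and applies the router-side authenticator check. The secret "mysecret" is the one configured on the page; the session identifier and packet identifier are constructed sample values.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43      # RADIUS Code for CoA-Request (RFC 5176)
ACCT_SESSION_ID = 44  # attribute carrying the identifier of the running session

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS Type/Length/Value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_coa_request(secret, identifier, attrs):
    """Server side: the Request Authenticator is MD5 over Code, Identifier,
    Length, 16 zero octets, the attributes and the shared secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_coa_request(secret, packet):
    """Router side: accept only if the authenticator recomputed with the
    configured key matches; a wrong key or altered attributes fails."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    if packet[0] != COA_REQUEST:
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)

def demo():
    """Constructed sample: key from the page, session identifier made up here."""
    secret = b"mysecret"                # key configured in step 3
    session_id = b"0000003e-0001"       # constructed Acct-Session-Id value
    pkt = build_coa_request(secret, 7, [(ACCT_SESSION_ID, session_id)])
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # same length, altered body
    return (verify_coa_request(secret, pkt),
            verify_coa_request(b"wrongsecret", pkt),
            verify_coa_request(secret, tampered))

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The second and third results show why a mismatched key between the router and the dynamic-request server, or any modification of the attributes in transit, causes the router to drop the request rather than change the session.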