Juniper POLICY MANAGEMENT - CONFIGURATION GUIDE V11.1.X Configuration Manual page 246

JUNOSe Software for Broadband Services Routers: Policy Management Configuration Guide

JUNOSe 11.1.x Policy Management Configuration Guide
ERX routers. See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for
information about modules supported on the E120 and E320 Broadband Services
Routers.
Comparing CLI-Based Mirroring and RADIUS-Based Mirroring
This section compares the characteristics of CLI-based and RADIUS-based mirroring
techniques. You can use CLI-based mirroring for both interface-specific and
user-specific mirroring; RADIUS-based mirroring is used for user-specific mirroring.
This section highlights differences in configuration, security, and application of the
CLI-based and RADIUS-based mirroring methods.
Configuration
This section describes differences in the configuration processes for CLI-based and
RADIUS-based mirroring:
- CLI-based packet mirroring: You use CLI commands to configure and manage
  packet mirroring of specific interfaces and users. For interface-specific mirroring,
  you enable the static configuration after the IP interface is created. The interface
  method mirrors only the traffic on the specific interface.
  In user-specific mirroring, authentication, authorization, and accounting (AAA)
  uses RADIUS attributes as triggers to identify the user whose traffic is to be
  mirrored. The mirroring session starts when the user logs in. If the user is already
  logged in, AAA immediately starts the mirroring session when you enable packet
  mirroring.
- RADIUS-based packet mirroring: This dynamic method uses RADIUS and
  vendor-specific attributes (VSAs), rather than CLI commands, to identify a user
  whose traffic is to be mirrored and to trigger the mirroring session. A RADIUS
  administrator configures and enables the mirroring separate from the user's
  session. You can use a single RADIUS server to provision packet-mirroring
  operations on multiple E Series routers in a service provider's network.
  There are two variations of RADIUS-based packet mirroring. For both types, the
  mirroring feature is initiated without regard to the user location, router, interface,
  or type of traffic.
  - User-initiated mirroring: If the user is not currently logged in, the mirroring
    session starts when the user logs in and is authenticated by RADIUS. The
    user's Acct-Session-Id is the identification trigger.
  - RADIUS-initiated mirroring: If the user is already logged in, the JUNOSe
    RADIUS dynamic-request server uses RADIUS-initiated
    change-of-authorization (CoA) messages to immediately start the mirroring
    session when the packet mirroring is enabled.
Security
The following list highlights security features provided by CLI-based and RADIUS-based
mirroring:
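
Added example, not part of the Juniper guide: because RADIUS-initiated mirroring is triggered by CoA messages carrying VSAs, an operator auditing captured CoA traffic may want to confirm each request came from a trusted RADIUS server, carries a valid RFC 5176 authenticator, and see which Acct-Session-Id and VSAs it names. The function names, trusted-server list, shared secret, and the vendor ID and type in the sample are assumptions constructed for illustration; only the RFC-defined codes (CoA-Request 43, Acct-Session-Id 44, Vendor-Specific 26) are fixed values.

```python
import hashlib
import hmac
import struct

COA_REQUEST, ACCT_SESSION_ID, VENDOR_SPECIFIC = 43, 44, 26  # RFC 5176 / 2866 / 2865

def parse_attributes(data):
    """Yield (type, value) per RADIUS attribute; reject malformed lengths."""
    i = 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def authenticator_ok(packet, secret):
    """RFC 5176: MD5(code+id+length + 16 zero octets + attributes + secret)."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def audit_coa(packet, src_ip, trusted_servers, secret):
    """Report which session a CoA-Request targets, its VSAs, and any alerts."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    packet = packet[:length]
    report = {"coa": code == COA_REQUEST, "session": None, "vsas": [], "alerts": []}
    if src_ip not in trusted_servers:
        report["alerts"].append("untrusted source")
    if not authenticator_ok(packet, secret):
        report["alerts"].append("bad authenticator")
    for atype, value in parse_attributes(packet[20:]):
        if atype == ACCT_SESSION_ID:
            report["session"] = value.decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            report["vsas"].append((vendor, value[4]))  # (vendor id, vendor type)
    return report

def build_sample(session, vendor, vtype, vdata, secret):
    """Constructed CoA-Request for the demo; all values are placeholders."""
    sid = session.encode()
    vsa = struct.pack("!I", vendor) + bytes([vtype, 2 + len(vdata)]) + vdata
    attrs = bytes([ACCT_SESSION_ID, 2 + len(sid)]) + sid
    attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    head = struct.pack("!BBH", COA_REQUEST, 1, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs
```

Feed `audit_coa` the UDP payload and source address of each captured CoA-Request; any entry in `alerts` marks a request that should not have been able to start a mirroring session.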
