Table 53: Radius-Based Mirroring Attributes - Juniper POLICY MANAGEMENT - CONFIGURATION GUIDE V11.1.X Configuration Manual

JUNOSe Software for Broadband Services Routers: Policy Management Configuration Guide

Chapter 12: Configuring RADIUS-Based Mirroring

Table 53: RADIUS-Based Mirroring Attributes

| Standard Number | Attribute Name | Setting |
| --- | --- | --- |
| [26-58] | LI-Action | 0 = disable mirroring; 1 = enable mirroring; 2 = no action |
| [26-59] | Med-Dev-Handle | String (not null-terminated) |
| [26-60] | Med-IP-Address | IP address of analyzer device |
| [26-61] | Med-Port-Number | UDP port number of monitoring application in analyzer device |

An LI-Action setting of 2 specifies that the router does not perform any packet
mirroring-related configuration. This setting can provide additional security by
confusing unauthorized users who attempt to access packet mirroring communication
between the router and the RADIUS server.

RADIUS-Based Packet Mirroring Dynamically Created Secure Policies

RADIUS-based packet mirroring uses dynamically created secure policies, which are
based on the RADIUS VSAs that an authorized RADIUS administrator creates. A policy
is created when the packet mirroring action is initiated at the RADIUS server, and
is then applied to the interface that is dynamically created for the user. When the
mirroring operation is disabled, the secure policy is deleted.

The E Series router creates a name for the dynamically created policies. The name
consists of the string spl followed by a hexadecimal integer, such as spl_88000008.
The name is displayed by the show secure policy-list command.

RADIUS-Based Packet Mirroring MLPPP Sessions

When you use RADIUS-based packet mirroring on MLPPP traffic, RADIUS
authentication and authorization are performed on the individual links. The
mirroring-related VSAs are returned with the RADIUS response. For user-initiated
mirroring, which starts when the user logs in, a RADIUS response is returned for
each successful authentication/authorization. For RADIUS-initiated mirroring of a
user who is already logged in, a single RADIUS request is sent for each link.

If you are mirroring an L2TP session, the packet-mirroring operation is enabled
or disabled on a single link that is uniquely identified by the trigger you use (the
RADIUS attributes for Acct-Session-ID or User-Name). For tunneled MLPPP, the
individual links in the MLPPP bundle are mirrored separately. The
packet-mirroring configuration fails if you use the Acct-Multi-Session-ID attribute
(RADIUS attribute 50) for the configuration.

If you are mirroring an IP session, the packet-mirroring operation is enabled or
disabled on the MLPPP bundle as a whole. We recommend that you use the
Account-Session-ID RADIUS attribute rather than the User-Name attribute as the
trigger. Using the Account-Session-ID attribute is more efficient because the
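
The following Python check is an added example, not part of the Juniper guide: it reviews a mirroring request against the rules on this page (LI-Action settings, the Acct-Multi-Session-ID failure for L2TP sessions, the trigger recommendation for IP sessions, and the Table 53 value formats). The function name, the dictionary layout, and the sample values are assumptions made for illustration, and Med-* values are checked only when present.

```python
import ipaddress

# Settings for LI-Action [26-58] as listed in Table 53.
LI_ACTIONS = {0: "disable mirroring", 1: "enable mirroring", 2: "no action"}

def check_mirroring_request(req, session_type):
    """Return (severity, message) findings for one mirroring request.

    req is a hypothetical dict: "trigger" plus Table 53 VSAs keyed by name.
    session_type is "l2tp" or "ip". Med-* values are checked only if present.
    """
    action = req.get("LI-Action")
    if action not in LI_ACTIONS:
        return [("error", f"LI-Action {action!r} is not 0, 1 or 2")]
    if action == 2:
        # The router performs no mirroring-related configuration for 2.
        return [("info", "LI-Action 2: no mirroring configuration performed")]
    findings = []
    trigger = req.get("trigger")
    if session_type == "l2tp" and trigger == "Acct-Multi-Session-ID":
        findings.append(("error", "Acct-Multi-Session-ID (attribute 50) trigger fails"))
    if session_type == "ip" and trigger == "User-Name":
        findings.append(("warning", "User-Name trigger; session ID is recommended"))
    handle = req.get("Med-Dev-Handle")
    if handle is not None and handle.endswith(b"\x00"):
        findings.append(("warning", "Med-Dev-Handle ends with NUL; Table 53 says not null-terminated"))
    ip = req.get("Med-IP-Address")
    if ip is not None:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("error", f"Med-IP-Address {ip!r} is not an IP address"))
    port = req.get("Med-Port-Number")
    if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append(("error", f"Med-Port-Number {port!r} is not a UDP port"))
    return findings

# Constructed sample requests (not captured traffic).
GOOD = {"trigger": "Acct-Session-ID", "LI-Action": 1, "Med-Dev-Handle": b"md-01",
        "Med-IP-Address": "192.0.2.10", "Med-Port-Number": 6000}
BAD = {"trigger": "Acct-Multi-Session-ID", "LI-Action": 1, "Med-Dev-Handle": b"md-01\x00",
       "Med-IP-Address": "10.0.0.300", "Med-Port-Number": 70000}

if __name__ == "__main__":
    for name, req, kind in (("GOOD", GOOD, "ip"), ("BAD", BAD, "l2tp")):
        print(name, check_mirroring_request(req, kind))
```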


This manual is also suitable for:

E series
