Juniper POLICY MANAGEMENT - CONFIGURATION GUIDE V11.1.X Configuration Manual page 270

JUNOSe 11.1.x Policy Management Configuration Guide
Configuring the RADIUS Server
Table 53 on page 241 lists the VSAs that are included for both types of RADIUS-based
mirroring user-initiated (when the user logs in to start a new session), and
RADIUS-initiated (when the user is already logged in).
Disabling RADIUS-Based Mirroring
To disable mirroring, you include the RADIUS attribute (for example, Acct-Session-ID)
and set the Mirror-Action attribute to 0 in the mirrored user's RADIUS record.
You can also use the mirror disable CLI commands to disable RADIUS-based
mirroring. You must use the version of the mirror disable command that corresponds
to the RADIUS attribute that was used to identify the user. For example, if you used
the RADIUS Calling-Station-ID attribute to create the mirroring session, you must use
the mirror disable calling-station-id command to disable the session.
NOTE: All RADIUS-based mirroring sessions that start when a user logs in are
considered to use the Acct-Session-ID attribute. Therefore, you must use the mirror
disable acct-session-id command to disable these sessions. For RADIUS-based
sessions of a user that is already logged in, you use the mirror disable command
with the same keyword you used to configure the session.
Configuring the Analyzer Device
The analyzer device must be configured to receive the mirrored traffic from the E
Series router's analyzer interface. The analyzer interface directs mirrored traffic to
the specified analyzer device for analysis. You can configure the interface as the
virtual router's default analyzer interface. You cannot configure multiaccess interfaces,
such as IP over Ethernet, as default analyzer interfaces.
When mirroring an IP interface, the analyzer interface must reside in the same virtual
router as the mirrored interface. When mirroring an L2TP interface, the analyzer
interface must reside in the default virtual router.
NOTE: You must configure a static route to reach the analyzer device through the
analyzer interface. If the analyzer interface is an IP over Ethernet interface, you must
also configure a static Address Resolution Protocol (ARP) entry to reach the analyzer
device.
You can configure any type of IP interface on the E Series router as an analyzer
interface, except for special interfaces such as SRP interfaces, null interfaces, and
loopback interfaces. An interface cannot be both an analyzer interface and a mirrored
interface at the same time. A single analyzer interface can support multiple mirrored
interfaces.The receive side of the analyzer interface is disabled. All traffic attempting
to access the router through an analyzer interface is dropped.Analyzer interfaces
244
Configuring RADIUS-Based Mirroring