---------- Forwarded message ----------
From: Marlon Duksa <[EMAIL PROTECTED]>
Date: Mon, Sep 29, 2008 at 2:58 PM
Subject: Re: [j-nsp] subscriber access on MX
To: Christopher Hartley <[EMAIL PROTECTED]>

Hmm, in this case below you have the authenticator hierarchy under dot1x.
But I can't find anything similar in my case, something that would tell DHCP
clients to be authenticated via radius. I have the radius server and profile
under the access hierarchy but I don't know how to apply this to my dynamic
profiles. In this below, where is the connection between the profile 'subs'
(where I defined radius server) and my DHCP clients coming in on the access
interfaces?

access {
    radius-server {
        114.0.1.10 secret "$9$4DZGi.PQ/9pTz9pB1rl4aZUk."; ## SECRET-DATA
    }
    profile subs {
        authentication-order radius;
        radius {
            authentication-server 114.0.1.10;
        }
    }
}
access-profile subs;
forwarding-options {
    dhcp-relay {
        server-group {
            test {
                10.0.0.100;
            }
        }
        group test1 {
            active-server-group test;
            dynamic-profile basic-profile;
            interface ge-0/0/0.1;
            interface ge-0/0/0.2;
        }
    }
}
dynamic-profiles {
    basic-profile {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-underlying-interface-unit";
            }
        }
    }
}

On Mon, Sep 29, 2008 at 1:07 PM, Christopher Hartley <[EMAIL PROTECTED]> wrote:

> How about something like the following. Note that this is for an EX,
> but it should be the same?
>
> I enabled system authentication-order radius so as to test prior to
> enabling for an authenticator.... EAP will pick your authentication
> mechanism. I'm using eapmd5...
>
> system {
>     ...
>     authentication-order [ radius password ];
>     ...
>     radius-server {
>         <REMOVED> {
>             secret "<REMOVED>"; ## SECRET-DATA
>             source-address <REMOVED>;
>         }
>     }
>     ...
> }
>
> [EMAIL PROTECTED]> show configuration protocols dot1x
> traceoptions {
>     file dot1x-trace world-readable; # for debugging if necessary...
> }
> authenticator {
>     authentication-profile-name rad1;
>     interface {
>         ge-0/0/0.0 {
>             supplicant single-secure;
>             retries 5;
>             no-reauthentication;
>             server-timeout 30;
>             maximum-requests 10;
>             guest-vlan guest1;
>         }
>     }
> }
>
>
> I look forward to seeing your resolution..
>
> >>> "Marlon Duksa" <[EMAIL PROTECTED]> 09/29/08 3:54 PM >>>
> Hi, Does anyone know how to activate (apply) Radius authentication for
> subscriber management on an MX node?
>
> I have subscribers configured for dynamic access through an external DHCP
> server.
> For some reason, I'm getting the DHCP address without being first
> authenticated on MX through Radius. I'm monitoring my Radius server and no
> requests for authentication are coming in at all.
>
> It looks like the dynamic AAA needs to be applied somewhere but I'm not
> sure where. The documentation (subscriber access) mentions 'logical-systems'
> hierarchy but this hierarchy does not exist on Junos 9.2.
>
> Here is my config:
>
> # these are dynamic-profiles that should be active on the access interfaces
> dynamic-profiles {
>     basic-profile {
>         interfaces {
>             "$junos-interface-ifd-name" {
>                 unit "$junos-underlying-interface-unit";
>             }
>         }
>     }
> }
>
>
> # these two are the access interfaces
> interfaces {
>     ge-0/0/0 {
>         vlan-tagging;
>         unit 1 {
>             vlan-id 1;
>             family inet {
>                 unnumbered-address lo0.0 preferred-source-address 1.1.1.1;
>             }
>         }
>         unit 2 {
>             vlan-id 2;
>             family inet {
>                 unnumbered-address lo0.0 preferred-source-address 1.1.1.1;
>             }
>         }
>     }
> }
> # this is dhcp-relay config and this works fine, I'm getting IP address assigned
> forwarding-options {
>     dhcp-relay {
>         server-group {
>             test {
>                 10.0.0.100;
>             }
>         }
>         group test1 {
>             active-server-group test;
>             interface ge-0/0/0.1;
>             interface ge-0/0/0.2;
>         }
>     }
> }
>
>
> # this is my Radius profile
> access {
>     radius-server {
>         114.0.1.10 secret "$9$4DZGi.PQ/9pTz9pB1rl4aZUk."; ## SECRET-DATA
>     }
>     profile subs {
>         authentication-order radius;
>         radius {
>             authentication-server 114.0.1.10;
>         }
>     }
> }
>
> This is how I think it should be applied
> access-profile subs;
>
>
> Thanks,
> Marlon
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp