[SBR] Discarding Class Attribute values in Authentication response

Article ID: KB28409 | KB Last Updated: 05 Mar 2017 | Version: 2.0
Summary:

This article describes how to discard two Class Attribute values that are not necessary for effective authentication when the Juniper E Series Broadband Remote Access Server (B-RAS) is configured to perform RADIUS Authentication and Accounting using the Steel-Belted Radius (SBR) Carrier. During the Authentication phase, it was found that two Class Attributes are included in the Authentication response sent to E Series Broadband Services Routers. According to a customer, these Class Attributes are not necessary and are a waste of resources.

Symptoms:

The goal is to optimize WAN utilization by removing unwanted Class Attributes from each Authentication response returned by the SBR Carrier to the RAS client and thereby from the Accounting request sent to the SBR Carrier by the RAS client.

According to RADIUS RFC 2865: "This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported."

As shown in the example below, the Authentication response contains the Class attribute, so the client adds it to the subsequent Accounting request. This happens on every user authentication/accounting transaction, leading to unnecessary resource consumption.

09/05/2013 09:46:50.761 (22348): Authentication Response
09/05/2013 09:46:50.761 (22348): Packet Code=0x02 Id=0x6b
09/05/2013 09:46:50.761 (22348): Vector =
09/05/2013 09:46:50.761 (22348): 000: 5d eb fc 70 20 3b 27 fc 2d 37 2a e6 9b 44 1e 48 |]..p ;'.-7*..D.H|
09/05/2013 09:46:50.761 (22348): Class : String Value = SBR-CL DN="testsrc1@airtelbroadband.in" AT="200" TX="0x000000000605285200000002" VR="airtelbroadband.in"
09/05/2013 09:46:50.761 (22348): Class : String Value = VTA-2-81920-8192-150-0.1-R

09/05/2013 09:46:50.761 (22348): Framed-IP-Address : IPAddress = 122.160.131.4
09/05/2013 09:46:50.761 (22348): Framed-Route : String Value = 122.160.131.7/32 122.160.131.4
09/05/2013 09:46:50.761 (22348): -----------------------------------------------------------
09/05/2013 09:46:50.761 (22348): -----------------------------------------------------------


09/05/2013 09:46:50.904 (22344): Accounting Request
09/05/2013 09:46:50.904 (22344): Received from IpAddr=202.56.215.10 Port=50016
09/05/2013 09:46:50.904 (22344): Packet Code=0x04 Id=0xc2
09/05/2013 09:46:50.904 (22344): Client Name="TEST BRAS"
09/05/2013 09:46:50.904 (22344): Dictionary Name="unisphere.dct"
09/05/2013 09:46:50.904 (22344): Vector =
09/05/2013 09:46:50.904 (22344): 000: 2e 1d 54 3a 18 b4 93 a5 3d c3 96 98 11 03 1d f4 |..T:....=.......|
09/05/2013 09:46:50.904 (22344): Parsed Packet :
09/05/2013 09:46:50.904 (22344): Acct-Status-Type : Integer Value = 1
09/05/2013 09:46:50.904 (22344): User-Name : String Value = testsrc1@airtelbroadband.in
09/05/2013 09:46:50.904 (22344): Event-Timestamp : Integer Value = 1378354202
09/05/2013 09:46:50.904 (22344): Acct-Delay-Time : Integer Value = 0
09/05/2013 09:46:50.904 (22344): NAS-Identifier : String Value = bras-lab
09/05/2013 09:46:50.904 (22344): Acct-Session-Id : String Value = erx FastEthernet 4/0.2525:2525:0062918586
09/05/2013 09:46:50.904 (22344): NAS-IP-Address : IPAddress = 202.56.215.10
09/05/2013 09:46:50.904 (22344): Class : String Value = SBR-CL DN="testsrc1@airtelbroadband.in" AT="200" TX="0x000000000605285200000002" VR="airtelbroadband.in"
09/05/2013 09:46:50.904 (22344): Class : String Value = VTA-2-81920-8192-150-0.1-R

Cause:
 
Solution:

1. Edit the Vendor.ini located inside /opt/JNPRsbr/radius.
2. Locate the correct [Vendor-Product Identification] section for the Juniper E Series B-RAS.
3. Add the following entry: send-class-attribute = no
4. Restart the SBR service.

Note: If send-class-attribute is set to No, the Class attribute is not sent to the client in the Access-Accept. (This feature is designed to accommodate devices that do not properly handle the Class attribute.) The default value is Yes.
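
One way to confirm the change took effect, as an added example (not Juniper's code): the Python below parses log text in the layout shown under Symptoms and reports each Authentication Response that still carries Class attributes, with the bytes they occupy on the wire. The sample log is constructed; grouping packets by the number in parentheses, and the header names other than the two shown above, are assumptions.

```python
import re

# Constructed sample in the log layout shown above (placeholder values).
# The last packet shows a response that carries no Class attribute.
SAMPLE_LOG = '''\
09/05/2013 09:46:50.761 (22348): Authentication Response
09/05/2013 09:46:50.761 (22348): Packet Code=0x02 Id=0x6b
09/05/2013 09:46:50.761 (22348): Class : String Value = SBR-CL DN="user@example.test" AT="200"
09/05/2013 09:46:50.761 (22348): Class : String Value = PROFILE-A
09/05/2013 09:46:50.904 (22344): Accounting Request
09/05/2013 09:46:50.904 (22344): Packet Code=0x04 Id=0xc2
09/05/2013 09:46:50.904 (22344): Class : String Value = PROFILE-A
09/05/2013 09:47:10.120 (22348): Authentication Response
09/05/2013 09:47:10.120 (22348): Packet Code=0x02 Id=0x6c
09/05/2013 09:47:10.120 (22348): Framed-IP-Address : IPAddress = 192.0.2.5
'''

LINE = re.compile(r'^\S+ \S+ \((\d+)\): (.*)$')
HEADER = re.compile(r'^(Authentication|Accounting) (Request|Response)$')
PKT_ID = re.compile(r'^Packet Code=0x[0-9a-fA-F]+ Id=(0x[0-9a-fA-F]+)')
ATTR = re.compile(r'^([\w-]+) : [^=]+ = (.*)$')

def parse_packets(text):
    """Group log lines into packets, keyed by the number in parentheses."""
    current, packets = {}, []
    for m in filter(None, (LINE.match(l.rstrip()) for l in text.splitlines())):
        tid, body = m.groups()
        if HEADER.match(body):
            current[tid] = {"kind": body, "id": None, "attrs": []}
            packets.append(current[tid])
        elif tid in current and (c := PKT_ID.match(body)):
            current[tid]["id"] = c.group(1)
        elif tid in current and (a := ATTR.match(body)):
            current[tid]["attrs"].append(a.groups())
    return packets

def class_in_responses(packets):
    """(Id, Class count, on-wire bytes) per Authentication Response with Class."""
    found = []
    for p in packets:
        vals = [v for name, v in p["attrs"] if name == "Class"]
        if p["kind"] == "Authentication Response" and vals:
            # RFC 2865 attribute: 1-byte type + 1-byte length + value
            found.append((p["id"], len(vals), sum(2 + len(v.encode()) for v in vals)))
    return found

if __name__ == "__main__":
    for pid, n, size in class_in_responses(parse_packets(SAMPLE_LOG)):
        print(f"Authentication Response Id={pid}: {n} Class attribute(s), {size} bytes")
```

An empty result over a log captured after the restart means no Authentication Response in that capture carried Class.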
