[Subscriber Management] MX sends radius access-request with invalid NAS-Port-ID

[KB34868]


Summary:

This article illustrates how the TPID value in the 802.1Q header can cause an MX router to send a RADIUS Access-Request with an invalid NAS-Port-ID.

Symptoms:

When the TPID is set to 0x88a8, the MX router treats the VLAN subscriber as a dual-tag subscriber.

set interfaces ge-1/0/0 gigether-options ethernet-switch-profile tag-protocol-id 0x88a8

May 13 16:21:48 bbe_ifd_get_acf_profile: ifd = ge-1/0/0, vlan_type = 1, outer = 8, inner = 0
May 13 16:21:48 bbe_ifd_get_acf_profile: profile is Single-Tag-L2
May 13 16:21:48 bbe_autoconf_create_dvlan: found matching profile for ifd ge-1/0/0, profile name is Single-Tag-L2
May 13 16:21:48 bbe_autoconf_create_dvlan: vlan authentication credentials configured
May 13 16:21:48 bbe_autoconf_create_dvlan: auth_info->packet_types = 32, packet type = 8, authentication required
May 13 16:21:48 dhcp options: tot len 24
May 13 16:21:48 bbe_autoconf_create_session: Have auth_info
May 13 16:21:48 bbe_autoconf_create_session: authentication specific access_profile: test-access-L2
May 13 16:21:48 bbe_autoconf_create_session: mac address:
May 13 16:21:48 bbe_autoconf_create_session: Have mac address
May 13 16:21:48 bbe_autoconf_create_session: dhcp options: 57:;7:;May 13 16:21:48 bbe_autoconf_create_session: profile name: Single-Tag-L2$$01
May 13 16:21:48 bbe_autoconf_create_session: underlying interface: ge-1/0/0.32767
May 13 16:21:48 bbe_autoconf_create_session: physical interface: ge-1/0/0
May 13 16:21:48 bbe_autoconf_create_session: logical system: default
May 13 16:21:48 bbe_autoconf_create_session: routing instance: default
May 13 16:21:48 bbe_autoconf_create_session: username: test-access-QinQ:ge-1/0/0:8
May 13 16:21:48 bbe_autoconf_create_session: inner vlan tag: 0
May 13 16:21:48 bbe_autoconf_create_session: nas port type: 15
May 13 16:21:48 bbe_autoconf_create_session: No password
 
 
May 13 14:54:48.956078 authd_build_req_attr_list_from_sdb_data: The request list is from sdb
May 13 14:54:48.956117 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
May 13 14:54:48.956179  Performing domain-map check for session:45 with username:test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.956220 domain parse-direction:RtoL, domain-delimiter: "@" username:test-access-QinQ:ge-1/0/0:8 domain to map:
May 13 14:54:48.956256  Performing domain-map check for session:45 with username:test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.956304 Domain map lookup results for user:test-access-QinQ:ge-1/0/0:8, parsed domain:, mapped domain:default, session-id:45
May 13 14:54:48.956377 Finding a client snapshot session-id:45
May 13 14:54:48.956615 Creating SubscriberASTEntry for session-id:45, session name:test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.956699 : Found the access-profile in the SDB for session-id:45 access-profile: test-access-L2
May 13 14:54:48.956745 Bbe Domain Id found in the SDB for session-id:45
May 13 14:54:48.956791 PhyIfdName found in the SDB for session-id:45
May 13 14:54:48.956851 aaa ls:default aaa ri:default; target ls:default target ri: default
May 13 14:54:48.957500 setTargetRoutingContextdefault:default
May 13 14:54:48.957544 Access Profile Name is <test-access-L2> on LR/RI:default:default
May 13 14:54:48.957613 authd_build_radius_nas_port_and_id: nas-port-id-format order is disabled
May 13 14:54:48.957652 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
May 13 14:54:48.957704 authd_get_auth_request_nas_attr: No Agent Circuit ID attribute from SDB
May 13 14:54:48.957745 authd_get_auth_request_nas_attr: No Agent Remote ID attribute from SDB
May 13 14:54:48.957783 authd_get_auth_request_nas_attr: No interface SVLAN attribute from SDB
May 13 14:54:48.957824 authd_get_auth_request_nas_attr: No interface ATM VPI attribute from SDB
May 13 14:54:48.957861 authd_get_auth_request_nas_attr: No interface ATM VCI attribute from SDB
May 13 14:54:48.957900 authd_get_auth_request_nas_attr: Recovered from SDB - VPI:-1 VCI:-1 NasPortType:15
May 13 14:54:48.958231 authd_get_interface_nas_port_options Interface Radius-Options for Interface ge-1/0/0 not found
May 13 14:54:48.958299 authd_get_interface_description:  interface name attribute not available from SDB
May 13 14:54:48.958403 authd_get_interface_description:  interface name attribute not available from SDB
May 13 14:54:48.958457 authd_build_radius_nas_port_and_id: NASPortID = ge-1/0/0.32767:0, NASPort = 10000000, CallingStationID =
May 13 14:54:48.958538 Finding a client snapshot session-id:45
May 13 14:54:48.958672 Setting multi-acct-session-id to 0
May 13 14:54:48.958719 setAccountingInfo: test-access-L2
May 13 14:54:48.958761 setAccountingInfo: service accounting order 0
May 13 14:54:48.958798 updateCoaDynamicVariableValidation coaValidation: 0
May 13 14:54:48.958863 JSRC: NOT calling jsrc restore function: - notify off - jsrc id empty
May 13 14:54:48.958909 Bundle session id not found, setting to NULL
May 13 14:54:48.958946 multi-acct-session-id set to 0
May 13 14:54:48.958995 access profile: test-access-L2
May 13 14:54:48.959033 On-demand IP address set to 0
May 13 14:54:48.959089 UserAccess:test-access-QinQ:ge-1/0/0:8 session-id:45 Access-profile:test-access-L2 Multi-Acct-Session-Id:0
May 13 14:54:48.959129 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(), username=()
May 13 14:54:48.959190 AuthFsm::current state=AuthInit(0) event=1 astEntry=0x30be06c aaa msg=0x25be5e8 session-id:45
May 13 14:54:48.959242 ###################################################################
May 13 14:54:48.959275 ########################### AUTH REQ RCVD #########################
May 13 14:54:48.959307 ###################################################################
May 13 14:54:48.959338 Auth-FSM: Process Auth-Request for session-id:45
May 13 14:54:48.959377 Framework: Starting authentication
May 13 14:54:48.959415 authd_advance_module_for_aaa_request_msg: result:0
May 13 14:54:48.959456 Authd module start session-id:45
May 13 14:54:48.959488 authd_radius_start_auth: Starting RADIUS authentication session-id:45
May 13 14:54:48.959584 authd_radius_build_basic_auth_request: session-id:45 profile=test-access-L2, username=test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.959627 radius-access-request: User-Name added: test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.959662 radius-access-request: User-Password added: ""
May 13 14:54:48.959732 radius-access-request: Service-Type added: 2
May 13 14:54:48.959808 radius-access-request: Chargeable-User-Identity added:
May 13 14:54:48.959869 radius-access-request: Acct-Session-Id added: 45
May 13 14:54:48.959947 radius-access-request: DHCP-Options (Juniper-ERX-VSA) added: 35 01 01 37 07 01 03 08 37 3a 3b 52 08 04 16 16 16 16 37 04 01 03 3a 3b
May 13 14:54:48.960017 radius-access-request: DHCP-MAC-Address (Juniper-ERX-VSA) added: 0027.0100.0001
May 13 14:54:48.960079 radius-access-request: NAS-Identifier added: jtac-mx5-t-r2003
May 13 14:54:48.960132 radius-access-request: NAS-Port added: 10 00 00 00
May 13 14:54:48.960175 radius-access-request: NAS-Port-Id added: ge-1/0/0.32767:0
May 13 14:54:48.960221 radius-access-request: NAS-Port-Type added: 15
May 13 14:54:48.960285 radius-access-request: PPPoE-Description (Juniper-ERX-VSA) added: pppoe 00:27:01:00:00:01
May 13 14:54:48.960681 authd_create_application_specific_radius_server: Evaluating RADIUS server 10.219.48.248 to add to the server list
May 13 14:54:48.960723 Evaluating RADIUS server 10.219.48.248 to add to the server list
May 13 14:54:48.960760 Verify source address adb1791 in routing instance index=0
May 13 14:54:48.960872 authd_radius_server_add: server 10.219.48.248 retry 3, timeout 10

Learn more on NAS-PORT-ID format.

Solution:

This is expected behavior: 0x88a8 is the TPID used in Q-in-Q scenarios.

0x8100     VLAN-tagged frame
0x88A8     Provider Bridging

set interfaces ge-1/0/0 gigether-options ethernet-switch-profile tag-protocol-id 0x8100

smg-service traceoption

May 13 16:23:30 bbe_ifd_get_acf_profile: ifd = ge-1/0/0, vlan_type = 1, outer = 8, inner = 0
May 13 16:23:30 bbe_ifd_get_acf_profile: profile is Single-Tag-L2
May 13 16:23:30 bbe_autoconf_create_dvlan: found matching profile for ifd ge-1/0/0, profile name is Single-Tag-L2
May 13 16:23:30 bbe_autoconf_create_dvlan: vlan authentication credentials configured
May 13 16:23:30 bbe_autoconf_create_dvlan: auth_info->packet_types = 32, packet type = 8, authentication required
May 13 16:23:30 dhcp options: tot len 24
May 13 16:23:30 bbe_autoconf_create_session: Have auth_info
May 13 16:23:30 bbe_autoconf_create_session: authentication specific access_profile: test-access-L2
May 13 16:23:30 bbe_autoconf_create_session: mac address:
May 13 16:23:30 bbe_autoconf_create_session: Have mac address
May 13 16:23:30 bbe_autoconf_create_session: dhcp options: 57:;7:;May 13 16:23:30 bbe_autoconf_create_session: profile name: Single-Tag-L2$$01
May 13 16:23:30 bbe_autoconf_create_session: underlying interface: ge-1/0/0.32767
May 13 16:23:30 bbe_autoconf_create_session: physical interface: ge-1/0/0
May 13 16:23:30 bbe_autoconf_create_session: logical system: default
May 13 16:23:30 bbe_autoconf_create_session: routing instance: default
May 13 16:23:30 bbe_autoconf_create_session: username: test-access-L2:ge-1/0/0:8
May 13 16:23:30 bbe_autoconf_create_session: vlan id: 8
May 13 16:23:30 bbe_autoconf_create_session: nas port type: 15
May 13 16:23:30 bbe_autoconf_create_session: No password
 
*** authd ***

May 13 14:51:32.671243 Process/Dispatch Client Message
May 13 14:51:32.671322 New Process/Dispatch Client Message
May 13 14:51:32.671373 authd_tlv_build_list_from_struct username l =1 offset =56
May 13 14:51:32.671410 authd_tlv_build_list_from_struct profile l =1 offset =57
May 13 14:51:32.671445 authd_tlv_build_list_from_struct password l =1 offset =58
May 13 14:51:32.671482 authd_auth_aaa_msg_create: num_of_tlvs:0 tot_num_of_tlv:0
May 13 14:51:32.671524 authd_auth_aaa_msg_create: profile:()
May 13 14:51:32.671561 Process Request
May 13 14:51:32.671602 SEQ RecvClientMsg:dvlan-client session-id:44 Opcode:1, Subcode:0 (ACCESS_REQUEST)
May 13 14:51:32.671645 Taking a client snapshot, session-id:44
May 13 14:51:32.671730 getSubscriberAaaOptionsName
May 13 14:51:32.671779 authd_build_req_attr_list_from_sdb_data: The request list is from sdb
May 13 14:51:32.671817 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
May 13 14:51:32.671880  Performing domain-map check for session:44 with username:test-access-L2:ge-1/0/0:8
May 13 14:51:32.671921 domain parse-direction:RtoL, domain-delimiter: "@" username:test-access-L2:ge-1/0/0:8 domain to map:
May 13 14:51:32.671957  Performing domain-map check for session:44 with username:test-access-L2:ge-1/0/0:8
May 13 14:51:32.672004 Domain map lookup results for user:test-access-L2:ge-1/0/0:8, parsed domain:, mapped domain:default, session-id:44
May 13 14:51:32.672077 Finding a client snapshot session-id:44
May 13 14:51:32.672282 Creating SubscriberASTEntry for session-id:44, session name:test-access-L2:ge-1/0/0:8
May 13 14:51:32.672364 : Found the access-profile in the SDB for session-id:44 access-profile: test-access-L2
May 13 14:51:32.672409 Bbe Domain Id found in the SDB for session-id:44
May 13 14:51:32.672454 PhyIfdName found in the SDB for session-id:44
May 13 14:51:32.672518 aaa ls:default aaa ri:default; target ls:default target ri: default
May 13 14:51:32.672568 setTargetRoutingContextdefault:default
May 13 14:51:32.672610 Access Profile Name is <test-access-L2> on LR/RI:default:default
May 13 14:51:32.672673 authd_build_radius_nas_port_and_id: nas-port-id-format order is disabled
May 13 14:51:32.672710 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
May 13 14:51:32.672762 authd_get_auth_request_nas_attr: No Agent Circuit ID attribute from SDB
May 13 14:51:32.672802 authd_get_auth_request_nas_attr: No Agent Remote ID attribute from SDB
May 13 14:51:32.672840 authd_get_auth_request_nas_attr: No interface SVLAN attribute from SDB
May 13 14:51:32.672879 authd_get_auth_request_nas_attr: No interface ATM VPI attribute from SDB
May 13 14:51:32.672917 authd_get_auth_request_nas_attr: No interface ATM VCI attribute from SDB
May 13 14:51:32.673269 authd_get_auth_request_nas_attr: Recovered from SDB - VPI:-1 VCI:-1 NasPortType:15
May 13 14:51:32.673355 authd_get_interface_nas_port_options Interface Radius-Options for Interface ge-1/0/0 not found
May 13 14:51:32.673411 authd_get_interface_description:  interface name attribute not available from SDB
May 13 14:51:32.673560 authd_get_interface_description:  interface name attribute not available from SDB
May 13 14:51:32.673617 authd_build_radius_nas_port_and_id: NASPortID = ge-1/0/0.32767:8, NASPort = 10000008, CallingStationID =
May 13 14:51:32.673702 Finding a client snapshot session-id:44
May 13 14:51:32.673859 Setting multi-acct-session-id to 0
May 13 14:51:32.673906 setAccountingInfo: test-access-L2
May 13 14:51:32.673947 setAccountingInfo: service accounting order 0
May 13 14:51:32.673985 updateCoaDynamicVariableValidation coaValidation: 0
May 13 14:51:32.674052 JSRC: NOT calling jsrc restore function: - notify off - jsrc id empty
May 13 14:51:32.674097 Bundle session id not found, setting to NULL
May 13 14:51:32.674134 multi-acct-session-id set to 0
May 13 14:51:32.674177 access profile: test-access-L2
May 13 14:51:32.674214 On-demand IP address set to 0
May 13 14:51:32.674268 UserAccess:test-access-L2:ge-1/0/0:8 session-id:44 Access-profile:test-access-L2 Multi-Acct-Session-Id:0
May 13 14:51:32.674307 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(), username=()
May 13 14:51:32.674366 AuthFsm::current state=AuthInit(0) event=1 astEntry=0x30be06c aaa msg=0x25be06c session-id:44
May 13 14:51:32.674414 ###################################################################
May 13 14:51:32.674447 ########################### AUTH REQ RCVD #########################
May 13 14:51:32.674479 ###################################################################
May 13 14:51:32.674514 Auth-FSM: Process Auth-Request for session-id:44
May 13 14:51:32.674555 Framework: Starting authentication
May 13 14:51:32.674593 authd_advance_module_for_aaa_request_msg: result:0
May 13 14:51:32.674633 Authd module start session-id:44
May 13 14:51:32.674665 authd_radius_start_auth: Starting RADIUS authentication session-id:44
May 13 14:51:32.674763 authd_radius_build_basic_auth_request: session-id:44 profile=test-access-L2, username=test-access-L2:ge-1/0/0:8
May 13 14:51:32.674806 radius-access-request: User-Name added: test-access-L2:ge-1/0/0:8
May 13 14:51:32.674840 radius-access-request: User-Password added: ""
May 13 14:51:32.674912 radius-access-request: Service-Type added: 2
May 13 14:51:32.674985 radius-access-request: Chargeable-User-Identity added:
May 13 14:51:32.675043 radius-access-request: Acct-Session-Id added: 44
May 13 14:51:32.675119 radius-access-request: DHCP-Options (Juniper-ERX-VSA) added: 35 01 01 37 07 01 03 08 37 3a 3b 52 08 04 16 16 16 16 37 04 01 03 3a 3b
May 13 14:51:32.675182 radius-access-request: DHCP-MAC-Address (Juniper-ERX-VSA) added: 0027.0100.0001
May 13 14:51:32.675242 radius-access-request: NAS-Identifier added: jtac-mx5-t-r2003
May 13 14:51:32.675293 radius-access-request: NAS-Port added: 10 00 00 08
May 13 14:51:32.675335 radius-access-request: NAS-Port-Id added: ge-1/0/0.32767:8
May 13 14:51:32.675381 radius-access-request: NAS-Port-Type added: 15
May 13 14:51:32.675445 radius-access-request: PPPoE-Description (Juniper-ERX-VSA) added: pppoe 00:27:01:00:00:01
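
To spot this condition in a longer authd trace, the following added example (not part of the original article or of Junos) groups the `radius-access-request: ... added:` lines per request and flags any request whose NAS-Port-Id suffix differs from the VLAN ID in the User-Name. It assumes the User-Name ends in `:<vlan-id>`, as it does in the traces on this page; the function names are hypothetical.

```python
import re

# Constructed sample: authd lines taken from the two sessions shown on this page.
SAMPLE = """\
May 13 14:54:48.959627 radius-access-request: User-Name added: test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.959869 radius-access-request: Acct-Session-Id added: 45
May 13 14:54:48.960132 radius-access-request: NAS-Port added: 10 00 00 00
May 13 14:54:48.960175 radius-access-request: NAS-Port-Id added: ge-1/0/0.32767:0
May 13 14:51:32.674806 radius-access-request: User-Name added: test-access-L2:ge-1/0/0:8
May 13 14:51:32.675043 radius-access-request: Acct-Session-Id added: 44
May 13 14:51:32.675293 radius-access-request: NAS-Port added: 10 00 00 08
May 13 14:51:32.675335 radius-access-request: NAS-Port-Id added: ge-1/0/0.32767:8
"""

# Matches plain attributes; VSA lines ("... (Juniper-ERX-VSA) added:") are skipped.
ATTR = re.compile(r"radius-access-request: ([\w-]+) added: ?(.*)$")

def parse_requests(text):
    """Return one dict of attributes per Access-Request.
    A new request starts at each User-Name line, the first attribute logged."""
    requests = []
    for line in text.splitlines():
        m = ATTR.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "User-Name":
            requests.append({})
        if requests:
            requests[-1][name] = value
    return requests

def check(req):
    """Compare the VLAN in User-Name (assumed last ':' field) with NAS-Port-Id."""
    user_vlan = req.get("User-Name", "").rsplit(":", 1)[-1]
    port_vlan = req.get("NAS-Port-Id", "").rsplit(":", 1)[-1]
    return {"session": req.get("Acct-Session-Id"),
            "user_vlan": user_vlan, "nas_port_id_vlan": port_vlan,
            "nas_port": req.get("NAS-Port", "").replace(" ", ""),
            "mismatch": user_vlan != port_vlan}

def find_mismatches(text):
    return [r for r in map(check, parse_requests(text)) if r["mismatch"]]

if __name__ == "__main__":
    for r in find_mismatches(SAMPLE):
        print("session %(session)s: User-Name VLAN %(user_vlan)s, NAS-Port-Id "
              "ends :%(nas_port_id_vlan)s, NAS-Port %(nas_port)s" % r)
```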

