
[Subscriber Management] MX sends radius access-request with invalid NAS-Port-ID


Article ID: KB34868
KB Last Updated: 14 Aug 2019
Version: 1.0

Summary:

This article illustrates how the TPID value in the 802.1Q header can cause an MX router to send a RADIUS Access-Request with an invalid NAS-Port-ID.

Symptoms:

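When the TPID is set to 0x88a8, the MX router treats the VLAN subscriber as a dual-tag subscriber. In the traces below, the username is built as test-access-QinQ:ge-1/0/0:8, the inner VLAN tag is 0, and the NAS-Port-Id is sent as ge-1/0/0.32767:0.

set interfaces ge-1/0/0 gigether-options ethernet-switch-profile tag-protocol-id 0x88a8

smg-service traceoption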

May 13 16:21:48 bbe_ifd_get_acf_profile: ifd = ge-1/0/0, vlan_type = 1, outer = 8, inner = 0
May 13 16:21:48 bbe_ifd_get_acf_profile: profile is Single-Tag-L2
May 13 16:21:48 bbe_autoconf_create_dvlan: found matching profile for ifd ge-1/0/0, profile name is Single-Tag-L2
May 13 16:21:48 bbe_autoconf_create_dvlan: vlan authentication credentials configured
May 13 16:21:48 bbe_autoconf_create_dvlan: auth_info->packet_types = 32, packet type = 8, authentication required
May 13 16:21:48 dhcp options: tot len 24
May 13 16:21:48 bbe_autoconf_create_session: Have auth_info
May 13 16:21:48 bbe_autoconf_create_session: authentication specific access_profile: test-access-L2
May 13 16:21:48 bbe_autoconf_create_session: mac address:
May 13 16:21:48 bbe_autoconf_create_session: Have mac address
May 13 16:21:48 bbe_autoconf_create_session: dhcp options: 57:;7:;May 13 16:21:48 bbe_autoconf_create_session: profile name: Single-Tag-L2$$01
May 13 16:21:48 bbe_autoconf_create_session: underlying interface: ge-1/0/0.32767
May 13 16:21:48 bbe_autoconf_create_session: physical interface: ge-1/0/0
May 13 16:21:48 bbe_autoconf_create_session: logical system: default
May 13 16:21:48 bbe_autoconf_create_session: routing instance: default
May 13 16:21:48 bbe_autoconf_create_session: username: test-access-QinQ:ge-1/0/0:8
May 13 16:21:48 bbe_autoconf_create_session: inner vlan tag: 0
May 13 16:21:48 bbe_autoconf_create_session: nas port type: 15
May 13 16:21:48 bbe_autoconf_create_session: No password

*** authd ***

May 13 14:54:48.956078 authd_build_req_attr_list_from_sdb_data: The request list is from sdb
May 13 14:54:48.956117 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
May 13 14:54:48.956179  Performing domain-map check for session:45 with username:test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.956220 domain parse-direction:RtoL, domain-delimiter: "@" username:test-access-QinQ:ge-1/0/0:8 domain to map:
May 13 14:54:48.956256  Performing domain-map check for session:45 with username:test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.956304 Domain map lookup results for user:test-access-QinQ:ge-1/0/0:8, parsed domain:, mapped domain:default, session-id:45
May 13 14:54:48.956377 Finding a client snapshot session-id:45
May 13 14:54:48.956615 Creating SubscriberASTEntry for session-id:45, session name:test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.956699 : Found the access-profile in the SDB for session-id:45 access-profile: test-access-L2
May 13 14:54:48.956745 Bbe Domain Id found in the SDB for session-id:45
May 13 14:54:48.956791 PhyIfdName found in the SDB for session-id:45
May 13 14:54:48.956851 aaa ls:default aaa ri:default; target ls:default target ri: default
May 13 14:54:48.957500 setTargetRoutingContextdefault:default
May 13 14:54:48.957544 Access Profile Name is <test-access-L2> on LR/RI:default:default
May 13 14:54:48.957613 authd_build_radius_nas_port_and_id: nas-port-id-format order is disabled
May 13 14:54:48.957652 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
May 13 14:54:48.957704 authd_get_auth_request_nas_attr: No Agent Circuit ID attribute from SDB
May 13 14:54:48.957745 authd_get_auth_request_nas_attr: No Agent Remote ID attribute from SDB
May 13 14:54:48.957783 authd_get_auth_request_nas_attr: No interface SVLAN attribute from SDB
May 13 14:54:48.957824 authd_get_auth_request_nas_attr: No interface ATM VPI attribute from SDB
May 13 14:54:48.957861 authd_get_auth_request_nas_attr: No interface ATM VCI attribute from SDB
May 13 14:54:48.957900 authd_get_auth_request_nas_attr: Recovered from SDB - VPI:-1 VCI:-1 NasPortType:15
May 13 14:54:48.958231 authd_get_interface_nas_port_options Interface Radius-Options for Interface ge-1/0/0 not found
May 13 14:54:48.958299 authd_get_interface_description:  interface name attribute not available from SDB
May 13 14:54:48.958403 authd_get_interface_description:  interface name attribute not available from SDB
May 13 14:54:48.958457 authd_build_radius_nas_port_and_id: NASPortID = ge-1/0/0.32767:0, NASPort = 10000000, CallingStationID =
May 13 14:54:48.958538 Finding a client snapshot session-id:45
May 13 14:54:48.958672 Setting multi-acct-session-id to 0
May 13 14:54:48.958719 setAccountingInfo: test-access-L2
May 13 14:54:48.958761 setAccountingInfo: service accounting order 0
May 13 14:54:48.958798 updateCoaDynamicVariableValidation coaValidation: 0
May 13 14:54:48.958863 JSRC: NOT calling jsrc restore function: - notify off - jsrc id empty
May 13 14:54:48.958909 Bundle session id not found, setting to NULL
May 13 14:54:48.958946 multi-acct-session-id set to 0
May 13 14:54:48.958995 access profile: test-access-L2
May 13 14:54:48.959033 On-demand IP address set to 0
May 13 14:54:48.959089 UserAccess:test-access-QinQ:ge-1/0/0:8 session-id:45 Access-profile:test-access-L2 Multi-Acct-Session-Id:0
May 13 14:54:48.959129 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(), username=()
May 13 14:54:48.959190 AuthFsm::current state=AuthInit(0) event=1 astEntry=0x30be06c aaa msg=0x25be5e8 session-id:45
May 13 14:54:48.959242 ###################################################################
May 13 14:54:48.959275 ########################### AUTH REQ RCVD #########################
May 13 14:54:48.959307 ###################################################################
May 13 14:54:48.959338 Auth-FSM: Process Auth-Request for session-id:45
May 13 14:54:48.959377 Framework: Starting authentication
May 13 14:54:48.959415 authd_advance_module_for_aaa_request_msg: result:0
May 13 14:54:48.959456 Authd module start session-id:45
May 13 14:54:48.959488 authd_radius_start_auth: Starting RADIUS authentication session-id:45
May 13 14:54:48.959584 authd_radius_build_basic_auth_request: session-id:45 profile=test-access-L2, username=test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.959627 radius-access-request: User-Name added: test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.959662 radius-access-request: User-Password added: ""
May 13 14:54:48.959732 radius-access-request: Service-Type added: 2
May 13 14:54:48.959808 radius-access-request: Chargeable-User-Identity added:
May 13 14:54:48.959869 radius-access-request: Acct-Session-Id added: 45
May 13 14:54:48.959947 radius-access-request: DHCP-Options (Juniper-ERX-VSA) added: 35 01 01 37 07 01 03 08 37 3a 3b 52 08 04 16 16 16 16 37 04 01 03 3a 3b
May 13 14:54:48.960017 radius-access-request: DHCP-MAC-Address (Juniper-ERX-VSA) added: 0027.0100.0001
May 13 14:54:48.960079 radius-access-request: NAS-Identifier added: jtac-mx5-t-r2003
May 13 14:54:48.960132 radius-access-request: NAS-Port added: 10 00 00 00
May 13 14:54:48.960175 radius-access-request: NAS-Port-Id added: ge-1/0/0.32767:0
May 13 14:54:48.960221 radius-access-request: NAS-Port-Type added: 15
May 13 14:54:48.960285 radius-access-request: PPPoE-Description (Juniper-ERX-VSA) added: pppoe 00:27:01:00:00:01
May 13 14:54:48.960681 authd_create_application_specific_radius_server: Evaluating RADIUS server 10.219.48.248 to add to the server list
May 13 14:54:48.960723 Evaluating RADIUS server 10.219.48.248 to add to the server list
May 13 14:54:48.960760 Verify source address adb1791 in routing instance index=0
May 13 14:54:48.960872 authd_radius_server_add: server 10.219.48.248 retry 3, timeout 10

Learn more on NAS-PORT-ID format.

Solution:

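This is expected behavior. TPID 0x88a8 is used in Q-in-Q scenarios. With the TPID set to 0x8100, the traces below show vlan id: 8 and the NAS-Port-Id sent as ge-1/0/0.32767:8.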

0x8100     VLAN-tagged frame
0x88A8     Provider Bridging

set interfaces ge-1/0/0 gigether-options ethernet-switch-profile tag-protocol-id 0x8100

smg-service traceoption

May 13 16:23:30 bbe_ifd_get_acf_profile: ifd = ge-1/0/0, vlan_type = 1, outer = 8, inner = 0
May 13 16:23:30 bbe_ifd_get_acf_profile: profile is Single-Tag-L2
May 13 16:23:30 bbe_autoconf_create_dvlan: found matching profile for ifd ge-1/0/0, profile name is Single-Tag-L2
May 13 16:23:30 bbe_autoconf_create_dvlan: vlan authentication credentials configured
May 13 16:23:30 bbe_autoconf_create_dvlan: auth_info->packet_types = 32, packet type = 8, authentication required
May 13 16:23:30 dhcp options: tot len 24
May 13 16:23:30 bbe_autoconf_create_session: Have auth_info
May 13 16:23:30 bbe_autoconf_create_session: authentication specific access_profile: test-access-L2
May 13 16:23:30 bbe_autoconf_create_session: mac address:
May 13 16:23:30 bbe_autoconf_create_session: Have mac address
May 13 16:23:30 bbe_autoconf_create_session: dhcp options: 57:;7:;May 13 16:23:30 bbe_autoconf_create_session: profile name: Single-Tag-L2$$01
May 13 16:23:30 bbe_autoconf_create_session: underlying interface: ge-1/0/0.32767
May 13 16:23:30 bbe_autoconf_create_session: physical interface: ge-1/0/0
May 13 16:23:30 bbe_autoconf_create_session: logical system: default
May 13 16:23:30 bbe_autoconf_create_session: routing instance: default
May 13 16:23:30 bbe_autoconf_create_session: username: test-access-L2:ge-1/0/0:8
May 13 16:23:30 bbe_autoconf_create_session: vlan id: 8
May 13 16:23:30 bbe_autoconf_create_session: nas port type: 15
May 13 16:23:30 bbe_autoconf_create_session: No password
 
*** authd ***

May 13 14:51:32.671243 Process/Dispatch Client Message
May 13 14:51:32.671322 New Process/Dispatch Client Message
May 13 14:51:32.671373 authd_tlv_build_list_from_struct username l =1 offset =56
May 13 14:51:32.671410 authd_tlv_build_list_from_struct profile l =1 offset =57
May 13 14:51:32.671445 authd_tlv_build_list_from_struct password l =1 offset =58
May 13 14:51:32.671482 authd_auth_aaa_msg_create: num_of_tlvs:0 tot_num_of_tlv:0
May 13 14:51:32.671524 authd_auth_aaa_msg_create: profile:()
May 13 14:51:32.671561 Process Request
May 13 14:51:32.671602 SEQ RecvClientMsg:dvlan-client session-id:44 Opcode:1, Subcode:0 (ACCESS_REQUEST)
May 13 14:51:32.671645 Taking a client snapshot, session-id:44
May 13 14:51:32.671730 getSubscriberAaaOptionsName
May 13 14:51:32.671779 authd_build_req_attr_list_from_sdb_data: The request list is from sdb
May 13 14:51:32.671817 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
May 13 14:51:32.671880  Performing domain-map check for session:44 with username:test-access-L2:ge-1/0/0:8
May 13 14:51:32.671921 domain parse-direction:RtoL, domain-delimiter: "@" username:test-access-L2:ge-1/0/0:8 domain to map:
May 13 14:51:32.671957  Performing domain-map check for session:44 with username:test-access-L2:ge-1/0/0:8
May 13 14:51:32.672004 Domain map lookup results for user:test-access-L2:ge-1/0/0:8, parsed domain:, mapped domain:default, session-id:44
May 13 14:51:32.672077 Finding a client snapshot session-id:44
May 13 14:51:32.672282 Creating SubscriberASTEntry for session-id:44, session name:test-access-L2:ge-1/0/0:8
May 13 14:51:32.672364 : Found the access-profile in the SDB for session-id:44 access-profile: test-access-L2
May 13 14:51:32.672409 Bbe Domain Id found in the SDB for session-id:44
May 13 14:51:32.672454 PhyIfdName found in the SDB for session-id:44
May 13 14:51:32.672518 aaa ls:default aaa ri:default; target ls:default target ri: default
May 13 14:51:32.672568 setTargetRoutingContextdefault:default
May 13 14:51:32.672610 Access Profile Name is <test-access-L2> on LR/RI:default:default
May 13 14:51:32.672673 authd_build_radius_nas_port_and_id: nas-port-id-format order is disabled
May 13 14:51:32.672710 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
May 13 14:51:32.672762 authd_get_auth_request_nas_attr: No Agent Circuit ID attribute from SDB
May 13 14:51:32.672802 authd_get_auth_request_nas_attr: No Agent Remote ID attribute from SDB
May 13 14:51:32.672840 authd_get_auth_request_nas_attr: No interface SVLAN attribute from SDB
May 13 14:51:32.672879 authd_get_auth_request_nas_attr: No interface ATM VPI attribute from SDB
May 13 14:51:32.672917 authd_get_auth_request_nas_attr: No interface ATM VCI attribute from SDB
May 13 14:51:32.673269 authd_get_auth_request_nas_attr: Recovered from SDB - VPI:-1 VCI:-1 NasPortType:15
May 13 14:51:32.673355 authd_get_interface_nas_port_options Interface Radius-Options for Interface ge-1/0/0 not found
May 13 14:51:32.673411 authd_get_interface_description:  interface name attribute not available from SDB
May 13 14:51:32.673560 authd_get_interface_description:  interface name attribute not available from SDB
May 13 14:51:32.673617 authd_build_radius_nas_port_and_id: NASPortID = ge-1/0/0.32767:8, NASPort = 10000008, CallingStationID =
May 13 14:51:32.673702 Finding a client snapshot session-id:44
May 13 14:51:32.673859 Setting multi-acct-session-id to 0
May 13 14:51:32.673906 setAccountingInfo: test-access-L2
May 13 14:51:32.673947 setAccountingInfo: service accounting order 0
May 13 14:51:32.673985 updateCoaDynamicVariableValidation coaValidation: 0
May 13 14:51:32.674052 JSRC: NOT calling jsrc restore function: - notify off - jsrc id empty
May 13 14:51:32.674097 Bundle session id not found, setting to NULL
May 13 14:51:32.674134 multi-acct-session-id set to 0
May 13 14:51:32.674177 access profile: test-access-L2
May 13 14:51:32.674214 On-demand IP address set to 0
May 13 14:51:32.674268 UserAccess:test-access-L2:ge-1/0/0:8 session-id:44 Access-profile:test-access-L2 Multi-Acct-Session-Id:0
May 13 14:51:32.674307 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(), username=()
May 13 14:51:32.674366 AuthFsm::current state=AuthInit(0) event=1 astEntry=0x30be06c aaa msg=0x25be06c session-id:44
May 13 14:51:32.674414 ###################################################################
May 13 14:51:32.674447 ########################### AUTH REQ RCVD #########################
May 13 14:51:32.674479 ###################################################################
May 13 14:51:32.674514 Auth-FSM: Process Auth-Request for session-id:44
May 13 14:51:32.674555 Framework: Starting authentication
May 13 14:51:32.674593 authd_advance_module_for_aaa_request_msg: result:0
May 13 14:51:32.674633 Authd module start session-id:44
May 13 14:51:32.674665 authd_radius_start_auth: Starting RADIUS authentication session-id:44
May 13 14:51:32.674763 authd_radius_build_basic_auth_request: session-id:44 profile=test-access-L2, username=test-access-L2:ge-1/0/0:8
May 13 14:51:32.674806 radius-access-request: User-Name added: test-access-L2:ge-1/0/0:8
May 13 14:51:32.674840 radius-access-request: User-Password added: ""
May 13 14:51:32.674912 radius-access-request: Service-Type added: 2
May 13 14:51:32.674985 radius-access-request: Chargeable-User-Identity added:
May 13 14:51:32.675043 radius-access-request: Acct-Session-Id added: 44
May 13 14:51:32.675119 radius-access-request: DHCP-Options (Juniper-ERX-VSA) added: 35 01 01 37 07 01 03 08 37 3a 3b 52 08 04 16 16 16 16 37 04 01 03 3a 3b
May 13 14:51:32.675182 radius-access-request: DHCP-MAC-Address (Juniper-ERX-VSA) added: 0027.0100.0001
May 13 14:51:32.675242 radius-access-request: NAS-Identifier added: jtac-mx5-t-r2003
May 13 14:51:32.675293 radius-access-request: NAS-Port added: 10 00 00 08
May 13 14:51:32.675335 radius-access-request: NAS-Port-Id added: ge-1/0/0.32767:8
May 13 14:51:32.675381 radius-access-request: NAS-Port-Type added: 15
May 13 14:51:32.675445 radius-access-request: PPPoE-Description (Juniper-ERX-VSA) added: pppoe 00:27:01:00:00:01
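
The following check is an added example, not part of the original article or of Junos: it scans an authd trace for Access-Requests in which the VLAN ID at the end of User-Name differs from the one at the end of NAS-Port-Id, which is the symptom shown above. It assumes the User-Name ends in ":<vlan>" as in this article's traces; the function names are hypothetical.

```python
import re

# Constructed sample: five lines copied from the two authd traces in this article
# (first request traced with TPID 0x88a8, second with TPID 0x8100).
SAMPLE = """\
May 13 14:54:48.958457 authd_build_radius_nas_port_and_id: NASPortID = ge-1/0/0.32767:0, NASPort = 10000000, CallingStationID =
May 13 14:54:48.959627 radius-access-request: User-Name added: test-access-QinQ:ge-1/0/0:8
May 13 14:54:48.960175 radius-access-request: NAS-Port-Id added: ge-1/0/0.32767:0
May 13 14:51:32.674806 radius-access-request: User-Name added: test-access-L2:ge-1/0/0:8
May 13 14:51:32.675335 radius-access-request: NAS-Port-Id added: ge-1/0/0.32767:8
"""

USER_RE = re.compile(r"^(.*?) radius-access-request: User-Name added: (\S+)")
PORT_RE = re.compile(r"radius-access-request: NAS-Port-Id added: (\S+)")


def tail_vlan(value):
    """Return the integer after the last ':' in value, or None if there is none."""
    _, sep, tail = value.rpartition(":")
    return int(tail) if sep and tail.isdigit() else None


def find_mismatches(log_text):
    """Pair each User-Name with the NAS-Port-Id that follows it and report
    requests where the two carry different VLAN IDs."""
    findings = []
    pending = None  # (timestamp, user_name) of the request being built
    for line in log_text.splitlines():
        m = USER_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = PORT_RE.search(line)
        if m and pending:
            ts, user = pending
            port_id = m.group(1)
            user_vlan, port_vlan = tail_vlan(user), tail_vlan(port_id)
            # Assumption: User-Name ends in ":<vlan>" as in this article's traces.
            if user_vlan is not None and user_vlan != port_vlan:
                findings.append({"time": ts, "user_name": user,
                                 "nas_port_id": port_id,
                                 "user_vlan": user_vlan, "port_vlan": port_vlan})
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE):
        print(f"{f['time']}: {f['user_name']} sent with NAS-Port-Id {f['nas_port_id']}")
```

Run against the sample, only the request traced with TPID 0x88a8 is reported; the request traced with TPID 0x8100 passes.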

