
[Subscriber-Management] How to limit subscribers per username per access-profile

Article ID: KB34895
Last Updated: 20 Feb 2020
Version: 2.0
Summary:

In some network scenarios there may be a need to prevent credential sharing, and BBE service providers may want to control how many sessions per username per access-profile are serviced.

Even though the number of sessions per username can be limited at the RADIUS server level, some customers want this enforced locally at the BNG level, so that once the number of subscriber sessions for a username in an access-profile reaches the configured limit, any subsequent login attempts with the same username and access-profile are rejected.

This article illustrates how to limit subscribers per username per access-profile.

Note: This feature is applicable to all types of broadband clients (PPP, DHCP and so on) and access models.

Solution:

Users can enable or disable this feature as required and specify the number of allowed sessions by using the session-limit-per-username configuration knob under the access profile. This feature is supported from Junos OS release 18.4R1. The default behavior on MX Series routers is an unlimited number of sessions per username.

Configuration

PPPOE {
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                no-traps;
                ppp-options {
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                keepalives interval 30;
                family inet {
                    unnumbered-address lo0.0;
                }
            }
        }
    }
}

labroot@jtac-mx480-r2046> show configuration access              

radius-server {
    10.219.48.248 {
        port 1812;
        accounting-port 1813;
        secret "$ABC123"; ## SECRET-DATA
        timeout 30;
        source-address 10.219.36.230;
    }
}
profile AAA {
    authentication-order radius;
    session-limit-per-username 1;
    radius {
        authentication-server 10.219.48.248;
    }
}
profile local {
    authentication-order none;
}
address-assignment {
    pool TEST {
        family inet {
            network 10.10.10.0/24;
            range ABC {
                low 10.10.10.1;
                high 10.10.10.254;
            }
        }
    }
}

In the above configuration, the number of sessions per username is limited to 1.

Now dial 10 subscribers by using the same username. Of the 10 subscribers, 9 will be rejected and only 1 will be allowed.

labroot@jtac-mx480-r2046> show network-access aaa statistics session-limit-per-username detail  

  Username              Access-profile      Blocked requests      Session count
  test@test.com         AAA                 9                     1           

labroot@jtac-mx480-r2046> show network-access aaa statistics session-limit-per-username         

  Total blocked requests: 9 <<< Rejected subscriber session login requests because session-limit-per-username was exceeded
  Total usernames exceeding session limit: 1
  Total usernames: 1

For the blocked subscribers, authd will print the following logs:

*** authd ***

Aug 19 11:00:22.640028 Process/Dispatch Client Message
Aug 19 11:00:22.640057 New Process/Dispatch Client Message
Aug 19 11:00:22.640083 authd_tlv_build_list_from_struct username l =1 offset =56
Aug 19 11:00:22.640097 authd_tlv_build_list_from_struct profile l =1 offset =57
Aug 19 11:00:22.640111 authd_tlv_build_list_from_struct password l =1 offset =58
Aug 19 11:00:22.640125 authd_auth_aaa_msg_create: num_of_tlvs:0 tot_num_of_tlv:0
Aug 19 11:00:22.640136 authd_auth_aaa_msg_create username:() profile:()
Aug 19 11:00:22.640148 Process Request
Aug 19 11:00:22.640163 SEQ RecvClientMsg:jpppd-client session-id:53 Opcode:2113, Subcode:0 (ACCESS_REQUEST)
Aug 19 11:00:22.640178 Taking a client snapshot, session-id:53
Aug 19 11:00:22.640208 getSubscriberAaaOptionsName
Aug 19 11:00:22.640226 authd_build_req_attr_list_from_sdb_data: The request list is from sdb
Aug 19 11:00:22.640243 Taking a client snapshot, session-id:53
Aug 19 11:00:22.640259 createSubscriberSession UserName (test@test.com) for session-id:53 from SDB
Aug 19 11:00:22.640287 Creating SubscriberASTEntry for session-id:53, session name:test@test.com
Aug 19 11:00:22.640311 fillSessionDBAttributes: session-id:53, ifdName: ge-2/2/5
Aug 19 11:00:22.640328 Found Bbe Flow Id 84 in SDB for session-id:53
Aug 19 11:00:22.640342 No access-profile found in the SDB for session-id:53
Aug 19 11:00:22.640355 Bbe Domain Id found in the SDB for session-id:53
Aug 19 11:00:22.640368 PhyIfdName found in the SDB for session-id:53
Aug 19 11:00:22.640382 InterfaceName found in the SDB for session-id:53
Aug 19 11:00:22.640397 aaa ls:default aaa ri:default; target ls:default target ri: default
Aug 19 11:00:22.640410 setTargetRoutingContextdefault:default
Aug 19 11:00:22.640423 Querying the access-profile for user:test@test.com on LR/RI:default:default
Aug 19 11:00:22.640435 Access Profile Name from context is <AAA>
Aug 19 11:00:22.640453 authd_build_radius_nas_port_and_id: nas-port-id-format order is disabled
Aug 19 11:00:22.640463 authd_build_req_attr_list_from_sdb_data: The request list is from aaa_msg
Aug 19 11:00:22.640475 Taking a client snapshot, session-id:53
Aug 19 11:00:22.640488 authd_get_auth_request_nas_attr: No Agent Circuit ID attribute from SDB
Aug 19 11:00:22.640498 authd_get_auth_request_nas_attr: No Agent Remote ID attribute from SDB
Aug 19 11:00:22.640507 authd_get_auth_request_nas_attr: No interface SVLAN attribute from SDB
Aug 19 11:00:22.640517 authd_get_auth_request_nas_attr: No interface ATM VPI attribute from SDB
Aug 19 11:00:22.640526 authd_get_auth_request_nas_attr: No interface ATM VCI attribute from SDB
Aug 19 11:00:22.640535 authd_get_auth_request_nas_attr: Recovered from SDB - VPI:-1 VCI:-1 NasPortType:15
Aug 19 11:00:22.640560 authd_get_interface_nas_port_options Interface Radius-Options for Interface ge-2/2/5 not found
Aug 19 11:00:22.640577 Taking a client snapshot, session-id:53
Aug 19 11:00:22.640612 Taking a client snapshot, session-id:53
Aug 19 11:00:22.640625 authd_build_radius_nas_port_and_id: NASPortID = ge-2/2/5.100:100, NASPort = 21400064, CallingStationID =
Aug 19 11:00:22.640651 Finding a client snapshot session-id:53
Aug 19 11:00:22.640705 Setting multi-acct-session-id to 0
Aug 19 11:00:22.640719 setAccountingInfo: AAA
Aug 19 11:00:22.640732 setAccountingInfo: service accounting order 0
Aug 19 11:00:22.640744 updateCoaDynamicVariableValidation coaValidation: 0
Aug 19 11:00:22.640760 updateDynamicProfile: session-id:53, old dynamic profile empty, new dynamic profile PPPOE$$01
Aug 19 11:00:22.640775 JSRC: NOT calling jsrc restore function: - notify off - jsrc id empty
Aug 19 11:00:22.640787 Bundle session id not found, setting to NULL
Aug 19 11:00:22.640798 multi-acct-session-id set to 0
Aug 19 11:00:22.640810 access profile: AAA
Aug 19 11:00:22.640822 On-demand IP address set to 0
Aug 19 11:00:22.640836 SLimit: getEligibleProfile: session-limit is ON access-profile:AAA session-id:53
Aug 19 11:00:22.640850 SLimit: processPreLogin: limit crossed for username:test@test.com access-profile:AAA session-id:53
Aug 19 11:00:22.640863 Begin to logout Subscriber
Aug 19 11:00:22.640876 subscriberLogoutV4 session-id:53
Aug 19 11:00:22.640887 subscriberLogoutV6 session-id:53
Aug 19 11:00:22.640905 UserAccess:test@test.com session-id:53 state:log-out ge-2/2/5.100:100 reason: null null
Aug 19 11:00:22.640930 findSession AST-Table couldn't find the session-id:53
Aug 19 11:00:22.640945 ../../../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_astable.cc:5160 Failed to create ASTEntry for the session-id:53
Aug 19 11:00:22.640955 processRequestCreation/Lookup of Subscriber AST-Entry failed
Aug 19 11:00:22.640967 SEQ SendClientMsg:jpppd-client session-id:53 reply-code=4 (INTERNAL ERROR), result-subopcode=0 (ACCESS_REQUEST), cookie=168 ex_cookie=0x8f rply_len=28, num_tlv_blocks=0
Aug 19 11:00:22.640986 authd_auth_aaa_msg_destruct auth_aaa_msg: 0x220e0d8
Aug 19 11:00:22.640999 findSession AST-Table couldn't find the session-id:53
Aug 19 11:00:22.740074 Process/Dispatch Client Message
Aug 19 11:00:22.740098 New Process/Dispatch Client Message
Aug 19 11:00:22.740119 authd_auth_aaa_msg_create: num_of_tlvs:2 tot_num_of_tlv:2
Aug 19 11:00:22.740130 authd_auth_aaa_msg_create username:() profile:()
Aug 19 11:00:22.740141 Process Request
Aug 19 11:00:22.740156 SEQ RecvClientMsg:jpppd-client session-id:53 Opcode:3, Subcode:15 (SESSION_LOGOUT)

Note: Enabling this feature does not tear down already existing subscriber sessions even if the number of sessions with the same username and access-profile has already exceeded the configured session-limit value.
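As an added example (not part of this KB article or of Juniper's code), the following Python script parses authd trace lines of the form shown above and rebuilds the per-username, per-access-profile blocked-request counts reported by the session-limit-per-username detail statistics command, which is useful for alerting on shared credentials from exported traces. The sample trace lines and the alert threshold are constructed for this example.

```python
import re
from collections import Counter

# Matches the authd trace line emitted when the pre-login check rejects a session, e.g.
# "SLimit: processPreLogin: limit crossed for username:test@test.com access-profile:AAA session-id:53"
LIMIT_CROSSED = re.compile(
    r"SLimit: processPreLogin: limit crossed for username:(?P<user>\S+) "
    r"access-profile:(?P<profile>\S+) session-id:(?P<sid>\d+)"
)

# Constructed sample trace (not captured from a real router): two usernames,
# one of them blocked several times, plus unrelated authd lines.
SAMPLE_TRACE = """\
Aug 19 11:00:22.640836 SLimit: getEligibleProfile: session-limit is ON access-profile:AAA session-id:53
Aug 19 11:00:22.640850 SLimit: processPreLogin: limit crossed for username:test@test.com access-profile:AAA session-id:53
Aug 19 11:00:22.640863 Begin to logout Subscriber
Aug 19 11:00:23.100001 SLimit: processPreLogin: limit crossed for username:test@test.com access-profile:AAA session-id:54
Aug 19 11:00:23.200002 SLimit: processPreLogin: limit crossed for username:alice@test.com access-profile:BBB session-id:61
Aug 19 11:00:23.300003 SLimit: processPreLogin: limit crossed for username:test@test.com access-profile:AAA session-id:55
"""

def blocked_by_user_profile(trace):
    """Count blocked login requests per (username, access-profile), like the
    'Blocked requests' column of the detail statistics command."""
    counts = Counter()
    for line in trace.splitlines():
        m = LIMIT_CROSSED.search(line)
        if m:
            counts[(m["user"], m["profile"])] += 1
    return counts

def summarize(counts, alert_threshold=2):
    """Totals mirroring the summary statistics command, plus the (username, profile)
    pairs whose blocked count reaches alert_threshold, a sign of shared credentials."""
    return {
        "total_blocked": sum(counts.values()),
        "usernames_exceeding_limit": len({user for user, _ in counts}),
        "alerts": sorted(k for k, v in counts.items() if v >= alert_threshold),
    }

if __name__ == "__main__":
    c = blocked_by_user_profile(SAMPLE_TRACE)
    print(f"{'Username':<18}{'Access-profile':<16}Blocked requests")
    for (user, profile), n in sorted(c.items()):
        print(f"{user:<18}{profile:<16}{n}")
    print(summarize(c))
```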
