Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SBR] Processing (COA/DM) Messages from Proxy Target

0

0

Article ID: KB36359 KB Last Updated: 22 Dec 2020Version: 1.0
Summary:

This article talks about proxy target configuration and also explains the workflow when a (CoA/DM) disconnect is issued from the proxy target.

 

Solution:

Consider a proxy setup as below:

NAS(10.212.15.98)-> Proxy Server (10.212.10.223)[standalone]-> Proxy Target(10.212.10.89)[Standalone]

Proxy Server Configuration

# more proxy.ini
;[Processing]
Suffix
[Configuration]
;RealmPrefix = /
RealmSuffix = @

[Realms]
abc

# more abc.pro
[Acct]
Enable = 1

[Targets]
radius-coa-proxy-target=1
[DynAuth]
IncludeDeviceModel = 1

# radius.ini
[DynAuthProxy]
Enable = 1
CheckReversePath = yes
ForwardMethod = session-table
[Logging]
LogLevel=2
TraceLevel=1

# dbclusterlocal.gen
[Configuration]
; enable IncludeDynAuth if dynamic authorization proxy is enabled
IncludeDynAuth = 1
# Dbc_mapping.xml
(changes to get the session details for these below attributes in SessionControlScript)
At the end of xml:
------
    <attributeMapping field="Sbr_NasClientName"     attribute="Funk-NAS-Identifier">
    </attributeMapping>
    <attributeMapping field="Sbr_NasDeviceModel"    attribute="Funk-Device-Model">
    </attributeMapping>
    <attributeMapping field="Sbr_ProxyState"        attribute="Funk-Proxy-State">
    </attributeMapping>
    <attributeMapping field="Sbr_ProxyRealm"        attribute="Funk-Realm-Name">
    </attributeMapping>
</dbcMapping>

Now let us see the SBR UI configuration that is needed:

  1. Create a RADIUS client with a valid name (name should be NAS name) and Description. Give the IP address as NASIPAddress.

  1. In RADIUS Client > Advanced Configuration, set the COA/DM port as 3799. Provide the COA shared secret and POD shared secret.

  1. Also, create the target proxy and give its IP address.

Proxy Target Configuration

Add “NAS-IP-Address” and “NAS-Identifier” as the required attributes for the "- Standard Radius -” device model as shown below:

deviceModels.xml:
<controlledDeviceModels>
    <controlledDeviceModel id="- Standard Radius -" vendor="juniper" model="Standard RADIUS DM Support" dictionary="radius">
        <radiusPorts>
            <!--specifies default port, can be changed per device -->
            <radiusPort name="RFC3576" description="Dynamic Authorization via RADIUS" port="3799"/>
        </radiusPorts>
        <actions>
            <action name="query">
                <localSessionQuery description="return local session data"/>
            </action>
            <action name="disconnect">
                <radiusRequest description="RFC 3576 Disconnect Message" code="DM" portName="RFC3576" dictionary="radius">
                    <attributes>
                        <requiredAttribute name="Acct-Session-Id"/>
                        <requiredAttribute name="NAS-IP-Address"/>
                        <requiredAttribute name="NAS-Identifier"/>
                    </attributes>
                    <onSuccess>
                        <!--this device does not send Stop when we knock someone off -->
                        <sessionStop description="Simulated Session Stop"/>
                    </onSuccess>
                    <onFailure>
                        <!--assume bad session record -->
                        <sessionStop description="Cleaning Session Database"/>
                    </onFailure>
                    <onTimeout/>
                </radiusRequest>
            </action>
        </actions>
    </controlledDeviceModel>
  1. Create a RADIUS client that is the same as that configured in the Proxy Server, except the IP Address, which should be the Proxy Server IP Address.

  1. In RADIUS Client > Advanced Configuration, set the COA/DM port as 3799. Provide the COA shared secret and POD shared secret as that given for the Proxy Server.

  1. Execute a Proxy Disconnect from target:

After the proxy disconnect from target, observe that the session gets deleted both in the Proxy Target and Proxy Server machine.

Find the packet flow as below:

Packet flow

     NAS                                               Proxy                                   Proxy target

     |     Accounting request                            |           Proxy request                     |
     |    ----------------------------->                 |  ---------------------------------->        |
     |     Accounting response                           |           Proxy response                    |
     |    <-------------------------------               |  <----------------------------------        |
     |                                                   |                                             |
     |                                                   |           Proxy Disconnect request          |
     |                                                   |     < -------------------------------       |
     |              UDP Dyn Auth request                 |                                             |                             
     |      <--------------------------------            |                                             |
     |              UDP Dyn Auth response                |                                             |                             
     |     -------------------------------->             |                                             |
     |                                                   |           Proxy Disconnect ACK              |
     |                                                   |     --------------------------------->      |

Limitation

Note that SBR does not support a disconnect from more than one NAS in a proxy scenario.

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search