
[Subscriber Management] Subscribers should not get connected in case of missing or wrong address pool name


Article ID: KB36462   KB Last Updated: 16 Feb 2021   Version: 1.0
Summary:

PPPoE subscribers should not get connected if the address pool name supplied via the RADIUS attribute (Framed-Pool) is missing or wrong. This requirement eases the identification of any missing or wrong address-pool entry in the RADIUS user database.

Address allocation considerations via pool name for PPPoE subscribers:
  • AAA provides a per-user address-pool name via the attribute (Framed-Pool = "DSL-pool") to assign an IPv4 address to the PPPoE subscriber.
  • All valid address pools should be configured as global address pools (access > address-pool name > address low x.x.x.x/x).
  • The subscriber should not get connected if the address-pool name attribute from AAA is wrong or missing.
Notes:
  1. The default behavior of the MX for a missing or wrong address-pool name is to allocate an IPv4 address from the first available pool under address-assignment (instance specific) or from a global address pool.
  2. For address allocation, the pool name provided by RADIUS/AAA (via the 'Framed-Pool' attribute) is preferred by default over the default pool name configured under 'access > domain > map'.
Solution:

To achieve this, a default address pool 'private200' is created that contains no IPv4 address available for allocation. If no valid address pool name is provided by AAA, the default address pool 'private200' is used (via the domain map default configuration), so no IPv4 address is assigned to the CPE and the PPPoE session fails.

For a wrong address pool name provided via the AAA attribute, the first address pool configured under 'access > address-assignment > ...' is used by default, i.e. 'private100'. As in the previous case, no IP address is allocated from the 'private100' pool and the PPPoE session fails to complete.
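The selection order described above (Framed-Pool name first, the domain-map default pool for a missing name, the first address-assignment pool for an unknown name) can be modelled to check that the two sink pools really leave nothing to allocate. The following Python is an added example written for this article, not Juniper code: it decodes the Framed-Pool attribute (RADIUS type 88, RFC 2869) from a constructed Access-Accept attribute blob, applies the simplified pool-selection rule the article states, and reports whether an address would be handed out. The pool definitions mirror the article's configuration; the attribute bytes and the pool names passed in at the bottom are constructed inputs.

```python
"""Model of the address-pool selection described in KB36462 (added example)."""
import ipaddress
import struct

FRAMED_POOL = 88  # RADIUS attribute type for Framed-Pool (RFC 2869)

# Pools as in the article's configuration. private100 and private200 each cover a
# single address that is also excluded, so neither has anything to allocate.
POOLS = {
    "private100": {"low": "192.168.100.0", "high": "192.168.100.0",
                   "excluded": {"192.168.100.0"}},
    "private200": {"low": "192.168.200.0", "high": "192.168.200.0",
                   "excluded": {"192.168.200.0"}},
    "DSL-pool": {"low": "10.200.200.50", "high": "10.200.200.100",
                 "excluded": set()},
}
ADDRESS_ASSIGNMENT_ORDER = ["private100", "private200"]  # configuration order
DOMAIN_MAP_DEFAULT_POOL = "private200"                    # access > domain > map default


def parse_attributes(blob: bytes) -> dict:
    """Parse RADIUS attribute TLVs (1-byte type, 1-byte length incl. header, value)."""
    attrs = {}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", blob[pos:pos + 2])
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(blob[pos + 2:pos + alen])
        pos += alen
    return attrs


def framed_pool_from(blob: bytes):
    """Return the Framed-Pool string from an attribute blob, or None if absent."""
    values = parse_attributes(blob).get(FRAMED_POOL)
    if not values:
        return None
    return values[0].decode("ascii", errors="replace")


def select_pool(framed_pool):
    """Apply the article's selection order; returns (pool name, reason)."""
    if framed_pool is None:
        return DOMAIN_MAP_DEFAULT_POOL, "no Framed-Pool: domain-map default pool"
    if framed_pool in POOLS:
        return framed_pool, "Framed-Pool names a configured pool"
    return ADDRESS_ASSIGNMENT_ORDER[0], "unknown Framed-Pool: first address-assignment pool"


def first_free_address(pool_name):
    """Lowest address in the pool range that is not excluded, or None if the pool is empty."""
    pool = POOLS[pool_name]
    addr = ipaddress.IPv4Address(pool["low"])
    high = ipaddress.IPv4Address(pool["high"])
    while addr <= high:
        if str(addr) not in pool["excluded"]:
            return str(addr)
        addr += 1
    return None


def session_outcome(blob: bytes) -> dict:
    """Decode Framed-Pool, pick the pool, and decide whether the session gets an address."""
    name = framed_pool_from(blob)
    pool, reason = select_pool(name)
    addr = first_free_address(pool)
    return {"framed_pool": name, "pool": pool, "reason": reason,
            "address": addr, "connected": addr is not None}


def framed_pool_attr(name: str) -> bytes:
    """Encode a Framed-Pool attribute TLV (constructed test input)."""
    value = name.encode("ascii")
    return struct.pack("!BB", FRAMED_POOL, 2 + len(value)) + value


if __name__ == "__main__":
    # Constructed inputs: a valid name, a misspelled name, and no attribute at all.
    for label, blob in [("valid", framed_pool_attr("DSL-pool")),
                        ("wrong", framed_pool_attr("DSL-pol")),
                        ("missing", b"")]:
        print(label, session_outcome(blob))
```

Only the valid name yields an address; the misspelled and missing cases land in private100 and private200 respectively and return no address, which is the failure the article relies on. The model ignores instance-specific pool lookup and any pool linking, which the article does not cover.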

Topology:

IPv4 PPPoE subscriber <----> ([vlan 3320] ge-0/0/2) MX (ge-0/0/0) <----> Radius Server(192.168.40.26)

Radius Server(@192.168.40.26) is reachable via global routing instance inet.0 table.

Configuration:

IPv4 Address Pool & domain map configuration:

access {
    address-assignment {                         ## Configured to deny address allocation (no/wrong pool name)
        pool private100 {                        ## Address pool name
            family inet {
                network 192.168.100.0/24;        ## Subnet from which /32 addresses would be allocated
                range private {                  ## Available IP range for subscriber address allocation
                    low 192.168.100.0;
                    high 192.168.100.0;
                }
                excluded-address 192.168.100.0;  ## Exclude the only available address in this pool
            }
        }
        pool private200 {                        ## Configured as the default address pool (no available IP)
            family inet {
                network 192.168.200.0/24;
                range private {
                    low 192.168.200.0;
                    high 192.168.200.0;
                }
                excluded-address 192.168.200.0;
            }
        }
    }
    domain {                   ## Map domain-id to access-profile, pool, dynamic-profile
        map default {          ## Default domain map, matches all domain-ids that are not configured
            access-profile ACCESS-FTTH;
            address-pool private200;
            dynamic-profile PPPoE;
        }
        delimiter "@";         ## Delimiter character identifying the start of the domain-id
    }
}

Other dynamic-profile and access configuration:

dynamic-profiles {
    PPPoE {
        routing-instances {                         ## Enables PPPoE/LAC subscribers inside a VRF
            "$junos-routing-instance" {
                interface "$junos-interface-name" {
                    any;
                }
            }
        }
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;
                    ppp-options {
                        chap;
                        pap;
                        mtu 1492;                   ## PPP MTU to be set during authentication
                    }
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;                     ## Enables accepting PPPoE/LAC connections
                    }
                    family inet {
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
    }
}
access {
    address-pool DSL-pool {                ## Global address pool for the AAA-provided pool name
        address-range low 10.200.200.50 high 10.200.200.100;
    }
    profile ACCESS-FTTH {                          ## Access-profile name
        accounting-order radius;    
        authentication-order radius;
        radius {
            authentication-server 192.168.40.26;       
            options {
                accounting-session-id-format description;   
                client-authentication-algorithm direct;     
            }
        }
        radius-server {
            192.168.40.26 {
                port 1812;                         ## Radius Authentication port number
                accounting-port 1813;              ## Radius Accounting port number
                dynamic-request-port 3799;         ## Radius CoA/dynamic-request port number
                secret "$ABC123";   ## SECRET-DATA
                source-address 192.168.40.6;       ## Source IP to be used for radius messages
            }
        }
    }
    domain {                              ## Map domain-id with access-profile, pool, dynamic-profile. 
        map default {                     ## Default domain map, matches all/no domain-id
            access-profile ACCESS-FTTH;
            address-pool private200;
            dynamic-profile PPPoE;
        }
        delimiter "@";                    ## Delimiter character to identify start of domain-id 
    }
}
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        unit 3320 {                                ## Static unit no. for static VLAN subscriber int.
            encapsulation ppp-over-ether;
            vlan-id 3320;                          ## single stack(dot1q) static Vlan ID for incoming PPPoE
            pppoe-underlying-options {
                dynamic-profile PPPoE;
            }
        }
    }
}