Which RADIUS attribute takes effect for IETF attribute 'Filter-Id' (11) and Juniper VSA Ingress-Policy-Name (26-10)?

Article ID: KB36894 | KB Last Updated: 24 Sep 2021 | Version: 1.0

Summary:

This article explains which RADIUS attribute takes effect for the IETF attribute 'Filter-Id' (11) and the Juniper VSA Ingress-Policy-Name (26-10) in different Junos versions.

Symptoms:

Two attributes have the same meaning for a Junos device:

  1. The IETF attribute Filter-Id (11)
  2. The Juniper VSA Ingress-Policy-Name (26-10)

Which attribute takes effect when the RADIUS server returns them individually or together?

Solution:

If Filter-Id (11) or the Juniper VSA Ingress-Policy-Name (26-10) is returned from the RADIUS server individually, Junos applies the attribute value as the IPv4 ingress filter.

Feb  4 23:51:00.058654 Radius result is CLIENT_REQ_STATUS_SUCCESS
Feb  4 23:51:00.058809 Parsing RADIUS message for session-id:3
Feb  4 23:51:00.058856 radius-access-accept: Filter-Id (Juniper-ERX-VSA) received: internet
Feb  4 23:51:00.058886 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: down512k
Feb  4 23:51:00.058905 Framework - module(radius) return: SUCCESS
Feb  4 23:51:00.058916 authd_advance_module_for_aaa_response_msg: result:2
Feb  4 23:51:00.059005 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-input-filter, len:8, value: internet, encode 0
Feb  4 23:51:00.059028 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-output-filter, len:8, value: down512k, encode 0
 
Feb  4 23:51:00.255340 radius-acct-start: Acct-Authentic added: 1
Feb  4 23:51:00.255361 radius-acct-start: DHCP-MAC-Address (Juniper-ERX-VSA) added: abcd.0000.0001
Feb  4 23:51:00.255372 radius-acct-start: Egress-Policy-Name (Juniper-ERX-VSA) added: down512k
Feb  4 23:51:00.255388 radius-acct-start: Framed-IP-Address added: 100.0.0.102
Feb  4 23:51:00.255401 radius-acct-start: Framed-IP-Netmask added: 255.255.255.255
Feb  4 23:51:00.255412 radius-acct-start: Ingress-Policy-Name (Juniper-ERX-VSA) added: internet
Feb  4 23:51:00.255427 radius-acct-start: NAS-Identifier added: R2_re
Feb  4 23:51:00.255440 radius-acct-start: NAS-Port added: 00 00 0f ff
Feb  4 23:51:00.255454 radius-acct-start: NAS-Port-Id added: -0/0/0.0
Feb  4 23:51:00.255466 radius-acct-start: NAS-Port-Type added: 15
Feb  4 23:51:00.255483 radius-acct-start: Virtual-Router (Juniper-ERX-VSA) added: default:default
Feb  4 23:51:00.255500 radius-acct-start: PPPoE-Description (Juniper-ERX-VSA) added: pppoe ab:cd:00:00:00:01

Before Junos 15.1, if both Filter-Id and Ingress-Policy-Name are returned from the RADIUS server, Ingress-Policy-Name takes effect.

Feb  4 23:55:13.516399 Parsing RADIUS message for session-id:4
Feb  4 23:55:13.516460 radius-access-accept: Filter-Id (Juniper-ERX-VSA) received: internet
Feb  4 23:55:13.516495 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: up512k 
Feb  4 23:55:13.516510 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: down512k
Feb  4 23:55:13.516544 Framework - module(radius) return: SUCCESS
Feb  4 23:55:13.516557 authd_advance_module_for_aaa_response_msg: result:2
Feb  4 23:55:13.516640 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-input-filter, len:8, value: internet, encode 0
Feb  4 23:55:13.516655 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-input-filter, len:6, value: up512k, encode 0
Feb  4 23:55:13.516672 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-output-filter, len:8, value: down512k, encode 0
 
Feb  4 23:55:13.609438 radius-acct-start: Acct-Status-Type added: 1
Feb  4 23:55:13.609447 radius-acct-start: Acct-Session-Id added: 4
Feb  4 23:55:13.609466 radius-acct-start: Event-Timestamp added: 2021-02-04 23:55:13
Feb  4 23:55:13.609479 radius-acct-start: Acct-Delay-Time added: 0
Feb  4 23:55:13.609494 radius-acct-start: Service-Type added: 2
Feb  4 23:55:13.609503 radius-acct-start: Framed-Protocol added: 1
Feb  4 23:55:13.609527 storeFilterNameList failed for subscriber session-id:4 result = -7
Feb  4 23:55:13.609535 clearFilterNameList for subscriber session-id:4
Feb  4 23:55:13.609566 radius-acct-start: Acct-Authentic added: 1
Feb  4 23:55:13.609581 radius-acct-start: DHCP-MAC-Address (Juniper-ERX-VSA) added: abcd.0000.0001
Feb  4 23:55:13.609589 radius-acct-start: Egress-Policy-Name (Juniper-ERX-VSA) added: down512k
Feb  4 23:55:13.609600 radius-acct-start: Framed-IP-Address added: 100.0.0.103
Feb  4 23:55:13.609610 radius-acct-start: Framed-IP-Netmask added: 255.255.255.255
Feb  4 23:55:13.609619 radius-acct-start: Ingress-Policy-Name (Juniper-ERX-VSA) added: up512k 
Feb  4 23:55:13.609630 radius-acct-start: NAS-Identifier added: R2_re
Feb  4 23:55:13.609640 radius-acct-start: NAS-Port added: 00 00 0f ff
Feb  4 23:55:13.609648 radius-acct-start: NAS-Port-Id added: -0/0/0.0
Feb  4 23:55:13.609656 radius-acct-start: NAS-Port-Type added: 15
Feb  4 23:55:13.609668 radius-acct-start: Virtual-Router (Juniper-ERX-VSA) added: default:default
Feb  4 23:55:13.609679 radius-acct-start: PPPoE-Description (Juniper-ERX-VSA) added: pppoe ab:cd:00:00:00:01

After Junos 15.1, when both attributes are returned, the standard attribute Filter-Id takes effect and sets the IPv4 ingress filter.

Feb  5 00:03:25.646908 Radius result is CLIENT_REQ_STATUS_SUCCESS
Feb  5 00:03:25.647024 Parsing RADIUS message for session-id:5
Feb  5 00:03:25.647075 radius-access-accept: Egress-Policy-Name (Juniper-ERX-VSA) received: down512k
Feb  5 00:03:25.647180 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: up512k 
Feb  5 00:03:25.647989 radius-access-accept: Filter-Id (Juniper-ERX-VSA) received: internet 
Feb  5 00:03:25.648069 Framework - module(radius) return: SUCCESS
Feb  5 00:03:25.648081 authd_advance_module_for_aaa_response_msg: result:2
Feb  5 00:03:25.648094 Taking a client snapshot, session-id:5
Feb  5 00:03:25.648119 Taking a client snapshot, session-id:5
Feb  5 00:03:25.648182 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-output-filter, len:8, value: down512k, encode 0
Feb  5 00:03:25.648211 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-input-filter, len:8, value: internet, encode 0
 
Feb  5 00:03:25.738710 radius-acct-start: Acct-Status-Type added: 1
Feb  5 00:03:25.738719 radius-acct-start: Acct-Session-Id added: 5
Feb  5 00:03:25.738735 radius-acct-start: Event-Timestamp added: 2021-02-05 00:03:25
Feb  5 00:03:25.738745 Taking a client snapshot, session-id:5
Feb  5 00:03:25.738760 radius-acct-start: Acct-Delay-Time added: 0
Feb  5 00:03:25.738773 radius-acct-start: Service-Type added: 2
Feb  5 00:03:25.738783 radius-acct-start: Framed-Protocol added: 1
Feb  5 00:03:25.738794 Finding a client snapshot session-id:5
Feb  5 00:03:25.738862 storeFilterNameList failed for subscriber session-id:5 result = -7
Feb  5 00:03:25.738875 clearFilterNameList for subscriber session-id:5
Feb  5 00:03:25.738908 radius-acct-start: Acct-Authentic added: 1
Feb  5 00:03:25.738942 radius-acct-start: DHCP-MAC-Address (Juniper-ERX-VSA) added: abcd.0000.0001
Feb  5 00:03:25.738957 radius-acct-start: Egress-Policy-Name (Juniper-ERX-VSA) added: down512k
Feb  5 00:03:25.738971 radius-acct-start: Framed-IP-Address added: 100.0.0.104
Feb  5 00:03:25.738983 radius-acct-start: Framed-IP-Netmask added: 255.255.255.255
Feb  5 00:03:25.738992 radius-acct-start: Ingress-Policy-Name (Juniper-ERX-VSA) added: internet 
Feb  5 00:03:25.739006 radius-acct-start: NAS-Identifier added: R1_re
Feb  5 00:03:25.739018 radius-acct-start: NAS-Port added: 00 00 0f ff
Feb  5 00:03:25.739028 radius-acct-start: NAS-Port-Id added: -0/0/0.0
Feb  5 00:03:25.739037 radius-acct-start: NAS-Port-Type added: 15
Feb  5 00:03:25.739053 radius-acct-start: Virtual-Router (Juniper-ERX-VSA) added: default:default
Feb  5 00:03:25.739069 radius-acct-start: PPPoE-Description (Juniper-ERX-VSA) added: pppoe ab:cd:00:00:00:01
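
Added example (not from the Juniper article): a Python check that scans an authd trace in the format shown above, flags sessions whose Access-Accept carried both Filter-Id and Ingress-Policy-Name with different values, and reports which one the accounting-start record shows as the applied ingress filter. The function name, the constructed sample trace (condensed from the article's logs) and the assumption that a session's lines follow its "Parsing RADIUS message" line are assumptions of this example.

```python
import re

# Constructed sample, condensed from the trace format shown in this article.
SAMPLE_TRACE = """\
Feb  4 23:51:00.058809 Parsing RADIUS message for session-id:3
Feb  4 23:51:00.058856 radius-access-accept: Filter-Id (Juniper-ERX-VSA) received: internet
Feb  4 23:51:00.255412 radius-acct-start: Ingress-Policy-Name (Juniper-ERX-VSA) added: internet
Feb  4 23:55:13.516399 Parsing RADIUS message for session-id:4
Feb  4 23:55:13.516460 radius-access-accept: Filter-Id (Juniper-ERX-VSA) received: internet
Feb  4 23:55:13.516495 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: up512k
Feb  4 23:55:13.609619 radius-acct-start: Ingress-Policy-Name (Juniper-ERX-VSA) added: up512k
Feb  5 00:03:25.647024 Parsing RADIUS message for session-id:5
Feb  5 00:03:25.647180 radius-access-accept: Ingress-Policy-Name (Juniper-ERX-VSA) received: up512k
Feb  5 00:03:25.647989 radius-access-accept: Filter-Id (Juniper-ERX-VSA) received: internet
Feb  5 00:03:25.738992 radius-acct-start: Ingress-Policy-Name (Juniper-ERX-VSA) added: internet
"""

SESSION = re.compile(r"Parsing RADIUS message for session-id:(\d+)")
RECEIVED = re.compile(r"radius-access-accept: (Filter-Id|Ingress-Policy-Name) \(.*?\) received: (\S+)")
APPLIED = re.compile(r"radius-acct-start: Ingress-Policy-Name \(.*?\) added: (\S+)")

def audit_ingress_filters(trace):
    """Return one finding per session that received two conflicting ingress filter names."""
    sessions, current = {}, None
    for line in trace.splitlines():
        if m := SESSION.search(line):
            current = sessions.setdefault(m.group(1), {"received": {}, "applied": None})
        elif current is None:
            continue  # line seen before any session header; cannot attribute it
        elif m := RECEIVED.search(line):
            current["received"][m.group(1)] = m.group(2)
        elif m := APPLIED.search(line):
            current["applied"] = m.group(1)
    findings = []
    for sid, s in sessions.items():
        rx = s["received"]
        # Only the "both returned, values differ" case depends on the Junos version.
        if len(rx) == 2 and rx["Filter-Id"] != rx["Ingress-Policy-Name"]:
            winner = next((k for k, v in rx.items() if v == s["applied"]), "unknown")
            findings.append({"session": sid, "applied": s["applied"], "winner": winner})
    return findings

if __name__ == "__main__":
    for finding in audit_ingress_filters(SAMPLE_TRACE):
        print(finding)
```

Running this over traces collected before and after a Junos upgrade shows which subscribers would end up with a different ingress filter when the RADIUS server sends both attributes.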