I've been working with Subscriber Management using DHCP and a FreeRadius server and have been quite successful. Of course, once my company heard that it is possible for customers to bring their public IP address with them to another location, I get to work on this matter 🙂
All relevant configuration is below. I feel I'm very close to the solution, but I just need the final 2%.
A) The MX80 is able to reach the FreeRadius server;
B) If I deactivate ppp-options { pap } and have a DHCP pool configured, then the client just gets an IP address from the pool. This is not what I want. I want to specify the IP address per customer.
C) Debugging the FreeRadius actions (freeradius -X), I can see that the user is authenticated successfully with the given password. What do I need to send back to the Juniper? Framed-IP-Address, I suppose; I use this for DHCP as well. The address just doesn't get bound to the dynamic pp0 interface.
DYNINTF-PPPOE-TEST {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
            routing-options {
                access {
                    route $junos-framed-route-ip-address-prefix {
                        next-hop "$junos-framed-route-nexthop";
                        preference 4;
                    }
                }
                access-internal {
                    route $junos-subscriber-ip-address {
                        qualified-next-hop "$junos-interface-name";
                    }
                }
            }
        }
    }
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                ppp-options {
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                keepalives interval 60;
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
}
VLAN-PROFILE {
    interfaces {
        demux0 {
            unit "$junos-interface-unit" {
                proxy-arp;
                vlan-id "$junos-vlan-id";
                demux-options {
                    underlying-interface "$junos-interface-ifd-name";
                }
                family pppoe {
                    duplicate-protection;
                    dynamic-profile DYNINTF-PPPOE-TEST;
                }
            }
        }
    }
}
access-profile local;
interfaces {
    ge-1/1/1 {
        description "PPPoE test interface";
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile VLAN-PROFILE {
                    accept pppoe;
                    ranges {
                        any;
                    }
                }
                access-profile access-test-profile;
            }
        }
        encapsulation flexible-ethernet-services;
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.120.120.1/32;
            }
        }
    }
}
access {
    radius-server {
        xxxx {
            secret ""; ## SECRET-DATA
            source-address xxxx;
        }
    }
    domain-name-server {
        xxxx;
        xxxx;
    }
    profile local {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server xxxx;
            accounting-server xxxx;
        }
        radius-server {
            xxxx {
                secret ""; ## SECRET-DATA
                source-address xxxx;
            }
        }
        accounting {
            order radius;
        }
    }
    profile access-test-profile {
        authentication-order radius;
        radius {
            authentication-server xxxx;
        }
        radius-server {
            xxxx {
                secret ""; ## SECRET-DATA
                source-address xxxx;
            }
        }
    }
Best Answer
You will need Framed-IP-Address for sure. According to the configuration which you are using I am not sure what other parameters you will need to configure.
In order to use PAP/CHAP authentication you have to configure Cleartext-Password in your freeradius.
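As an added example (not code from the original post, FreeRADIUS or Junos), this Python code follows RFC 2865 to show how a PAP password is hidden under the RADIUS shared secret, why the server needs the subscriber's cleartext password to check a CHAP response, and how Framed-IP-Address is encoded in the Access-Accept. The shared secret, password, challenge, packet identifier and the 192.0.2.10 address are constructed sample values.

```python
import hashlib, hmac, socket, struct

# Constructed sample values; none of them come from the original post.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))            # Request Authenticator from the Access-Request
PASSWORD = b"subscriber-password-over-16-bytes"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password, secret, req_auth):
    """RFC 2865 5.2: how the NAS hides a PAP password in User-Password."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_recover(hidden, secret, req_auth):
    """Server side: anyone holding the shared secret gets the password back."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_ok(cleartext, chap_password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident (1 byte) + MD5(ident + password + challenge)."""
    ident, digest = chap_password[:1], chap_password[1:]
    expected = hashlib.md5(ident + cleartext + challenge).digest()
    return hmac.compare_digest(expected, digest)

def access_accept(ident, req_auth, secret, framed_ip):
    """Access-Accept (code 2) carrying Framed-IP-Address (attribute 8, length 6)."""
    attrs = struct.pack("!BB", 8, 6) + socket.inet_aton(framed_ip)
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, REQ_AUTH)
    print("PAP recovered:", pap_recover(hidden, SECRET, REQ_AUTH))
    challenge = bytes(range(16, 32))
    chap = b"\x01" + hashlib.md5(b"\x01" + PASSWORD + challenge).digest()
    print("CHAP ok:", chap_ok(PASSWORD, chap, challenge))
    print("Accept:", access_accept(7, REQ_AUTH, SECRET, "192.0.2.10").hex())
```

Because the PAP hiding rests entirely on the shared secret, the `secret` values in the access profiles should be long and random.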