SBR Change of Authorization (CoA) and the MX Series
Junos Networking Technologies
Day One: SBR Change of Authorization (CoA) and the MX Series
By John Rolfe

Build an MX subscriber management solution along with RADIUS authentication, authorization, accounting, and Change of Authorization (CoA) using Juniper's Steel-Belted Radius.

This book describes the steps needed to build an MX subscriber management solution along with RADIUS authentication, authorization, accounting, and change of authorization using Juniper's Steel Belted Radius (SBR). The author walks you through the process, step by step: setting up a dynamic profile on the MX, setting firewall filters/policers in the profile via RADIUS, and then changing those values via RADIUS CoA. John Rolfe then guides you through the required XML envelopes, setting up a web server, and implementing a self-service portal to invoke the CoA, using an HTML web page with a PHP script built on XAMPP (from Apache Friends), which includes the Apache web server, PHP, Perl, and other components.

Day One: SBR Change of Authorization (CoA) and the MX Series is meant for the lab, for a day exploring the basic tenets of software defined networks (SDN) by using the MX Series, Junos, and SBR to create a CoA solution. Juniper CoA solutions can enable a number of network use cases, from automating service provisioning, to credit card authorization portals, to self-service portals for network and subscriber provisioning. Learn the basics here, in a day, and you'll be able to explore these and other use cases for your own network needs.

Juniper Networks Books are singularly focused on network productivity and efficiency. Peruse the complete library at www.juniper.net/books.

Published by Juniper Networks Books
ISBN: 978-1-936779-63-5 (print)
ISBN: 978-1-936779-64-2 (ebook)

Contents
Chapter 1: MX Dynamic Subscriber Management
Chapter 2: Setting Up the MX (page 15)
Chapter 3: Adding SBR to the Configuration (page 27)
Chapter 4: Basic CoA Setup Using SBR GUI (page 51)
Chapter 5: Simple Web Portal (page 65)

© 2013 by Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. Junose is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Author: John Rolfe
Technical Reviewers: Hartmut Schroeder, Wayne Brassem, Jon Canchola, and Devasena Morrissette
Editor in Chief: Patrick Ames
Copyeditor and Proofer: Nancy Koerbel
J-Net Community Manager: Julie Wider

About the Author
John Rolfe has over 30 years of experience in the networking industry. He is presently a consulting system engineer in the Technologies and Solution group at Juniper Networks, focusing on identity and policy management as well as network management systems. Prior to Juniper Networks, he worked in the VoIP industry with session border controllers at NexTone. Prior to that, he spent seven years in the semiconductor industry, primarily in network processing silicon with Agere.

Author's Acknowledgments
Thank you to everyone involved in making this book, especially my family.

Printed in the USA by Vervante Corporation.
Version History: v1, March 2013.
This book is available in a variety of formats at http://www.juniper.net/dayone. Send your suggestions, comments, and critiques by email to dayone@juniper.net.

Welcome to Day One
This book is part of a growing library of Day One books, produced and published by Juniper Networks Books. Day One books were conceived to help you get just the information that you need on day one. The series covers Junos OS and Juniper Networks networking essentials with straightforward explanations, step-by-step instructions, and practical examples that are easy to follow. The Day One library also includes a slightly larger and longer suite of This Week books, whose concepts and test bed examples are more similar to a weeklong seminar.

You can obtain either series, in multiple formats:
- Download a free PDF edition at http://www.juniper.net/dayone.
- Get the ebook edition for iPhones and iPads from the iTunes Store. Search for Juniper Networks Books.
- Get the ebook edition for any device that runs the Kindle app (Android, Kindle, iPad, PC, or Mac) by opening your device's Kindle app and going to the Kindle Store. Search for Juniper Networks Books.
- Purchase the paper edition at either Vervante Corporation (www.vervante.com) or Amazon (amazon.com) for between $12-$28, depending on page length.

Note that Nook, iPad, and various Android apps can also view PDF files. If your device or ebook app uses epub files, but isn't an Apple product, open iTunes and download the epub file from the iTunes Store. You can now drag and drop the file out of iTunes onto your desktop and sync with your epub device.

What You Need to Know Before Reading This Book
Before reading this book, you should be familiar with the basic administrative functions of the Junos operating system, including the ability to work with operational commands and to read, understand, and change Junos configurations. There are several books in the Day One library on exploring and learning Junos, at www.juniper.net/dayone.

This book also makes a few assumptions about you, the reader:
- You are versed in authentication principles.
- You have operational experience with the MX Series.
- You have a basic understanding of Linux and editing text files in Linux.
- You have a good understanding of Junos and know enough about XML to, well, get by.

After Reading This Book, You'll Be Able To:
- Handle DHCP subscribers using the MX DHCP local server
- Configure IP demux on the subscriber interface
- Create QoS configuration templates for deployment
- Build dynamic profiles using the firewall filter/policer for QoS
- Use SBR Carrier with the Session Control Module (SCM) for CoA
- Utilize the SBR Carrier XML over HTTPS API
- Perform PHP scripting to implement the HTTPS XML POST
- Build a basic Apache web server page

About Change of Authorization
This book describes the steps needed to deploy an MX subscriber management solution along with RADIUS authentication, authorization, accounting, and Change of Authorization using Juniper's Steel Belted Radius (SBR). The book walks you through a basic dynamic profile on the MX step by step, setting firewall filters/policers in the profile via RADIUS, and then changing those values via RADIUS CoA. The final chapter guides you through the required XML envelopes, setting up a web server, and implementing a self-service portal to invoke the CoA. It utilizes an HTML web page with a PHP script built on XAMPP (from Apache Friends), which includes the Apache web server along with PHP, Perl, and other components.

This Juniper Networks solution enables a number of network use cases, including:
- Automating service provisioning
- Self-service portal for network and subscriber provisioning
- Captive portal services for delinquent accounts/terms and conditions
- Service provider Wi-Fi captive portal
- Credit card authenticating portals
- Content sources optimizing sessions (for example, pay-per-view video)

The configuration for all of these use cases goes beyond the scope of this book, so let's concentrate our efforts on the self-service portal and get it done in a day. You can then explore the use cases that interest you or your network.

MORE? For VLAN models, please see Day One: Dynamic Subscriber Management at http://www.juniper.net/dayone. This is also a good resource for Class of Service issues in Dynamic Subscriber Management.

Chapter 1: MX Dynamic Subscriber Management
The Lab Setup (page 10)
The Basic Use Case and Flow (page 11)
Change of Authorization (CoA) (page 13)

This chapter introduces you to RADIUS-based dynamic subscriber management on the MX Series, along with the concepts of Junos variables ($junos) in the MX and how those concepts relate to RADIUS attributes. This chapter may seem like a recap of another Day One book, Day One: Dynamic Subscriber Management, but it includes an introduction to the concept of in-session changes (Change of Authorization, or CoA) and some of the use cases associated with it.

In this book you'll see how Juniper's subscriber management solution (the MX Series and Steel Belted RADIUS) can be controlled by external web pages or systems invoking dynamic changes on the subscriber session. While this book focuses on dynamic changes to the firewall filter, any RADIUS-controlled attribute could be used, depending on your use case. Which is kind of cool.

The remainder of the book then goes through the steps necessary to configure, test, and troubleshoot the required MX, SBR, and Apache systems to implement a self-service portal. There's a logical progression to the setup, with the ultimate goal of portal-based CoA. The concepts you learn should allow you to execute proof-of-concept and lab testing scenarios for yourself, as well as gain a hands-on understanding of what can be done to the subscriber's connection parameters via external systems.

The Lab Setup
Figure 1.1 shows the basic lab configuration used for this book. The leftmost device is simply a DHCP client, which happens to be a Windows PC with an Ethernet connection to the MX. This connection emulates our subscriber. Also connected to the MX is another PC, running the Apache server software, which is also our SSH/Telnet client to the other systems. The SBR system in Figure 1.1 is a CentOS Linux machine running SBR Carrier with the Session Control Module (SCM) license.

NOTE The SBR server can be installed in a CentOS Linux VM on the same PC running Apache; place it in bridged mode so it has its own IP address.

NOTE SBR needs to run on Red Hat Enterprise Server in production networks, but CentOS is binary compatible and freely available. SBR also runs in a SPARC Solaris environment.

The SCM license allows SBR to implement CoA to the MX, as well as being the authentication and authorization server for the subscriber on

Chapter 5: Simple Web Portal

This chapter introduces you to how to script a simple self-service portal in HTML and PHP that allows the subscriber to change the firewall filter on their connection using the XML over HTTPS API within SBR. If you need to expand its usage, any CoA attributes, such as scheduler maps, firewall filters, IGMP, and IPv6, can be changed. The supported vendor-specific attributes for use with CoA on the MX are listed in Table 5.1.

Table 5.1 Supported Juniper Networks Vendor-Specific Attributes (VSAs) for Use with CoA

    VSA                              Attribute
    Ingress-Policy-Name              Input policy name to apply to client interface
    Egress-Policy-Name               Output policy name to apply to client interface
    IGMP-Enable                      Enable or disable IGMP on a client interface
    LI-Action                        Traffic mirroring action
    Med-Dev-Handle                   Link to which traffic mirroring is applied
    Service-Statistics               Enable or disable statistics for the service
    IGMP-Access-Group-Name           Access list to use for the group filter
    IGMP-Access-Source-Group-Name    Access list to use for the source-group filter
    MLD-Access-Group-Name            Access list to use for the group filter
    MLD-Access-Source-Group-Name     Access list to use for the source-group filter
    MLD-Version                      MLD protocol version
    IGMP-Version                     IGMP protocol version
    IGMP-Immediate-Leave             IGMP immediate leave
    MLD-Immediate-Leave              MLD immediate leave
    IPv6-Ingress-Policy-Name         Input policy to apply to a user IPv6 interface
    IPv6-Egress-Policy-Name          Output policy to apply to a user IPv6 interface
    CoS-Shaping-Pmt-Type             CoS traffic shaping parameter type
    Interface-Set-Name               Interface set to apply to the dynamic profile
    Service-Interim-Acct-Interval    Amount of time between accounting interims for this service
    CoS-Scheduler-Pmt-Type           CoS scheduler parameter types

In this book, the focus is on changing the egress firewall filter; however, if you examine the attribute list in Table 5.1, it's clear that many other actions can be performed. For the use case in this book, the subscriber connects to the portal, and the portal uses the IP address of the subscriber as the search criterion for the session in SBR. The portal has a simple radio button selection for 2M, 5M, or 10M service, as defined in deviceModels.xml (Chapter 4). Selecting the radio button issues the XML request to SBR using the API. As you can see, the web portal is very simple:

Loading XAMPP and the Startup of Apache on Windows
For this example, you will be loading XAMPP, from Apache Friends, which is a packaging of the Apache web server along with Perl, PHP, MySQL, and other useful tools like FileZilla. This is sometimes called a LAMP server (Linux, Apache, MySQL, and PHP), but in this case only the web server and PHP are used. Using your favorite web browser, surf to http://www.apachefriends.org/en/xampp.html and download the distribution for your system. Windows is being used in this book with the 1.8.1 release of XAMPP (highly recommended, since no modifications to the configuration are needed). Earlier versions of XAMPP do not enable cURL (Client URL) by default, which is used to make the call to SBR. Follow the Wizard setup and you should see the following:

After the installation is complete, XAMPP comes with a control panel that must be started. The control panel allows quick and easy restarting of the Apache service. To test Apache quickly, click on Start, and then, using your browser, type localhost in the navigation toolbar; the XAMPP startup window should appear.

NOTE If using a Windows machine, sometimes the Windows web server IIS is enabled, preventing Apache from starting. Only one process can use port 80 at a time, and IIS needs to be disabled to allow Apache to start.

NOTE Firewalls can also block Apache. If there are issues starting or communicating with Apache, you might want to check here.

MORE? If you still have issues getting Apache to run, searching for your problem in the XAMPP FAQ can often resolve it: http://www.apachefriends.org/en/faq-xampp.html

Scripting the Self-Service Portal
Our self-service portal web page, shown previously, is shown here in HTML and PHP, and is called order.php:

    order.php file
    Self Service Portal
    Please select your NEW service
    Basic 2M Service
    Premium 5M Service
    Ultimate 10M Service

XAMPP, by default, is installed on a Windows machine directly on the C: drive in c:\xampp. Within the xampp directory is a directory called htdocs, and htdocs is the directory that Apache looks in for web pages to be viewed by a browser. Go inside htdocs, create another directory called xampp, and place the order.php file in there, so: c:\xampp\htdocs\xampp\order.php. The URL for this web page becomes http:///xampp/order.php, since Apache defaults to htdocs. To test on the local machine, try http://localhost/xampp/order.php.

To make order.php work, a few lines in the script may need explanation. The image line requires a file named juniperlogo.jpg to be in \xampp\htdocs\xampp\img. Of course, any JPEG file works here: other logos, pictures of cats, or anything, just make sure the file name matches exactly.

    $ip = $_SERVER['REMOTE_ADDR'];
    $hostaddress = gethostbyaddr($ip);

The first line sets the $ip variable equal to the IP address of the client coming to the web page, and the second line sets $hostaddress to the client's host name, if available. These are displayed on the web page using:

    print "Hello:\n";
    print "$ip\n";
    print "Also Known as:\n";
    print "$hostaddress\n";
    ?>

Finally, the order.php file is just the web page, including the line:

The cURL function $getfromssr is a simple HTTPS connect, with username and password, to the SBR host, which then POSTs the XML envelope selected by the if and elseif statements. The XML envelopes contain the action name and the Framed-IP-Address of the client requesting it. That's all that's required by the API in SBR. To fulfill the action, SBR takes the Framed-IP-Address and searches the session table for the NAS-IP-Address along with the Acct-Session-ID corresponding to the Framed-IP-Address.

Testing the Portal
Now that the HTML and PHP code are loaded onto the Apache server, the client PC should be able to connect to the self-service portal web page. Let's go to http:///xampp/order.php. That should bring up the main self-service portal. If you select the Ultimate 10M Service radio button and submit, the resulting page should be as follows: the radiobutton.php script prints the selected radio button from the order.php page and also prints, in bold, "Please Enjoy your new service". Very cool.

SBR Logs for XML API
When using the XML API, the SBR logs show a significant amount of information regarding the transaction. The log output from SBR has been broken up here, with the first piece of information being the connection and the incoming XML envelope. The POST received at SBR is shown in the raw request, along with the root user authentication.

NOTE If using root is not an option (some installations have strict policies on root users), you can use a different username. You do that by defining another administrator in the SBR admin GUI with superuser privileges, and then using that user's credentials in the getfromssr routine.

    12/06/2012 17:09:53.356 (2196): MCI notification in admin session; incoming session
    12/06/2012 17:09:53.356 (2196): MDI notification in admin session; data is available
    12/06/2012 17:09:53.356 (2196): admin interface incoming raw request (378 bytes):
    12/06/2012 17:09:53.356 (2196): 000: 504f5354 202f7363 732f7265 71756573 |POST /scs/reques|
    12/06/2012 17:09:53.356 (2196): 010: 742f2048 5454502f 312e310d 0a417574 |t/ HTTP/1.1..Aut|
    12/06/2012 17:09:53.356 (2196): 020: 686f7269 7a617469 6f6e3a20 42617369 |horization: Basi|
    12/06/2012 17:09:53.356 (2196): 030: 6320636d 39766444 70445957 31735957 |c cm9vdDpDYW1sYW|
    12/06/2012 17:09:53.356 (2196): 040: 49784d6a 4d3d0d0a 486f7374 3a203130 |IxMjM=..Host: 10|
    [remaining rows of the dump survive only in their ASCII column: the rest of the Host header (10.10.10.102:1813), Accept */*, Content-Length, Content-Type application/x-www-form-urlencoded, and the XML envelope ending in the attribute with name Framed-IP-Address and value '10.10.10.51']
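The trace above writes the entire request, Authorization header included, into the SBR log, which is why the NOTE about a dedicated administrator matters. The following added example (mine, not code from the book or from Juniper) reassembles a dump in that row format back into the raw request and reports only the administrator's username and password length from the Basic header; the log layout follows the trace on the page, while the request bytes and the one-line XML body are constructed, since the page does not show the full envelope.

```python
"""Reassemble an SBR admin-interface request dump and check what it exposes.
Added example, not from the book or from Juniper. Row layout mirrors the
trace on the page; request bytes and the XML line are constructed."""
import base64
import re

# One dump row, e.g.
# 12/06/2012 17:09:53.356 (2196): 010: 742f2048 5454502f 312e310d 0a417574 |t/ HTTP/1.1..Aut|
ROW = re.compile(r"^\S+ \S+ \(\d+\): ([0-9a-f]{3}): ((?:[0-9a-f]{2,8} ?)+)\s*\|")


def sbr_dump_lines(raw, ts="12/06/2012 17:09:53.356", pid=2196):
    """Constructed stand-in for the SBR trace: 16 bytes per row, hex words plus ASCII."""
    lines = [f"{ts} ({pid}): admin interface incoming raw request ({len(raw)} bytes):"]
    for off in range(0, len(raw), 16):
        chunk = raw[off:off + 16]
        words = " ".join(chunk[i:i + 4].hex() for i in range(0, len(chunk), 4))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{ts} ({pid}): {off:03x}: {words:<35} |{text}|")
    return lines


def reassemble_request(log_lines):
    """Rebuild the raw request from the hex column; rows are keyed by offset
    so interleaved or reordered log lines still land in the right place."""
    rows = {}
    for line in log_lines:
        m = ROW.match(line)
        if m:
            rows[int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return b"".join(rows[off] for off in sorted(rows))


def basic_auth_identity(raw_request):
    """Return (username, password length) from an HTTP Basic header, or None.
    The password itself is deliberately not returned: the point is that the
    SBR admin credential is recoverable from this log, not to print it."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for header in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = header.partition(":")
        value = value.strip()
        if name.strip().lower() == "authorization" and value[:6].lower() == "basic ":
            user, _, password = base64.b64decode(value[6:]).decode("latin-1").partition(":")
            return user, len(password)
    return None


# Constructed request in the shape radiobutton.php sends: Basic auth for the
# SBR administrator plus a form-encoded body. The XML line stands in for the
# envelope, whose full format is not shown on the page.
SAMPLE_REQUEST = (
    b"POST /scs/request/ HTTP/1.1\r\n"
    b"Authorization: Basic " + base64.b64encode(b"root:example-password") + b"\r\n"
    b"Host: 10.10.10.102:1813\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"<attribute name='Framed-IP-Address' value='10.10.10.51'/>"
)
SAMPLE_LOG = sbr_dump_lines(SAMPLE_REQUEST)

if __name__ == "__main__":
    rebuilt = reassemble_request(SAMPLE_LOG)
    print(rebuilt == SAMPLE_REQUEST, basic_auth_identity(rebuilt))
```

Whichever administrator the getfromssr routine authenticates as, that account's password can be read back out of this log, so the log file needs the same access controls as the credential itself.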