SDX-300 Software
for Juniper Networks® Routing Platforms
Integration Guide
Release 6.0.x
Juniper Networks®, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 162-01048-00, Revision A00
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are
registered trademarks of Juniper Networks, Inc. in the United States and other countries.
This product includes the following software: Fontconfig, X FreeType library, X Render extension headers, and X Render extension library, copyright © 2001,
2003 Keith Packard.
Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the
name of Keith Packard not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Keith
Packard makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
KEITH PACKARD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL KEITH PACKARD BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following are trademarks of Juniper Networks, Inc.: ERX, ESP, E-series, Instant Virtual Extranet, Internet Processor, J2300, J4300, J6300, J-Protect,
J-series, J-Web, JUNOS, JUNOScope, JUNOScript, JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320, M-series, MMD, NetScreen-5GT,
NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400,
NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA 1000 Series,
NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security
Manager, NMC-RX, SDX, Stateful Signature, T320, T640, and T-series. All other trademarks, service marks, registered trademarks, or registered service
marks are the property of their respective owners. All specifications are subject to change without notice.
Products made or sold by Juniper Networks (including the ERX-310, ERX-705, ERX-710, ERX-1410, ERX-1440, M5, M7i, M10, M10i, M20, M40, M40e,
M160, M320, and T320 routers, T640 routing node, and the JUNOS, JUNOSe, and SDX-300 software) or components thereof might be covered by one or
more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650,
6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Copyright © 2005, Juniper Networks, Inc.
All rights reserved. Printed in USA.
SDX-300 Software for Juniper Networks® Routing Platforms Integration Guide, Release 6.0.x
Writing: Helen Shaw, Brian Wesley Simmons, Michael Taillon
Editing: Fran Mues
Illustration: Nathaniel Woodward
Cover Design: Edmonds Design
Revision History
24 February 2005—Revision 1
The information in this document is current as of the date listed in the revision history.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer or
otherwise revise this publication without notice.
Software License
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the
extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you
indicate that you understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain
uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.
End User License Agreement
READ THIS END USER LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY
DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU
(AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND
BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE
SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are Juniper Networks, Inc. and its subsidiaries (collectively "Juniper"), and the person or organization that
originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software ("Customer") (collectively, the "Parties").
2. The Software. In this Agreement, "Software" means the program modules and features of the Juniper or Juniper-supplied software, and updates and
releases of such software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use the Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an
authorized Juniper reseller, unless the applicable Juniper documentation expressly permits installation on non-Juniper equipment.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees.
c. Other Juniper documentation for the Software (such as product purchase documents, documents accompanying the product, the Software user
manual(s), Juniper's website for the Software, or messages displayed by the Software) may specify limits to Customer's use of the Software. Such limits may
restrict use to a maximum number of seats, concurrent users, sessions, subscribers, nodes, or transactions, or require the purchase of separate licenses to
use particular features, functionalities, or capabilities, or provide temporal or geographical limits. Customer's use of the Software shall be subject to all such
limitations and purchase of all applicable licenses.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not:
(a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary
for backup purposes); (c) rent, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary
notices, labels, or marks on or in any copy of the Software; (e) distribute any copy of the Software to any third party, including as may be embedded in
Juniper equipment sold in the secondhand market; (f) use any 'locked' or key-restricted feature, function, or capability without first purchasing the
applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, or capability is enabled without a key; (g) distribute any key for
the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer
from Juniper or an authorized Juniper reseller; (i) use the Software on non-Juniper equipment where the Juniper documentation does not expressly permit
installation on non-Juniper equipment; (j) use the Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase
from Juniper or an authorized Juniper reseller; or (k) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software.
7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the
Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. If the Software is distributed on physical media (such as CD), Juniper warrants for 90 days
from delivery that the media on which the Software is delivered will be free of defects in material and workmanship under normal use. This limited
warranty extends only to the Customer. Except as may be expressly provided in separate documentation from Juniper, no other warranties apply to the
Software, and the Software is otherwise provided AS IS. Customer assumes all risks arising from use of the Software. Customer's sole remedy and Juniper's
entire liability under this limited warranty is that Juniper, at its option, will repair or replace the media containing the Software, or provide a refund,
provided that Customer makes a proper warranty claim to Juniper, in writing, within the warranty period. Nothing in this Agreement shall give rise to any
obligation to support the Software. Any such support shall be governed by a separate, written agreement. To the maximum extent permitted by law, Juniper
shall not be liable for any liability for lost profits, loss of data or costs or procurement of substitute goods or services, or for any special, indirect, or
consequential damages arising out of this Agreement, the Software, or any Juniper or Juniper-supplied software. In no event shall Juniper be liable for
damages arising from unauthorized or improper use of any Juniper or Juniper-supplied software.
EXCEPT AS EXPRESSLY PROVIDED HEREIN OR IN SEPARATE DOCUMENTATION PROVIDED FROM JUNIPER AND TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR
INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's
possession or control.
10. Taxes. All license fees for the Software are exclusive of taxes, withholdings, duties, or levies (collectively "Taxes"). Customer shall be responsible for
paying Taxes arising from the purchase of the license, or importation or use of the Software.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to you may contain encryption or
other capabilities restricting your ability to export the Software without an export license.
12. Commercial Computer Software. The Software is "commercial computer software" and is provided with restricted rights. Use, duplication, or
disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4,
FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. For any
disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts
within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the
Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms
contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall
govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights
hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties
agree that such invalidity shall not affect the validity of the remainder of this Agreement.
If you have any questions about this agreement, contact Juniper Networks at the following address:
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Attn: Contracts Administrator
Table of Contents
About This Guide xi
Objectives ....................................................................................................... xi
Audience......................................................................................................... xi
Documentation Conventions.......................................................................... xii
Related Juniper Networks Documentation..................................................... xiii
Obtaining Documentation............................................................................. xiv
Documentation Feedback ............................................................................. xiv
Requesting Support....................................................................................... xiv
Part 1 Routers
Chapter 1 Integrating JUNOSe Routers 3
Overview ......................................................................................................... 3
Integration Tasks ............................................................................................. 3
Configuring the SAE to Manage JUNOSe Routers ....................................... 4
Configuring the JUNOSe Router to Interact with the SAE ........................... 4
Configuring the SNMP Server on the JUNOSe Router .......................... 4
Starting the SDX Client on the JUNOSe Router .................................... 5
Stopping the SDX Client on the JUNOSe Router .................................. 5
Adding JUNOSe Routers to the Directory ................................................... 5
Disabling Interactions Between the SAE and the JUNOSe Router ..................... 5
Monitoring Interactions Between the SAE and the JUNOSe Router................... 6
Troubleshooting ............................................................................................... 6
Chapter 2 Integrating JUNOS Routing Platforms 7
Overview ......................................................................................................... 7
Integration Tasks ............................................................................................. 8
Configuring the SAE to Manage JUNOS Routing Platforms.........................8
Configuring the JUNOS Routing Platforms to Interact with the SAE ........... 8
Configuring the JUNOS Routing Platform to Apply Changes It Receives from the SAE ......................... 9
Adding JUNOS Routing Platforms to the Directory..................................... 9
Disabling Interactions Between the SAE and the JUNOS Routing Platform ..... 10
Monitoring Interactions Between the SAE and the JUNOS Routing Platform .. 10
Troubleshooting ............................................................................................. 11
Troubleshooting Problems with the SDX Software Process...................... 11
Troubleshooting Problems with Interfaces............................................... 11
Troubleshooting Problems with Services ................................................. 13
Deleting All Interface Sessions and Services ............................................ 16
Table of Contents ! v
SDX 6.0.x Integration Guide
Part 2 Directories
Chapter 3 Mapping Object Model to LDAP Schema 19
LDAP Overview..............................................................................................19
Mapping the Object Model to LDAP Schema .................................................. 20
LDAP Schema Files ........................................................................................ 20
Object Classes................................................................................................ 20
Object Class Tables.................................................................................. 21
Object Representing Folders.................................................................... 21
Subscriber Objects................................................................................... 21
Service Template Objects ........................................................................ 22
Subscription Profile Objects..................................................................... 22
Policy Objects.......................................................................................... 23
Network-Device Objects .......................................................................... 23
Workflow and OSM Schema Elements ....................................................23
Configuration and System Management .................................................. 23
Attribute Types ..............................................................................................24
Structure Rules............................................................................................... 24
Content Rules................................................................................................. 33
Content Rules Table................................................................................. 34
Name Forms .................................................................................................. 34
Chapter 4 Integrating Sun ONE Directory Server 35
Overview ....................................................................................................... 35
About the Sun ONE Add-On Package....................................................... 36
LDAP Directory Instance ................................................................... 36
uid-uniqueness Plug-in ...................................................................... 36
Password Storage Scheme ................................................................ 36
Schema Extension............................................................................. 36
Database Settings.............................................................................. 37
SDX Skeleton .................................................................................... 37
Access Control .................................................................................. 37
Loading Sample Database .................................................................37
Sun ONE Directory Server Tasks .................................................................... 37
Obtaining the Sun ONE Directory Server Software......................................... 38
Installing the UMCiDSa Add-On Package........................................................ 38
Configuring Sun ONE Directory Server Instance ............................................ 39
Starting, Stopping, and Restarting Sun ONE Directory Server ........................ 40
Chapter 5 Integrating the DirX Directory Server 41
Overview ....................................................................................................... 41
About the DirX Add-On Package.............................................................. 42
LDAP Directory Instance ................................................................... 42
Schema Extension and Database Settings ......................................... 42
Directory Tree Structure.................................................................... 42
Access Control .................................................................................. 42
SDX Skeleton .................................................................................... 43
Loading Sample Database .................................................................43
Obtaining the DirX Directory Server Software................................................ 43
Preparing to Install the DirX Directory Server ................................................ 43
Creating a New Directory User ................................................................ 43
Installing the DirX Directory Server................................................................ 44
Installing the UMCdirxa Add-On Package ....................................................... 45
Configuring the DirX Directory Server............................................................ 46
Uninstalling DirX Directory Server .................................................................46
Starting and Stopping the DirX Directory Server ............................................ 47
dirx user Environment............................................................................. 47
Superuser Environment ........................................................................... 48
Chapter 6 Data Integration 49
Overview ....................................................................................................... 49
Getting Help with Data Integration.................................................................51
Installing the Data Integration Suite ............................................................... 52
Planning Data Integration .............................................................................. 52
Developing Data Integrators........................................................................... 52
Configuring Data Integrators .......................................................................... 53
Defining Logging Properties..................................................................... 53
Defining Properties for the Individual Processors .................................... 53
Database Reader ............................................................................... 54
LDAP Reader..................................................................................... 55
XML File Reader................................................................................ 56
Enterprise Audit File Reader.............................................................. 56
XML File Writer................................................................................. 57
XSLT Translator ................................................................................ 57
LDAP Writer...................................................................................... 58
Defining the Order of Processors............................................................. 58
Executing Data Integration............................................................................. 58
Examples of Data Integrators......................................................................... 59
VPN Directory Updater ............................................................................ 59
VPN Subscription Deactivator.................................................................. 61
Chapter 7 Backing Up the Directory 63
Backing Up the OpenLDAP Database ............................................................. 63
Restoring the OpenLDAP Database ................................................................ 64
Backing Up the DirX Database ....................................................................... 64
Restoring the DirX Directory Database .......................................................... 65
Backing Up the Sun ONE Database ................................................................ 65
Restoring the Sun ONE Database ................................................................... 65
Chapter 8 Access Control Scheme 67
Directory Configuration.................................................................................. 67
Directories ..................................................................................................... 68
User Class ...................................................................................................... 68
Permissions ................................................................................................... 68
Access Controls..............................................................................................69
Access Controls for the Entire Tree.......................................................... 69
Access Controls Against Objects from Type cachedAuthentication Profile and UmcConfiguration ........................ 70
Access Controls Against sspServiceProfile ............................................... 70
Access Controls Against umcRadius Person and umcUser ...................... 71
Access Controls Against RADIUS Profiles................................................. 71
Access Controls Against the Policy Subtree.............................................. 72
Access Controls Against the Parameter Subtree....................................... 72
Access Controls for System Management ................................................ 73
Access Controls Against the Lock Subtree................................................ 73
Access Controls Against Subscriber, Retailer, and Service Profiles........... 74
Access Controls Against the Network Subtree.......................................... 74
Access Controls Against Services and Mutex Group Objects .................... 75
Access Controls Against the Workflow Subtree........................................ 75
Access Controls Against the User Subtree ................................................ 76
Access Controls Against Service, Policy, and Global Parameter Objects... 76
Administrative Access Rights................................................................... 76
Activation Access Rights .......................................................................... 77
Subscription Access Rights ...................................................................... 77
Substitution Access Rights ....................................................................... 78
Common Access Rights for All Managers................................................. 78
Directory-Specific Access Control Implementation......................................... 79
DirX......................................................................................................... 79
OpenLDAP............................................................................................... 80
Netscape / iPlanet Directory Server ......................................................... 81
Assigning Operators to an Operator Group ....................................... 83
Deleting Operators from an Operator Group ..................................... 83
Part 3 RADIUS Servers
Chapter 9 Integrating Steel-Belted Radius/SPE 87
System Requirements .................................................................................... 88
Installing the Software ................................................................................... 88
First-Time Installations ............................................................................ 88
Previous Installations............................................................................... 89
Initial Configuration ....................................................................................... 90
Configuring UDP Ports ................................................................................... 91
Starting and Stopping the RADIUS Server ...................................................... 92
Extending Dictionary Files with JUNOSe Parameters ..................................... 92
Configuring LDAP Authentication................................................................... 94
[Bootstrap] Section .................................................................................. 95
[Settings] Section..................................................................................... 95
[Server] Section ....................................................................................... 96
[Server/serverName] Section ................................................................... 97
[Search/name] Section............................................................................. 97
[Attribute/name] Section ......................................................................... 98
[Request] Section...................................................................................100
[Response] Section ................................................................................100
Directed Authentication ...............................................................................101
Configuration Example ..........................................................................102
Customizing the Authentication Log File ......................................................103
RADIUS Client/Server Configuration.............................................................103
RADIUS Server Configuration ................................................................103
RADIUS Client Configuration .................................................................104
Administration User Interface................................................................104
Chapter 10 Integrating Merit RADIUS 109
System Requirements ..................................................................................110
Installing Merit AAA .....................................................................................110
LDAP Features .............................................................................................110
Configuring UDP Ports .................................................................................111
Starting and Stopping the RADIUS Server ....................................................112
Extending Dictionary Files with JUNOSe Parameters ...................................113
Configuring LDAP Authentication.................................................................115
Merit AAA Configuration........................................................................116
Configuring RADIUS Profiles with the LDAP Directory...........................118
Accounting Log File Format .........................................................................119
RADIUS Client/Server Configuration.............................................................120
RADIUS Server Configuration ................................................................120
RADIUS Client Configuration .................................................................120
Testing the Merit AAA Server .......................................................................121
Chapter 11 Integrating RAD-Series RADIUS Server 123
System Requirements ..................................................................................124
Installing the RAD-Series RADIUS Server......................................................124
LDAP Features .............................................................................................125
Configuring UDP Ports .................................................................................126
Starting and Stopping RAD-Series Server Manager.......................................126
Changing the UDP Ports ........................................................................128
Extending Dictionary Files with JUNOSe Parameters ...................................128
Configuring LDAP Authentication.................................................................131
RAD-Series Server Manager Configuration.............................................131
Configuring Realm Administration ........................................................135
Configuring LDAP Settings.....................................................................136
Configuration of RADIUS Profiles with the LDAP Directory....................136
Accounting Log File Format .........................................................................137
RADIUS Client/Server Configuration.............................................................138
RADIUS Server Configuration ................................................................138
RADIUS Client Configuration .................................................................139
Testing the RAD-Series RADIUS Server ........................................................140
Chapter 12 RADIUS Authorization and Accounting and Flat File Accounting 141
RADIUS Authorization..................................................................................141
RADIUS Accounting .....................................................................................141
Flat File Accounting......................................................................................144
Index 145
SDX 6.0.x Integration Guide
About This Guide
This preface provides the following guidelines for using the SDX-300 Software for
Juniper Networks Routing Platforms Integration Guide:
• Objectives on page xi
• Audience on page xi
• Documentation Conventions on page xii
• Related Juniper Networks Documentation on page xiii
• Obtaining Documentation on page xiv
• Documentation Feedback on page xiv
• Requesting Support on page xiv
Objectives
This guide describes how to integrate JUNOSe routers and the JUNOS routing
platform with SDX. It also discusses how to integrate SDX with a Lightweight
Directory Access Protocol (LDAP) directory server and a RADIUS AAA solution.
NOTE: If the information in the latest SDX Release Notes differs from the
information in this guide, follow the SDX Release Notes.
The SDX-300 software is the current implementation of the Service Deployment
System software. We refer to the product throughout the documentation simply as
the SDX software.
Audience
This guide is intended for experienced system and network specialists working with
JUNOSe routers and JUNOS routing platforms in an Internet access environment.
We assume that readers are familiar with Lightweight Directory Access Protocol
(LDAP) and the UNIX operating system. We also assume that readers know how to
use the routing platforms, directories, and RADIUS servers that they will deploy in
their SDX networks.
Documentation Conventions
The sample screens used throughout this guide are representations of the screens
you will see when you install and configure the SDX software. The actual screens
may differ.
For convenience and clarity, the installation and configuration examples show
default file paths. If you do not accept the installation defaults, your paths will vary
from the examples.
Table 1 defines notice icons used in this guide. Table 2 defines text conventions
used throughout the documentation.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury.
Table 2: Text Conventions
Bold typeface
  Description: Represents commands, keywords, scripts, options, and tools in text.
  Examples:
  • Use the pkgadd tool.
  • Specify the keyword exp-msg.
  • Run the install.sh script with the -unconfig option.
Bold sans serif typeface
  Description: Represents text that the user must type.
  Example: user input
Plain sans serif typeface
  Description: Represents information as displayed on your terminal's screen.
  Example:
  struct DirectoryAccessInfo {
    sequence ldapHost;
    string baseDN;
  };
Angle brackets
  Description: Indicate variables.
  Example: Another run-time variable is .
Key name
  Description: Indicates the name of a key on the keyboard.
  Example: Press Enter.
Key names linked with a plus sign (+)
  Description: Indicates that you must press two or more keys simultaneously.
  Example: Press Ctrl+b.
Italics
  Description and examples:
  • Emphasize words. Example: There are two levels of access: user and privileged.
  • Identify chapter, appendix, and book names. Example: Chapter 2, Services.
  • Identify distinguished names. Example: o=Users, o=umc
  • Identify files, directories, and paths in text but not in command examples. Example: The /etc/default.properties file.
Backslash
  Description: At the end of a line, indicates that the text wraps to the next line.
  Example:
  Plugin.radiusAcct-1.class=\
  net.juniper.smgt.sae.plugin\
  RadiusTrackingPluginEvent
Words separated by the | symbol
  Description: Represent a choice to select one keyword or variable to the left or right of this symbol. (The keyword or variable may be either optional or required.)
  Example: diagnostic | line
Related Juniper Networks Documentation
With each SDX-300 software release, we provide the SDX-300 Documentation CD
(referred to as the SDX documentation CD), which contains the documentation
described in Table 3.
With each SDX Application Library release, we provide the SDX Application Library
CD (referred to as the application library CD). This CD contains both the software
applications and the SDX Application Library Guide.
A complete list of abbreviations used in this document set, along with their
spelled-out terms, is provided in the SDX Software Basics Guide.
Table 3: Juniper Networks SDX Technical Publications
SDX Software Basics Guide
  Provides an overview of the SDX software, the installation procedures for the SDX software, and high-level instructions for SDX implementations. The guide also describes how to use the SDX configuration tools, and includes reference material for the SDX documentation.
SDX Components Guide, Vol. 1
  Describes how to use the SAE, the License Manager, and the SNMP agent. For each SDX component, the guide provides an overview, installation details, configuration procedures, management information, and, if appropriate, API information. This guide also covers logging utilities and directory events for SDX components.
SDX Components Guide, Vol. 2
  Describes how to use the residential portal, the enterprise portals, and the NIC. For each SDX component, the guide provides an overview, installation details, configuration procedures, management information, and, if appropriate, API information.
SDX Integration Guide
  Describes how to integrate external components—routers, directories, and RADIUS servers—into the SDX network. The guide provides detailed information for integrating specific models of the external components, such as JUNOSe routers and JUNOS routing platforms.
SDX Objects Guide
  Describes how to work with SDX objects such as subscribers, services, subscriptions, and policies. For each type of object, the guide provides an overview, information about creating the object, and information about managing the object. The guide also provides information about the SDX tools for configuring policies.
SDX Comprehensive Index
  Provides a complete index of all SDX software books.
Application Library
SDX Application Library Guide
  Describes how to install and work with the SDX gateway Web applications, the Workflow application, the Admission Control Plug-In, the volume-tracking applications, and the prepaid services demonstration application.
Release Notes
SDX Release Notes
SDX Application Library Release Notes
  In the Release Notes, you will find the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notes differs from the information found in the documentation set, follow the Release Notes.
  Release notes are included on the corresponding software CD and are available on the Web.
Obtaining Documentation
To obtain the most current version of all Juniper Networks technical documentation,
see the products documentation page on the Juniper Networks Web site at
http://www.juniper.net.
To order printed copies of this manual and other Juniper Networks technical
documents, or to order a documentation CD, which contains this manual, contact
your sales representative.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation to better meet your needs. You can send your
comments to techpubs-comments@juniper.net, or fill out the documentation
feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If
you are using e-mail, be sure to include the following information with your
comments:
• Document name
• Document part number
• Page number
• Software release version
Requesting Support
For technical support, open a support case using the Case Manager link at
http://www.juniper.net/support or call 1-888-314-JTAC (within the United States) or
1-408-745-9500 (outside the United States).
Part 1
Routers
Chapter 1
Integrating JUNOSe Routers
This chapter describes how to integrate the JUNOSe router into the SDX network,
how to monitor the interactions between the SAE and the JUNOSe router, and how
to troubleshoot SDX problems on the router. This chapter contains the following
sections:
• Overview on page 3
• Integration Tasks on page 3
• Disabling Interactions Between the SAE and the JUNOSe Router on page 5
• Monitoring Interactions Between the SAE and the JUNOSe Router on page 6
• Troubleshooting on page 6
Overview
All SDX releases support operation of the SDX software on JUNOSe routers. For
information about which JUNOSe releases a particular SDX release supports, refer
to the SDX Release Notes.
Configuring the SDX client on a JUNOSe router opens a Common Open Policy
Service usage for policy provisioning (COPS-PR) protocol layer connection to the
SAE. When the SDX client software establishes a TCP/IP connection to the SAE, the
SAE starts to manage the JUNOSe router. Subsequently, the SDX client sends
configuration changes made on the JUNOSe router to the SAE, and the SAE updates
SDX configurations for services and policies accordingly.
Integration Tasks
To integrate the JUNOSe router into the SDX network, you must:
1. Configure the SAE to manage the JUNOSe router.
2. Configure the JUNOSe router to interact with the SAE.
3. Add the JUNOSe router and its virtual routers to the directory.
Configuring the SAE to Manage JUNOSe Routers
To configure the SAE to manage a JUNOSe router, you must install the SDX software
and configure the SAE to interact with the JUNOSe router. For information about
these tasks see the SDX Software Basics Guide and SDX Components Guide, Vol. 1,
Chapter 2, Configuring the SAE.
Configuring the JUNOSe Router to Interact with the SAE
You should be familiar with the CLI for the JUNOSe router. The JUNOSe router
employs an SDX client to interact with the SAE. See JUNOSe Broadband Access
Configuration Guide and JUNOSe Command Reference Guide for complete information
about configuring the SDX client on the JUNOSe router. To begin configuration of
the SDX client on the JUNOSe router, Telnet to the router and access Global
Configuration mode:
host1#configure terminal
Configuring the SNMP Server on the JUNOSe Router
The various scripts in the SDX software use SNMP to get the information they need.
For example, the staticRoute script uses SNMP to install the route for the virtual IP
address, and the poolPublisher script uses SNMP to read the IP pools.
Access to the SNMP server by an SNMP client is governed by a proprietary SNMP
community table that identifies those communities that have read-only, read-write,
or administrative permission to the SNMP MIB stored on a particular server.
When an SNMP server receives a request, the server extracts the client’s IP address
and the community name. The SNMP community table is searched for a matching
community. If a match is found, its access list name is used to validate the IP
address. If the access list name is null, the IP address is accepted. A nonmatching
community or an invalid IP address results in an SNMP authentication error.
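The lookup just described (community match, then access-list check on the client IP, with a null access list accepting any address) as an added example that models it in Python; this is not code from the guide or the router, and the community table, access lists, addresses and function names are constructed for illustration.

```python
"""Model of the JUNOSe SNMP community table lookup described above.

Added example, not code from the Juniper guide or the router: the
community table, access lists and client addresses are constructed
sample data, and the function names are hypothetical.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed access lists: access list name -> permitted client prefixes.
ACCESS_LISTS: Dict[str, List[str]] = {
    "sae-hosts": ["192.0.2.0/24"],
}

# Constructed community table: community -> (permission, access list name).
# An access list name of None is the "null access list" case from the
# guide: any client IP is accepted for that community.
COMMUNITY_TABLE: Dict[str, Tuple[str, Optional[str]]] = {
    "boston": ("rw", "sae-hosts"),
    "public": ("ro", None),
}


def lookup_snmp_access(
    community: str,
    client_ip: str,
    table: Dict[str, Tuple[str, Optional[str]]] = COMMUNITY_TABLE,
    acls: Dict[str, List[str]] = ACCESS_LISTS,
) -> Optional[str]:
    """Return the permission ('ro', 'rw' or 'admin') granted to a request,
    or None where the router would report an SNMP authentication error."""
    entry = table.get(community)
    if entry is None:
        return None                      # nonmatching community
    permission, acl_name = entry
    if acl_name is None:
        return permission                # null access list: IP accepted as-is
    addr = ip_address(client_ip)
    if any(addr in ip_network(prefix) for prefix in acls.get(acl_name, [])):
        return permission
    return None                          # IP not permitted by the access list


def unrestricted_write_communities(
    table: Dict[str, Tuple[str, Optional[str]]] = COMMUNITY_TABLE,
) -> List[str]:
    """Audit helper: communities that grant rw or admin access to any client
    because their access list is null. Worth reviewing, since the community
    string is the only credential an SNMPv1/v2c client presents."""
    return sorted(
        name for name, (perm, acl) in table.items()
        if perm in ("rw", "admin") and acl is None
    )


if __name__ == "__main__":
    print(lookup_snmp_access("boston", "192.0.2.10"))     # rw
    print(lookup_snmp_access("boston", "198.51.100.7"))   # None
    print(unrestricted_write_communities())               # []
```

The audit helper is the check to run against your own community table after step 3 below: a read-write community with no access list relies on the community string alone.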
To configure the SNMP agent:
1. Switch to the virtual router for which you want to create an SDX client.
host1(config)#virtual-router
2. Enable the SNMP agent.
host1:(config)#snmp-server
3. Configure at least one authorized SNMP read-write community (SNMPv1/v2c),
which provides SNMP client access.
host1:(config)#snmp-server community boston rw
4. (Optional) Configure a read-only community.
host1:(config)#snmp-server community public ro
On the SAE side, you use SDX Admin to configure the community string(s) for
individual VRs where an SNMP server has been configured. The community
string(s) are stored in the directory for that VR under o=umc, o=Network,
orderedCimKeys=. If a VR does not exist on the JUNOSe router or
the community strings have not been configured for the VR, then the SAE uses the
default community values configured in the SAE property object:
• Router.read-only.community.string
• Router.read-write.community.string
These global default values are configurable via the Router tab of the SDX
Configuration Editor.
You can optionally configure other settings for the SNMP server on the JUNOSe
router. See the documentation for the JUNOSe router for more information.
Starting the SDX Client on the JUNOSe Router
To start the SDX client:
1. Switch to the virtual router for which you want to create an SDX client.
host1(config)#virtual-router
2. Enable the SDX client.
host1:(config)#sscc enable cops-pr
3. Set the primary address from the configuration directory.
host1:(config)#sscc primary address port 3288
Stopping the SDX Client on the JUNOSe Router
To stop the SDX client:
host1:(config)#no sscc enable
Adding JUNOSe Routers to the Directory
You must add each JUNOSe router that the SAE manages to the directory. For
information about this procedure, see SDX Objects Guide, Chapter 4, Managing
Routers and Virtual Routers.
Disabling Interactions Between the SAE and the JUNOSe Router
To disable interactions between the SAE and the JUNOSe router, disable the SDX
client on the router.
host1:(config)#no sscc enable
Monitoring Interactions Between the SAE and the JUNOSe Router
Use the show sscc info command on the JUNOSe router to monitor the connection
between the router and the SAE. The show sscc version command displays the
version number of the SDX client. See the JUNOSe Command Reference Guide for
details on these commands.
You can also monitor the interactions between the SDX software and the router in
the log files for the SAE and in the log files generated by the JUNOSe router. For
information about configuring logging for the SAE, see SDX Components Guide, Vol.
1, Chapter 11, Configuring Logging. For information about configuring logging on
JUNOSe routers, see JUNOSe System Basics Configuration Guide.
Troubleshooting
To troubleshoot SDX problems on the router:
1. Check the log files for the SAE and the log files generated by the SDX client on
the JUNOSe router.
• If the log files indicate a problem with specific interfaces on the router,
check the configuration of the associated policies in the SDX software, and
fix any errors.
• If the log files indicate a problem with a specific service or its associated
policy rules, check the configuration of the service or policies in the SDX
software, and fix any errors.
• If the log files indicate only that the SDX client is not responding, check
that the values in the SAE configuration match the values in the SDX client
configuration on the router.
2. Restart the SDX client on the JUNOSe router.
When you restart the SDX client, the SDX client removes all policies that were
installed by the SDX software and reports all interfaces again.
NOTE: DHCP addresses that were managed are not reported again, so we
recommend that you do not restart the SDX client if you are managing DHCP
sessions.
To restart the SDX client, enter the following commands:
host1:(config)#no sscc enable
host1:(config)#sscc enable
If restarting the SDX client does not resolve the problem, you should rebuild the
router configuration and restart the client.
Chapter 2
Integrating JUNOS Routing Platforms
This chapter describes how to integrate the JUNOS routing platform into the SDX
network, how to monitor the interactions between the SAE and the JUNOS routing
platform, and how to troubleshoot SDX problems on the JUNOS routing platform.
This chapter contains the following sections:
• Overview on page 7
• Integration Tasks on page 8
• Disabling Interactions Between the SAE and the JUNOS Routing Platform on
page 10
• Monitoring Interactions Between the SAE and the JUNOS Routing Platform on
page 10
• Troubleshooting on page 11
Overview
For information about which JUNOS routing platforms and releases a particular SDX
release supports, refer to the SDX Release Notes.
The SAE interacts with a JUNOS software process, referred to as the SDX software
process in this documentation, on the JUNOS routing platform. The SAE and the
SDX software process communicate using the Blocks Extensible Exchange Protocol
(BEEP).
When the SDX software process establishes a BEEP session for the SAE, the SAE
configures an interface on the JUNOS routing platform. The SAE builds the
configuration for an interface using the policies stored in the directory. If the
policies are subsequently modified, the SAE builds a new configuration and
reconfigures the interface on the JUNOS routing platform. The JUNOS routing
platform stores data about interfaces and services that the SAE manages in a
configuration group called sdx. You must create this configuration group on the
JUNOS routing platform. Similarly, the JUNOS routing platform stores data about
subscriber sessions, service sessions, and interface sessions in another
configuration group called sdx-sessions; however, the SAE automatically creates this
group on the JUNOS routing platform.
Integration Tasks
To integrate the JUNOS routing platform into the SDX network, you must:
1. Configure the SAE to manage the JUNOS routing platform.
2. Configure the JUNOS routing platform to interact with the SAE.
3. Configure the JUNOS routing platform to apply changes that it receives from the
SAE.
4. Add the JUNOS routing platform and an associated VR called default to the
directory.
Configuring the SAE to Manage JUNOS Routing Platforms
To configure the SAE to manage the JUNOS routing platform, you must install the
SDX software and configure the SAE to interact with the JUNOS routing platform.
For information about these tasks see SDX Components Guide, Vol. 1, Chapter 2,
Configuring the SAE.
Configuring the JUNOS Routing Platforms to Interact with the SAE
To configure the JUNOS routing platform to interact with the SAE, include the
following statements at the [edit system services service-deployment] hierarchy level.
[edit system services service-deployment]
servers server-address {
port port-number;
}
source-address source-address;
Use the following guidelines for the variables in these statements.
server-address
• Specifies the IP address of the host on which you install the SAE.
• Value—IP address
• Guidelines—Be sure this setting matches the corresponding value in the SAE
configuration.
• Default—None
• Example—192.0.2.2
port-number
• Specifies the port number for the SAE; this setting must match the value in the
SAE configuration.
• Value—TCP port number
• Guidelines—Be sure this setting matches the corresponding value in the SAE
configuration.
• Default—3333
• Example—3333
source-address
• Specifies the IP address of the source that sends traffic to the SAE.
• Value—IP address
• Guidelines—This setting is optional.
• Default—None
• Example—192.0.2.2
For complete information about configuring the JUNOS routing platform, see the
JUNOS Internet Software documentation.
Configuring the JUNOS Routing Platform to Apply Changes It Receives from the SAE
To configure the JUNOS routing platform to receive configuration statements from
the SAE and apply those statements to the configuration:
1. Create a configuration group called sdx that contains the configuration
statements that the SAE sends to the JUNOS routing platform. To do so, include
the groups statement at the [edit] level and specify the name sdx:
[edit]
groups {
sdx;
}
2. Configure the JUNOS routing platforms to apply these statements to the
configuration. To do so, include the apply-groups statement at the [edit] level:
[edit]
apply-groups sdx;
Adding JUNOS Routing Platforms to the Directory
You must add each JUNOS routing platform that the SAE manages to the directory.
For information about this procedure, see SDX Objects Guide, Chapter 4, Managing
Routers and Virtual Routers.
Disabling Interactions Between the SAE and the JUNOS Routing Platform
To disable the SDX software process, enter the following command.
root@ui1#set system processes service-deployment disable
root@ui1#commit
When you disable the SDX software process, it is still available on the JUNOS
routing platform.
To reenable the SDX software process, enter the following command.
root@ui1#delete system processes service-deployment disable
root@ui1#commit
The SDX software process attempts to reconnect the JUNOS routing platform to the
SAE.
Monitoring Interactions Between the SAE and the JUNOS Routing Platform
Use the following command on the JUNOS routing platform to monitor the
connection between the JUNOS routing platform and the SAE.
root@ui1> show system services service-deployment
Connected to 172.17.20.151 port 3333 since 2004-02-06 14:50:31 PST
Keepalive settings: Interval 15 seconds
Keepalives sent: 100, Last sent: 6 seconds ago
Notifications sent: 0
Last update from peer: 00:00:06 ago
You can also monitor the interactions between the SDX software and the JUNOS
routing platform in the log files for the SAE and in the log files generated by the SDX
software process on the JUNOS routing platform. For information about configuring
logging for the SAE, see SDX Components Guide, Vol. 1, Chapter 11, Configuring
Logging. For information about configuring logging on JUNOS routing platforms, see
JUNOS System Basics Configuration Guide.
Troubleshooting
To troubleshoot SDX problems on the JUNOS routing platform, check the log files
for the SAE and the log files generated by the SDX software process on the JUNOS
routing platform.
• If the log files indicate that the SDX software process is not responding, see
Troubleshooting Problems with the SDX Software Process on page 11.
• If the log files indicate a problem with a specific interface on the JUNOS routing
platform, see Troubleshooting Problems with Interfaces on page 11.
• If the log files indicate a problem with a specific service or its associated
firewall rules, see Troubleshooting Problems with Services on page 13.
Troubleshooting Problems with the SDX Software Process
If the log files indicate that the SDX software process is not responding:
1. Check the status of the process on the JUNOS routing platform.
root@ui1>show system services service-deployment
Connected to 172.17.20.151 port 3333 since 2004-02-06 14:50:31 PST
Keepalive settings: Interval 15 seconds
Keepalives sent: 100, Last sent: 6 seconds ago
Notifications sent: 0
Last update from peer: 00:00:06 ago
2. If you see the message “error: the service-deployment subsystem is not
running,” reenable the SDX software process (see Disabling Interactions
Between the SAE and the JUNOS Routing Platform on page 10).
3. If the process is already enabled, check the configurations of the router and the
SAE in the directory, and fix any problems.
4. Restart the SDX software process on the JUNOS routing platform.
root@ui1>restart service-deployment
root@ui1#commit
The SAE synchronizes with the SDX software process and deletes unnecessary
data on the JUNOS routing platform.
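The monitoring command output shown earlier and steps 1 and 2 above can be checked programmatically. The following added example (not code from the guide or from JUNOS) parses the output of show system services service-deployment, including the "subsystem is not running" message, and maps the result onto the troubleshooting steps; the staleness threshold, the stale sample and the function names are assumptions.

```python
"""Parser for the output of 'show system services service-deployment'.

Added example, not code from the Juniper guide or JUNOS: the field names
come from the output printed in the guide, the staleness threshold is an
assumption, and SAMPLE_STALE is a constructed variant of that output.
"""
import re
from dataclasses import dataclass
from typing import Optional

NOT_RUNNING_MSG = "error: the service-deployment subsystem is not running"

# Sample output as printed in the guide (healthy session).
SAMPLE_HEALTHY = """\
Connected to 172.17.20.151 port 3333 since 2004-02-06 14:50:31 PST
Keepalive settings: Interval 15 seconds
Keepalives sent: 100, Last sent: 6 seconds ago
Notifications sent: 0
Last update from peer: 00:00:06 ago
"""

# Constructed sample: same session, but the peer has gone quiet.
SAMPLE_STALE = SAMPLE_HEALTHY.replace("00:00:06 ago", "00:05:12 ago")


@dataclass
class ServiceDeploymentState:
    running: bool
    peer: Optional[str] = None
    port: Optional[int] = None
    keepalive_interval: Optional[int] = None   # seconds
    last_update_age: Optional[int] = None      # seconds since last peer update

    def is_stale(self, missed_keepalives: int = 2) -> bool:
        """Assumption: a peer silent for more than `missed_keepalives`
        keepalive intervals is treated as unresponsive."""
        if self.keepalive_interval is None or self.last_update_age is None:
            return False
        return self.last_update_age > missed_keepalives * self.keepalive_interval


def parse_service_deployment(output: str) -> ServiceDeploymentState:
    """Turn the CLI output into a state object; fields not found stay None."""
    if NOT_RUNNING_MSG in output:
        return ServiceDeploymentState(running=False)
    state = ServiceDeploymentState(running=True)
    m = re.search(r"Connected to (\S+) port (\d+)", output)
    if m:
        state.peer, state.port = m.group(1), int(m.group(2))
    m = re.search(r"Keepalive settings: Interval (\d+) seconds", output)
    if m:
        state.keepalive_interval = int(m.group(1))
    m = re.search(r"Last update from peer: (\d+):(\d+):(\d+) ago", output)
    if m:
        hours, minutes, seconds = (int(x) for x in m.groups())
        state.last_update_age = hours * 3600 + minutes * 60 + seconds
    return state


def next_step(state: ServiceDeploymentState) -> str:
    """Map the parsed state onto the guide's troubleshooting steps."""
    if not state.running:
        return "reenable"                   # step 2: remove the disable statement
    if state.peer is None or state.is_stale():
        return "check-config-and-restart"   # steps 3 and 4
    return "ok"


if __name__ == "__main__":
    for sample in (SAMPLE_HEALTHY, SAMPLE_STALE, NOT_RUNNING_MSG):
        print(next_step(parse_service_deployment(sample)))
```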
Troubleshooting Problems with Interfaces
If the log files indicate a problem with a specific interface or its associated firewall
rules:
1. Use SAE Web Admin to check the configuration of the policies associated with
the interfaces (see SDX Components Guide, Vol. 1, Chapter 3, Starting and
Managing the SAE).
If you find any errors, fix the configuration in the directory, and proceed to Step
4. Otherwise, proceed to Step 2.
2. Check the configuration of interfaces on the JUNOS routing platform.
a. Access the State page in SAE Web Admin and click the Interfaces option.
b. In this page, list all the interfaces or search for a particular interface.
c. When the page displays the interfaces that match your search, click the link
to the interface.
d. Display the corresponding interfaces on the JUNOS routing platform.
root@olive1# show groups sdx interfaces
{
unit {
family inet {
filter {
input SDX_PRIVATE_ID0000000000001092282;
output SDX_PRIVATE_ID0000000000001223352;
}
}
}
}
If you find any errors, fix the configuration in the directory, and proceed to Step 4.
Otherwise, proceed to Step 3.
3. Remove the configuration for this interface from the JUNOS routing platform.
a. Disable the SDX software process.
root@ui1#set system processes service-deployment disable
root@ui1#commit
b. Delete the interfaces on the JUNOS routing platform:
delete groups sdx interfaces
root@ui1#commit
For example, to delete the interface with identifier fe-0/0/0 unit 0, enter
root@ui1#delete groups sdx interfaces unit
root@ui1#commit
c. Reenable the SDX software process.
root@ui1#delete system processes service-deployment disable
root@ui1#commit
4. Restart the SDX software process on the JUNOS routing platform.
root@ui1>restart service-deployment
root@ui1#commit
The SAE reconfigures the interface you deleted on the JUNOS routing platform.
5. Review the log files again.
If the action you took did not fix the problem, return to the last step you
performed, and proceed with this troubleshooting procedure. If you have
performed all the tasks in the troubleshooting procedure and the problem
persists, delete all interface sessions and services on the JUNOS routing
platform (see Deleting All Interface Sessions and Services on page 16).
Troubleshooting Problems with Services
If the log files indicate a problem with a specific service or its associated firewall
rules:
1. Use SAE Web Admin to check the configuration of the service or firewall rule in
the directory (see SDX Components Guide, Vol. 1, Chapter 3, Starting and
Managing the SAE).
If you find any errors, fix the configuration in the directory and proceed to Step
4. Otherwise, proceed to Step 2.
2. Check the configuration of the policies and substitutions associated with the
service or firewall rule in the directory.
If you find any errors, fix the configuration in the directory and proceed to Step
5. Otherwise, proceed to Step 3.
3. Check the configuration of the service on the JUNOS routing platform.
a. Access the State page in the SAE Web Admin (see SDX Components Guide,
Vol. 1, Chapter 3, Starting and Managing the SAE).
b. List all subscribers for the JUNOS routing platform or search for a specific
subscriber that uses this service.
The page displays a list of the subscribers that match your search.
c. Click the link to the subscriber who is using this service.
The page displays sessions and profiles for this subscriber.
d. Scroll to an active service session for this service and observe the
ProvisioningSet field of that session.
e. Locate an identifier that is associated with the service that is causing the
problem.
For example, in the above display, the identifier
SDX_PRIVATE_ID0000000000002075317 is associated with a NAT rule.
f. Check the corresponding configuration on the JUNOS routing platform.
root@olive1# show groups sdx services nat rule SDX_PRIVATE_ID0000000000002075317
match-direction input;
term SDX_PRIVATE_TERM {
from {
source-address {
0.0.0.0/0;
}
destination-address {
0.0.0.0/0;
}
}
then {
translated {
source-pool SDX_PRIVATE_ID0000000000002009780;
translation-type source dynamic;
}
}
}
If you find any errors, fix the configuration in the directory and proceed to
Step 5. Otherwise, proceed to Step 4.
4. Remove the configuration for this service from the JUNOS routing platform.
a. Disable the SDX software process.
root@ui1# set system processes service-deployment disable
root@ui1# commit
b. Delete the service on the JUNOS routing platform:
delete groups sdx services
root@ui1# commit
For example, to delete a firewall filter of the service called firewall with
filterID SDX_PRIVATE_ID0000000000001223352, enter:
root@ui1# delete groups sdx services firewall filter SDX_PRIVATE_ID0000000000001223352
root@ui1# commit
c. Reenable the SDX software process.
root@ui1# delete system processes service-deployment disable
root@ui1# commit
5. Restart the SDX software process on the JUNOS routing platform.
root@ui1> restart service-deployment
root@ui1# commit
The SAE reconfigures the service you deleted on the JUNOS routing platform.
6. Review the log files again.
If the action you took did not fix the problem, return to the last step you
performed, and proceed with this troubleshooting procedure. If you have
performed all the tasks in the troubleshooting procedure and the problem
persists, delete all interface sessions and services on the JUNOS routing
platform (see Deleting All Interface Sessions and Services on page 16).
Deleting All Interface Sessions and Services
If deleting parts of the SDX data on the JUNOS routing platform fails to solve
problems, delete all the SDX data and restart the SDX software process. To do so:
1. Delete all SDX interfaces, services, and interface sessions.
delete groups sdx
delete groups sdx-sessions
root@ui1#commit
2. Restart the SDX software process on the JUNOS routing platform.
root@ui1>restart service-deployment
root@ui1#commit
The SAE reconfigures all the interfaces and services that you deleted on the
JUNOS routing platform.
Part 2
Directories
Chapter 3
Mapping Object Model to LDAP Schema
The Lightweight Directory Access Protocol (LDAP) directory serves the role of a
common object repository holding all information that is shared by the SDX
components, such as the SAE, RADIUS, policy management and others.
This chapter contains the required information for mapping the object model into
the LDAP schema, and contains the following sections:
! LDAP Overview on page 19
! Mapping the Object Model to LDAP Schema on page 20
! LDAP Schema Files on page 20
! Object Classes on page 20
! Attribute Types on page 24
! Structure Rules on page 24
! Content Rules on page 33
! Name Forms on page 34
LDAP Overview
The SDX directory schema is based on X.500/LDAP standards and the Common
Information Model version 2.5 (CIM 2.5) schemas. The SDX schema includes
additional elements for modeling primary access services, value-added services,
outsourced services, residential, enterprise and retail customers, policies, network
elements and others.
The access rights differ from component to component. For example, RADIUS needs
sufficient rights to read and compare the user passwords that are part of the
RADIUS profiles, but it does not need access to any other user passwords. In
addition, RADIUS does not need to modify, create, or delete any entries.
Mapping the Object Model to LDAP Schema
The LDAP schema defines the content and structure of the directory tree.
The schema supports:
! Scalability—Easy directory distribution to many directory servers
! Stability—Object deletion in the directory does not break the information
model
! Manageability—Tree structure allows easy access controls
! Accessibility—Directory is optimized toward search performance and is easily
accessible from the clients
NOTE: Standardized schema elements are used as much as possible to support the
above.
LDAP Schema Files
For your convenience, the LDAP schema files are provided in HTML format on the
SDX-300 Software CD in the directory SDK/doc/ldap. This directory comprises the
following subdirectories:
! objectClasses—Provides object classes listed alphabetically.
! attributeTypes—Provides the attribute types listed alphabetically.
! nameForms—Provides name forms listed alphabetically.
! contentRules—Provides all content rules listed by content rule ID.
! structureRules—Provides all structure rules listed by structure rule ID.
An HTML file called sdxSchemaIndex provides a hyperlinked index of the LDAP
schema attribute types and related object classes.
Object Classes
Each object class is derived from the abstract object class top where the values of
the attribute type objectClass describe the kind of object that an entry represents.
The objectClass attribute is present in every entry with at least two values, one
of which is top.
The dlm1ManagedElement is an abstract class that provides a common superclass,
or top of the inheritance tree, for nonassociation classes in the Common
Information Model (CIM) schema. It includes the attributes dlmCaption and
dlmDescription.
To support naming in the LDAP mapping of the core Distributed Management Task
Force (DMTF) schema, the attribute orderedCimKeys is defined to provide the
relative distinguished name (RDN) for directory implementations.
The Juniper Networks management products make use of Directory Information
Tree (DIT) containment (that is, the hierarchy of the tree expresses associations)
and use single attribute values for naming attributes. This means that whenever
orderedCimKeys is used as a naming attribute, the RDN looks like
orderedCimKeys=ERX01. This example depicts the RDN of an edge router chassis.
The dlm1ManagedSystemElement is the base class for the system element hierarchy.
Any distinguishable component of a system is a candidate for inclusion in this class.
Examples of this are software components, such as files, devices, disk drives and
controllers, and physical components, such as chips and cards.
Object Class Tables
Object class tables are provided in the subdirectory objectClasses in HTML format.
This directory is located on your SDX software CD in the folder SDK/doc/ldap.
A hyperlinked table that contains attribute types and related objects is provided in
the HTML file sdxSchemaIndex. This table is also located in the folder SDK/doc/ldap.
Object Representing Folders
Folders divide the directory information tree into logical subtrees. The content
prefix of the UMC tree is o=umc. The tree is divided into subtrees for subscribers
and service profiles, services, networks, policies, workflows, authentication profiles
for equipment registration for DHCP users, and authentication for persistent login
for DHCP users.
The object class organizationalUnit is used for creating folders under the first level of
folders; that is,
ou=,retailerName=,o=Users, o=umc
The first-level folders under o=umc are created during the setup of the directory.
The second-level folders are created with the SDX Admin component.
The standard object classes organization and organizationalUnit divide trees into
subtrees. In some cases the SDX components expect additional parameters that are
not part of those object classes. This additional information is part of an
auxiliary class, called moreInformationAuxClass, that can be attached to
organization and/or organizationalUnit entries.
Subscriber Objects
There are several types of subscribers:
! Residential users
! Enterprises
! Sites
! Accesses
! Subscriber folders
! Retailers
The folders underneath the Retailer object can be marked as umcSubscribers. This
provides a better grouping mechanism for Service Selection Portal (SSP) services.
Service Template Objects
Service templates consist of service-specific information. UMC supports four kinds
of high-level services:
! RADIUS services (PPP and DHCP broadband services)
! Access services (leased line for enterprises)
! SSP service (for residential and enterprise users)
! Outsourced services (for retail provider)
All service templates are stored under o=Services,o=umc. SSP services can be
stored under l=,o=Scopes,o=umc as well.
The SDX application supports parameter substitution for SSP services and for the
scope instance that indicates the scope of an sspService; a scope is realized by
using the object class locality. Parameter substitution requires the attachment of
the auxiliary object class parameterAuxClass to locality and sspService entries.
We recommend that the policies, state machines, and workflows be defined and
created in the directory before the service template creation, since references to
these objects are done at that time. The service definition interface should provide
LDAP search functionality that retrieves all available policies, state machines, and
workflows.
Subscription Profile Objects
When a subscriber (that is, either residential, retailer, enterprise, site or access)
subscribes to an offered service that is modeled by the service template objects, the
UMC subscription component creates a subscription profile called the
umcServiceProfile. The umcServiceProfile subscription is created as a subordinate of
the subscriber object in the tree. The SDX application supports parameter
substitution for SSP service subscriptions, which means that the auxiliary object
class parameterAuxClass can be attached to an instance of sspServiceProfile.
Policy Objects
The Policy Information model for SDX software is based on the Policy Core
Information Model (PCIM) that is mapped to the Policy Framework LDAP core
schema in IETF. SDX software extends this model to be very close to the Policy
model the router uses. A policy group object consists of one or more policy lists
which contain one or more policy rules. A policy rule consists of policy actions and
policy conditions. The objects policy group, policy list, and policy rules are mapped
to structural object classes. Each of these classes is derived from the object class
policy.
Network-Device Objects
The physical aspect of network elements is modeled with CIM classes. As a result,
the object class dlm1Chassis is used for any Juniper Networks equipment as well as
for any network devices that are part of the connection path. There might be
congestion points along that connection path. Those congestion points are
modeled by the object class networkInterface; its entries are subordinates of the
network-device objects within the directory tree.
The SSP requires information about the logical aspects of the router, such as virtual
routers or interface classifications. These aspects are modeled by the UMC class
umcVirtualRouter. Objects of the type umcVirtualRouter are children of the
dlm1Chassis entry. The umcClassificationProfile is an auxiliary object class that is
attached to that entry. The network devices used for grouping the virtual routers
within the tree are stored in the folder o=network,o=umc.
The network devices used for grouping the congestion points are stored in the
folder o=AdmissionControl,o=umc.
Workflow and OSM Schema Elements
Workflows can be stored in the UMC directory in bytecode format. Workflows and
state-machines are stored in the o=Workflows,o=umc tree. Whenever objects are
locked by the OSM, the locked objects are stored in o=Locks,o=umc.
Configuration and System Management
Parts of the SSP configuration are stored in the directory. Besides the configuration
itself, the license strings of the SAE are stored in the directory as well.
The agent and console discovery in the system management component of UMC
needs to obtain information about where to send traps, and about the list of agents
that the system management console must deal with.
All configuration and management objects are stored in the DIT subtree with the
base o=Management,o=umc.
The CIM class dlm1UnitaryComputerSystem represents the computer systems where
SAE and SM components are installed. The object class umcHost is therefore
replaced by the CIM class dlm1UnitaryComputerSystem, where the IP address is kept
in the CIM attribute dlmIdentifyingDescriptions. The location (for example, POP A) is
specified in dlmOtherIdentifyingInfo.
Attribute Types
An attribute is a parameter or value that can be specified for an object.
An alphabetical list of attribute types is provided in HTML format in the
subdirectory attributeTypes, which is located on your SDX software CD in the folder
SDK/doc/ldap.
A hyperlinked table that contains attribute types and related objects is provided in
the HTML file called sdxSchemaIndex. This file is also located in the folder
SDK/doc/ldap.
Structure Rules
The directory information tree (DIT) structure rules state which classes of object can
be subordinate to other classes of an object in the DIT. For example, it is sensible to
have service profiles subordinate to users. The DIT structure rules stop entries of the
wrong (structural) object class from being put into an inappropriate place in the DIT.
If you try to make an inappropriate entry, you will get an error message.
The structure rules are important to model dependencies.
Structure Rule Sr1—organizationalNameForm—allows the creation of the root
directory o=umc, which is the content prefix of the UMC directory.
Structure Rule Sr2—personNameForm—allows the umcAdmin directory under:
! o=umc, which contains the root directory (with Sr1 is the superior structure
rule)
! Other operating entities (Sr3 is the superior structure rule)
! o=operators,o=umc, which contains second-level organizations
! SDX components (Sr4 is the superior structure rule) that are stored in the folder
ou=components,o=operators,o=umc
! cn=EntMgrX,enterpriseName=EntX,ou=Location, retailerName=Retailer,
o=Users,o=umc, which contains enterprise operators
NOTE: Enterprise operators can be subordinates of umcEnterprise, umcSite, and
umcAccessServiceProfile objects, where structure rules Sr30, Sr31, and Sr32 are
superior structure rules.
Structure Rule Sr3—organizationalNameForm—allows the creation of one
organization layer under the root, which is used to separate the tree into two or
more subtrees, holding specific information. The SDX application expects the
following folders under o=umc:
! o=Users,o=umc, which contains subscriber information (including service
profiles)
! o=Services,o=umc, which contains service information
! o=Scopes,o=umc, which contains scopes that define a group of virtual routers
and SSP services, valid for the defined scope
! o=Policies,o=umc, which contains policy information
! o=Parameters,o=umc, which contains global parameter information
! o=Network,o=umc, which contains network information
! o=AuthCache,o=umc
! o=UserProfileCache,o=umc
! o=Workflows, o=umc, which contains workflow and state machine objects
! o=Locks,o=umc, which contains objects that are locked by transaction
! o=Servers,o=umc
! o=Management,o=umc, which contains configuration and system
management information
! o=Operators,o=umc, which contains operators, operator groups and SDX
components
Structure Rule Sr4—organizationalUnitNameForm—allows the creation of
second-level folders that are represented by organizationalUnit objects. These
folders are used to separate information based on some logic. The second-level
folders are allowed in the servers, management, policies, and operators’ subtrees.
This structure provides for a more flexible way to distribute or replicate the
directory in a granular way. It also makes it easier to define access controls. These
folders are also used in the subscriber subtree underneath the retailer object when
the superior rule is identical to structure rule Sr6.
Structure Rule Sr6—umcRetailerNameForm—allows retailer objects to be created
under the subscriber subtree (see structure rule Sr3).
Structure Rule Sr5—umcUserNameForm—defines the creation of umcUser objects,
which are derived from the inetOrgPerson object class. These users are created
under the second-level folders, which are defined in structure rule Sr4. In addition,
the concept of user groups for households is introduced. As a result, umcUser
objects can be created as subordinates to an existing umcUser object. Structure rule
Sr29 allows the creation of a second-level user. Because only retailers can subscribe
to outsourced services, umcOutsourcingServiceProfiles must be subordinate to
retailer objects, which are controlled by structure rule Sr25.
Residential subscribers are allowed to subscribe to RADIUS and SSP services. The
subscription process therefore creates objects from the types umcRadiusPerson and
sspServiceProfile as children of the user object. Structure rules Sr7 and
Sr8—sspServiceProfileNameForm and umcRadiusPersonNameForm objects—allow
these object creations.
Enterprise customers are created at the same level as residential customers. This
level is subordinate to the second-level folder. Structure rule
Sr30—umcEnterpriseNameForm—provides this functionality. Site objects can be
created underneath any enterprise object, as governed by structure rule
Sr31—umcSiteNameForm. Both enterprises and sites can have accesses, such as
leased lines. As a result, umcAccessServiceProfiles are subordinates of enterprises
and sites, which are controlled by structure rule
Sr32—umcAccessServiceProfileNameForm. Structure rule Sr7 allows the creation of
SSP service profiles underneath any umcEnterprise, umcSite, and
umcAccessServiceProfile object. In addition, any umcSubscriber for enterprise
services (that is, umcEnterprise, umcSite, and umcAccessServiceProfile) is allowed to
subscribe to RADIUS services. The creation of the umcRadiusPerson objects, which
is the result of those subscriptions, is governed by structure rule
Sr8—umcRadiusPersonNameForm. Enterprise operators are users (represented by
the object class person) who are allowed to manage some aspects of enterprise
services (SSPServiceProfiles) according to their access rights. These operators are
grouped into operator groups (groupOfUniqueName objects). Structure rule
Sr2—personNameForm— and structure rule
Sr38—groupOfUniqueNameForm—govern this feature.
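The placement constraints described for the subscriber subtree (Sr1 through Sr8, Sr25, and Sr29 through Sr32) can be checked before an entry is written, which is useful when subscriber data is imported by a script rather than through SDX Admin. The following Python example is added here and is not part of the SDX software. It encodes those rules as a table keyed by naming attribute, which is an assumption of this example (the guide identifies rules by name form, and cn is shared by person entries under Sr2 and groupOfUniqueNames entries under Sr38), and validates the RDN chain of a DN from o=umc down to the leaf. The DNs in the test are constructed from the example names in Figure 1.

```python
import re
from typing import Dict, List, Optional, Tuple

# Parent RDN patterns that may contain an entry named by a given attribute, as
# this example reads the structure rules for the subscriber subtree. A pattern is
# (attribute, value); a value of None matches any value. Keying by naming
# attribute instead of by name form is an assumption of this example.
Parent = Tuple[str, Optional[str]]
STRUCTURE_RULES: Dict[str, List[Parent]] = {
    "o": [("o", "umc")],                                        # Sr3: first-level folders
    "retailerName": [("o", "Users")],                           # Sr6
    "ou": [("retailerName", None), ("o", "Policies"),
           ("o", "Management"), ("o", "Servers"), ("o", "Operators")],  # Sr4
    "uniqueId": [("ou", None), ("uniqueId", None)],             # Sr5, Sr29 (households)
    "enterpriseName": [("ou", None)],                           # Sr30
    "siteName": [("enterpriseName", None)],                     # Sr31
    "accessName": [("enterpriseName", None), ("siteName", None)],  # Sr32
    "serviceName": [("uniqueId", None), ("enterpriseName", None), ("siteName", None),
                    ("accessName", None), ("retailerName", None)],  # Sr7, Sr8, Sr25
    "cn": [("o", None), ("ou", None), ("enterpriseName", None),
           ("siteName", None), ("accessName", None)],           # Sr2, Sr38
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, leaf first.

    Commas inside values may be escaped as "\\," (RFC 4514); multi-valued RDNs
    are not needed for this schema and are not handled.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip(), value.replace("\\,", ",")))
    return rdns


def _matches(parent: Tuple[str, str], pattern: Parent) -> bool:
    attr, value = parent
    pat_attr, pat_value = pattern
    return attr == pat_attr and (pat_value is None or pat_value.lower() == value.lower())


def validate_dn(dn: str) -> List[str]:
    """Return [] if every RDN sits where the structure rules allow it, else the violations."""
    rdns = parse_dn(dn)
    problems: List[str] = []
    root_attr, root_value = rdns[-1]
    if (root_attr, root_value.lower()) != ("o", "umc"):          # Sr1
        problems.append(f"root must be o=umc (Sr1), got {root_attr}={root_value}")
    # Walk from the entry directly below the root down to the leaf.
    for depth in range(len(rdns) - 2, -1, -1):
        child_attr, child_value = rdns[depth]
        parent = rdns[depth + 1]
        allowed = STRUCTURE_RULES.get(child_attr)
        if allowed is None:
            problems.append(f"{child_attr}={child_value}: no structure rule for "
                            f"naming attribute {child_attr}")
        elif not any(_matches(parent, pattern) for pattern in allowed):
            problems.append(f"{child_attr}={child_value}: not permitted under "
                            f"{parent[0]}={parent[1]}")
    return problems


if __name__ == "__main__":
    for candidate in ("uniqueId=User X,ou=Location x,retailerName=Retailer x,o=Users,o=umc",
                      "siteName=Site X,uniqueId=User X,ou=Location x,retailerName=Retailer x,o=Users,o=umc"):
        print(candidate, "->", validate_dn(candidate) or "ok")
```

A directory server that enforces the structure rules rejects a misplaced entry with an error, as the Structure Rules section notes; running this check first gives the operator the reason in terms of the rules rather than a generic error from the server.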
Figure 1 depicts a possible structure in the subscriber subtree.
Figure 1: DIT Structure in the Subscriber Subtree
(Diagram not reproduced; its node labels are listed here.) root > o=UMC, with the
administrator cn=umcAdmin and the folder for subscribers o=Users beneath it. Under
o=Users: the retailer retailerName=Retailer x, which holds the outsourcing-service
profile serviceName=Outsorcing via PTA and the second-level folder ou=Location x.
Under the second-level folder: residential users uniqueId=User X and uniqueId=User
Y, each with a RADIUS profile serviceName=ISP x Access and SSP-service profiles
(serviceName=SSP Service X, serviceName=SSP Service U); the enterprise user
enterpriseName=Ent X with operators cn=Ent Mgr X, operator group cn=Ent Mgr Grp X,
RADIUS profile serviceName=BBAccess, SSP-service profile serviceName=SSP Service Y,
an access-service profile accessName=Access X (with operators cn=Access Mgr X,
operator group cn=Acc Mgr Grp X, and SSP-service profile serviceName=SSP Service Z)
and the site siteName=Site X (with operators cn=Site Mgr X, operator group cn=Site
Mgr Grp X, SSP-service profile serviceName=SSP Service W, and its own access-service
profile accessName=Access X carrying operators cn=Access Mgr X, operator group
cn=Acc Mgr Grp X, and SSP-service profile serviceName=SSP Service V).
All the umcServices objects, which include umcAccessService, sspService,
umcRadiusService, and umcOutsourceService objects, as well as umcMutexGroup objects
that contain mutually exclusive sspService objects, are organized underneath the
o=Services,o=umc object, which was created by applying structure rule Sr3.
Structure rules Sr11, Sr12, Sr21, Sr24, and Sr15 govern the creation of these objects.
The scopes subtree contains locality objects governed by structure rule
Sr22—localityNameForm. These objects represent scopes that have an association
with virtual routers. Structure rule Sr12—sspServiceNameForm allows the creation of
sspService objects as subordinates of those scope objects.
The network elements, represented by dlm1Chassis objects, are kept directly below
the network subtree o=Network,o=umc due to structure rule
Sr9—chassisNameForm. Virtual routers are placed underneath these network
elements by applying structure rule Sr10—umcVirtualRouterNameForm.
Figure 2 depicts the structure in the services, scopes, and network subtrees.
Figure 2: DIT Structure in the Services, Scopes, and Network Subtrees
(Diagram not reproduced; its node labels are listed here.) root > o=UMC with three
first-level folders. The folder for services o=Services holds the SSP-service
serviceName=SSP Service X, the RADIUS service serviceName=ISP x Access, the
outsourcing service serviceName=Outsorcing via PTA, the access service
serviceName=Access X, and the mutually exclusive group mutexName=Group X. The
folder for scopes o=Scopes holds the scope l=Scope X, under which the SSP-service
serviceName=SSP Service X is placed. The folder for network o=Network holds the
chassis orderedCimKeys=ERX x, under which the virtual router
virtualRouterName=default is placed.
The cached authentication profiles can also be added as children of the object
o=AuthCache,o=umc, which is created by Sr3.
Besides the second-level folders governed by structure rule Sr4, many folders
represented by the organizationalUnit object can be created by applying structure
rule Sr19—organizationalUnitNameForm. Any of those folders, as well as the entry
o=Policies,o=umc, are called policyFolder. Each policyFolder can contain a policy
group, which is represented by the policyGroup object, controlled by structure rule
Sr23—policyGroupNameForm. Policy groups contain policy lists that have policy
rules as subordinates. Structure rules Sr27—policyListNameForm—and
Sr28—policyRuleNameForm—allow the creation of those objects.
Global parameters are stored in umcGlobalParameter objects, which are
subordinates of the o=Parameters,o=Users entry. Structure rule
Sr33—umcGlobalParameterNameForm—allows the creation of those objects.
The SAE caches user profiles and authentications by writing objects from type
cachedAuthenticationProfile into the directory where the user profiles are placed into
the folder o=UserProfileCache. The authentications are stored underneath
o=AuthCache,o=umc. Structure rule Sr13—cachedAuthProfileNameForm—controls
the addition of those objects under the first-level folder.
Figure 3 depicts the subtrees for policies, parameters, and cache profiles.
Figure 3: DIT Structure for Policies, Parameters, and Cache Profiles
(Diagram not reproduced; its node labels are listed here.) root > o=UMC with four
first-level folders: the folder for policies o=Policies, the folder for parameters
o=Parameters, the folder for cached authentications o=AuthCache, and the folder
for cached user profiles o=UserProfileCache. Under o=Policies: the policy group
policyGroupName=Pol X, containing the policy list policyListName=Ingress, which
contains the policy rule policyRuleName=Rule X; the policy folder ou=Folder X,
containing the policy group policyGroupName=Pol Y with policy list
policyListName=Ingress and policy rule policyRuleName=Rule Y; and a further policy
folder ou=Folder Y. Under o=Parameters: the global parameter cn=Param X. Under
o=AuthCache: the cached authentication macAddress=00:00:00:00:00. Under
o=UserProfileCache: the cached user macAddress=00:00:00:00:00.
The workflow and state-machine entries exist in the folder o=Workflow,o=umc.
They are governed by structure rules Sr16—umcWorkFlowNameForm—and
Sr17—umcStateNameForm.
Transaction locks are stored in the o=Locks,o=umc folder and are governed by
structure rule Sr37—umcTransactionLockNameForm. The object state machine
component can lock objects from type umcSubscriber, umcRetailer, and
umcServiceProfile during the transaction state of those objects by creating entries
that are subordinates of the transaction lock entry. These are residential users,
retailers, enterprise users, users, sites, accesses, RADIUS profiles, outsourced service
profiles, and SSP service profiles. Structure rules Sr5, Sr6, Sr7, Sr8, Sr25, Sr30, Sr31
and Sr32 allow these additions.
Figure 4 depicts the workflow and locked objects subtrees.
Figure 4: DIT Structure in the Workflows and Locked Objects Subtrees
(Diagram not reproduced; its node labels are listed here.) root > o=UMC with the
folder for workflows and state machines o=Workflows, holding the workflow
workflowName=WF x and the state machine stateMachineName=SM x, and the folder for
locked objects o=Locks, holding the transaction lock lockName=Lock x. Beneath the
transaction lock sit the locked objects: the SSP-service profile serviceName=SSP
Service X, the RADIUS profile serviceName=BB Access, the outsourcing-service profile
serviceName=Outsorcing via PTA, the access-service profile accessName=Access X, the
residential user uniqueId=User X, the enterprise user enterpriseName=Ent X, the site
siteName=Site X, and the retailer retailerName=Retailer x.
All management and configuration objects are created underneath
o=Management,o=umc. This folder is organized by up to four layers of
organizationalUnit objects by applying structure rules Sr4 and Sr19. Licenses are
stored underneath ou=Licenses,o=Management,o=umc by applying structure rule
Sr26—umcLicenseNameForm. The configuration objects are placed as children of
objects ou=,ou=configuration, o=Management,o=umc,
where specifies a UMC application such as SAE, POM, and
others. Structure rule Sr20—umcConfigurationNameForm—governs this structure.
The SAE writes its administration URL into the folder ou=sspadminurl,
o=servers,o=umc during startup and deletes it during shutdown. Structure rule
Sr39—umcUrlNameForm—allows the addition of that kind of entry.
All operators, operator groups, and SDX components are stored in the operators’
subtree. Structure rule Sr2 takes care of the creation of operators and components,
whereas structure rule Sr38—groupOfUniqueNameForm—allows the creation of
groups.
Figure 5 depicts the management, servers, and operators subtrees.
Figure 5: DIT Structure in the Management, Servers, and Operators’ Subtrees
(Diagram not reproduced; its node labels are listed here.) root > o=UMC with the
folder for management and configuration o=Management, the folder for operators and
components o=Operators, and the folder for servers o=Servers. Under o=Management:
the second-level folder ou=License, holding the license cn=host X, and the
second-level folder ou=Configuration with the third-level folders ou=SSP (holding
the configuration l=PoP X) and ou=System Management, the latter with the
fourth-level folders ou=Components (components dlmName=Comp X and dlmName=Comp Y)
and ou=Traps (trap trapName=Trap X). Under o=Operators: the operator cn=Operator X,
the operator group cn=Group X, and the second-level folder ou=Components holding the
SSC component cn=RADIUS. Under o=Servers: the second-level folder ou=sspadmurls
holding the umcUrl entry umcHost=host X.
Content Rules
A DIT content rule is a comprehensive way of defining precisely what attributes can
be in an entry, without having to either register new object class definitions and
their associated object identifiers, or let anarchy reign through the unregistered
object class mechanism.
A DIT content rule specifies the following entries of a particular structural object
class:
! Additional mandatory attributes that the entries must contain
! Additional optional attributes that the entry may contain
! Set of additional auxiliary object classes that these entries can be members of
! Any optional attributes from the structural and auxiliary object class definitions
that the entries must not contain
A DIT content rule is the overriding subschema element that actually controls which
attributes can appear in an entry.
The following paragraphs explain the purpose of attaching auxiliary classes to
structural object classes.
The SDX component detects any kind of subscribers (that is, residential and
enterprise) by querying the directory against the key objectClass=umcSubscriber.
The objects from the types umcUser, umcEnterprise, umcSite, and
umcAccessServiceProfile must include umcSubscriber as an additional objectClass
value. This is done by attaching the auxiliary class umcSubscriber to those objects.
The DIT content rules Cr10 to Cr13 allow this attachment.
With the introduction of policy parameterization, the operator has the ability to
provide symbolic names in place of literal values when defining policies. These
symbolic names are bound to values at run time before the policies are downloaded
to the router. The parameter values are collected from different objects. These
objects are actual entries in the directory where the parameters get associated with
the entries by attaching the auxiliary class parameterAuxClass. The following are the
type of objects where parameters can be used: dlm1Chassis, policyGroup, sspService,
sspServiceProfile, locality, umcUser, umcSite, umcEnterprise, and
umcAccessServiceProfile. The DIT content rules Cr1 and Cr6 through Cr13 permit
the attachment of the parameter attributes that are defined in the class
parameterAuxClass.
The SDX component DES marks entries of certain types as deleted, rather than
actually deleting the object, when a DES client performs a deletion operation.
The auxiliary class umcDeletionAuxClass with its Boolean attribute deleted is
available for the object classes organizationalUnit, policyGroup, sspServiceProfile,
umcUser, umcSite, umcEnterprise, umcAccessServiceProfile, umcRadiusPerson,
umcRetailer, umcGlobalParameter, umcComponent, umcTrap and umcUrl. The DIT
content rules Cr4, Cr6, Cr8, Cr10, Cr11, Cr12, Cr13, Cr14, Cr15, Cr17, Cr18, Cr19,
and Cr20 permit the attachment of the auxiliary class umcDeletionAuxClass.
The OSM locks specific objects during transactions. This is accomplished by
attaching the auxiliary object class transactionalObjectAuxClass to all classes
inherited from the abstract class umcServiceProfile. The same auxiliary class can
also be attached to objects that carry umcSubscriber and to umcRetailer objects. The
DIT content rules Cr10 through Cr16 allow this kind of operation.
Information about policy conditions and policy actions is stored in attributes that
belong to auxiliary classes that represent the supported actions and conditions. The
auxiliary classes must be attached to policy rules. The DIT content rule Cr5 allows
this kind of attachment. Policies are organized in a specific kind of folder. As a
result, objects of type organization and organizationalUnit can be marked as a
policyFolder object by attaching the appropriate auxiliary class. See Cr3 and Cr4.
Operators might like to store additional information not provided by the classes
organization and organizationalUnit in those types of entries. This is accomplished
by attaching the auxiliary class moreInformationAuxClass, which is permitted by Cr3
and Cr4.
DIT content rule Cr2 allows adding SNMP information to virtual routers, as well as
associating virtual routers with specific service scopes, by attaching the auxiliary
classes dlm1PhysicalElementLocationAuxClass and snmpInfoAuxClass to the
structural class umcVirtualRouter.
Interface classifications are attached to objects representing router devices. Cr1
allows attaching the class umcClassificationProfile to dlm1Chassis in addition to the
previously mentioned attachment of parameter classes.
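The attachments described in this section, and the objectClass=umcSubscriber search that the SDX component relies on, can both be exercised against entries held in memory before they are loaded into the directory. The following Python example is added here and is not part of the SDX software or its schema files. Its table is this example's own reading of the content rules above, keyed by structural class rather than by Cr number because the guide gives the Cr-to-class mapping only in part; the set of inherited superclasses it ignores (top, the CIM base classes, umcServiceProfile, and the person chain that umcUser derives from through inetOrgPerson) is likewise an assumption. The sample entries, including the two that violate the rules, are constructed.

```python
from typing import Dict, List, Set

# Auxiliary classes each structural class may carry, as read from the content
# rules above. Where the guide states the Cr number unambiguously it is noted.
SUBSCRIBER_AUX: Set[str] = {"umcSubscriber", "parameterAuxClass",
                            "umcDeletionAuxClass", "transactionalObjectAuxClass"}
CONTENT_RULES: Dict[str, Set[str]] = {
    "dlm1Chassis": {"parameterAuxClass", "umcClassificationProfile"},      # Cr1
    "umcVirtualRouter": {"dlm1PhysicalElementLocationAuxClass",
                         "snmpInfoAuxClass"},                              # Cr2
    "organization": {"moreInformationAuxClass"},                           # Cr3
    "organizationalUnit": {"moreInformationAuxClass",
                           "umcDeletionAuxClass"},                         # Cr4
    "policyGroup": {"parameterAuxClass", "umcDeletionAuxClass"},           # Cr6
    "sspService": {"parameterAuxClass"},
    "locality": {"parameterAuxClass"},
    "sspServiceProfile": {"parameterAuxClass", "umcDeletionAuxClass",
                          "transactionalObjectAuxClass"},                  # Cr8
    "umcUser": SUBSCRIBER_AUX,                  # Cr10 to Cr13: the umcSubscriber carriers
    "umcEnterprise": SUBSCRIBER_AUX,
    "umcSite": SUBSCRIBER_AUX,
    "umcAccessServiceProfile": SUBSCRIBER_AUX,
    "umcRadiusPerson": {"umcDeletionAuxClass", "transactionalObjectAuxClass"},
    "umcOutsourcingServiceProfile": {"transactionalObjectAuxClass"},
    "umcRetailer": {"umcDeletionAuxClass", "transactionalObjectAuxClass"},
    "umcGlobalParameter": {"umcDeletionAuxClass"},
    "umcComponent": {"umcDeletionAuxClass"},
    "umcTrap": {"umcDeletionAuxClass"},
    "umcUrl": {"umcDeletionAuxClass"},
}

# Abstract classes and superclasses that appear in objectClass next to the
# structural class; they are inheritance, not auxiliary attachments (assumed set).
INHERITED: Set[str] = {"top", "dlm1ManagedElement", "dlm1ManagedSystemElement",
                       "umcServiceProfile", "person", "organizationalPerson",
                       "inetOrgPerson"}

# Constructed sample entries: DN -> objectClass values.
SAMPLE_ENTRIES: Dict[str, List[str]] = {
    "uniqueId=User X,ou=Location x,retailerName=Retailer x,o=Users,o=umc":
        ["top", "person", "organizationalPerson", "inetOrgPerson", "umcUser",
         "umcSubscriber", "parameterAuxClass"],
    "enterpriseName=Ent X,ou=Location x,retailerName=Retailer x,o=Users,o=umc":
        ["top", "umcEnterprise", "umcSubscriber", "umcDeletionAuxClass"],
    # Violation: parameterAuxClass is not among the classes the rules list for it.
    "serviceName=ISP x Access,uniqueId=User X,ou=Location x,retailerName=Retailer x,o=Users,o=umc":
        ["top", "umcRadiusPerson", "parameterAuxClass"],
    # Violation: top is missing.
    "serviceName=SSP Service X,uniqueId=User X,ou=Location x,retailerName=Retailer x,o=Users,o=umc":
        ["umcServiceProfile", "sspServiceProfile", "parameterAuxClass"],
}


def check_entry(object_classes: List[str]) -> List[str]:
    """Return the content-rule violations for one entry's objectClass values ([] if clean)."""
    classes = set(object_classes)
    problems: List[str] = []
    if "top" not in classes:
        problems.append("objectClass must include top")
    structural = sorted(c for c in classes if c in CONTENT_RULES)
    if len(structural) != 1:
        problems.append(f"expected exactly one known structural class, found {structural}")
        return problems
    allowed = CONTENT_RULES[structural[0]]
    for aux in sorted(classes - INHERITED - {structural[0]}):
        if aux not in allowed:
            problems.append(f"auxiliary class {aux} is not permitted on {structural[0]}")
    return problems


def audit(entries: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each offending DN to its violations; clean entries are omitted."""
    return {dn: probs for dn, ocs in entries.items() if (probs := check_entry(ocs))}


def find_subscribers(entries: Dict[str, List[str]]) -> List[str]:
    """Mimic the SDX component's (objectClass=umcSubscriber) search over in-memory entries."""
    return sorted(dn for dn, ocs in entries.items() if "umcSubscriber" in ocs)


if __name__ == "__main__":
    for dn, probs in audit(SAMPLE_ENTRIES).items():
        print(dn, "->", "; ".join(probs))
    print("subscribers:", find_subscribers(SAMPLE_ENTRIES))
```

The subscriber search is the reason the umcSubscriber attachment matters operationally: a umcEnterprise entry that is missing the auxiliary value is simply invisible to the component, with no error raised anywhere.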
Content Rules Table
A table of content rules is provided in HTML format. This hyperlinked table is
located in the subdirectory contentRules located on your SDX software CD in the
directory folder SDK/doc/ldap. The table provides the content rule ID, the content
rule for structural object class, the auxiliary class, and a description of each content
rule.
Name Forms
Name forms are used to define the structure rules (see Content Rules on page 33).
Name forms state which attribute types must be used in forming the RDNs of
entries.
An alphabetical list of name forms is provided in HTML format in the subdirectory
nameForms which is located on your SDX software CD in the directory
SDK/doc/ldap.
Chapter 4
Integrating Sun ONE Directory Server
Sun ONE Directory Server is a software product by Sun Microsystems, Inc. that
provides a central repository for storing and managing identity profiles, access
privileges, and application and network resource information.
Use the information in this chapter to integrate Sun ONE Directory Server with
Juniper Networks routers and the SDX software. Refer to the SDX release notes for
information about compatibility of this SDX release with Sun ONE Directory Server
releases.
This chapter contains the following sections:
! Overview on page 35
! Sun ONE Directory Server Tasks on page 37
! Obtaining the Sun ONE Directory Server Software on page 38
! Installing the UMCiDSa Add-On Package on page 38
! Configuring Sun ONE Directory Server Instance on page 39
! Starting, Stopping, and Restarting Sun ONE Directory Server on page 40
Overview
You can easily integrate the Sun ONE Directory Server product with the SDX
software. Sun ONE Directory Server is based on industry-standard LDAP and
provides advanced security features, carrier-grade scalability, performance, and
availability. Sun ONE acts as a central repository for the consolidation of user
profiles.
You can use the information stored in Sun ONE Directory Server for the
authentication and authorization of users to enable secure access to enterprise and
Internet services. Sun ONE helps to ensure that appropriate access control policies
are enforced across all communities, applications, and services on a global basis.
NOTE: Sun ONE Directory Server was formerly called iPlanet Directory Server.
SDX 6.0.x Integration Guide
About the Sun ONE Add-On Package
The Sun ONE Directory Server add-on package for the SDX software is called
UMCiDSa. Read the following sections to better understand the features included in
the add-on package.
LDAP Directory Instance
Sun ONE’s silent installation feature allows the Sun ONE software to be installed
together with the SDX software; no user intervention is required during the
setup process.
The UMCiDSa package contains a silent installation file, sdx.inf, which drives
Sun ONE’s silent installation. Table 4 describes the important setup script
information contained in the sdx.inf file.
Table 4: Information Needed for Sun ONE Setup Script
Software Name       Description
/opt/UMC/iDS        Installation path
admin               Directory configuration admin (Sun ONE entity)
admin               Password for directory configuration admin
389                 LDAP port to be used for directory instance
sdx                 Server identifier (Sun ONE specific). The directory instance is installed in the path /opt/UMC/iDS/slapd-sdx
o=umc               Suffix for new LDAP directory instance
cn=umcAdmin,o=umc   Identifier for Super-administrator
admin123            Password for Super-administrator
6666                Admin-port
uid-uniqueness Plug-in
The uid-uniqueness plug-in is not enabled in the initial configuration of the Sun
ONE Directory Server software. Because the SDX software does not require global
uniqueness of the uid attribute, leave this plug-in disabled.
Password Storage Scheme
The SDX software’s RADIUS component (UMCradius) requires that passwords be
stored as clear text. By default, Sun ONE Directory Server stores passwords in
encrypted form; therefore, the load script reconfigures the password storage
scheme so that passwords are stored in clear text.
Schema Extension
The SDX software’s schema requirements are contained in an LDIF file within the
UMCiDSa package. The schema file 99umcschema.ldif is used for Sun ONE. This file
is copied automatically within the load script and placed into the schema
subdirectory of the directory instance.
Database Settings
You can modify the index configuration of attributes by adding new entries into the
Sun ONE Directory Server database. The index configuration is performed within
the load script.
SDX Skeleton
The Sun ONE Directory Server add-on package includes an LDIF file with the
necessary directory entry infrastructure. The LDIF file is loaded by the ldapmodify
tool as part of the load script.
Access Control
Sun ONE Directory Server stores the access control information in the aci attribute,
which is available for all directory entries. All the required access control
information can be loaded by the ldapmodify tool, which processes an LDIF file. The
UMCiDSa package contains the LDIF file access.ldif. This file is processed within the
load script.
Loading Sample Database
When you run the load script, you will get a prompt asking you whether sample
data should be loaded into the directory.
Sun ONE Directory Server Tasks
You must complete the following tasks to integrate the Sun ONE Directory Server
software with the SDX software:
1. Install Solaris 8 or higher operating system and patches. Follow Solaris 8
installation instructions.
2. Obtain the Sun ONE Directory Server software. See Obtaining the Sun ONE
Directory Server Software on page 38.
3. Install SDX software. See the SDX Software Basics Guide, Chapter 5, Installing the
SDX-300 Software.
4. Install the Sun ONE Directory Server add-on package. See Installing the
UMCiDSa Add-On Package on page 38.
5. Configure the Sun ONE Directory instance. See Configuring Sun ONE Directory
Server Instance on page 39.
Obtaining the Sun ONE Directory Server Software
Before you can integrate the Sun ONE Directory Server software with the SDX
software, you must have access to the Sun ONE Directory Server 5.1 Service Pack 2
software. The Sun ONE Directory Server Service Pack 2 software is not included
with your SDX software.
Obtain the software by downloading the Sun ONE Directory Server 5.1 Service Pack
2 software from the Sun Microsystems Web site. Go to:
http://www.sun.com/software/download/products/3e5beea5.html
Installing the UMCiDSa Add-On Package
The UMCiDSa add-on package will be installed in the directory /opt/UMC/conf/iDS.
To install the UMCiDSa add-on package:
1. Log in as root.
2. Start the swmtool and select the UMCiDSa package from the list.
3. Click Add.
The following window appears.
4. In response to the question, enter:
y
The package is installed in the directory /opt/UMC/conf/iDS.
Configuring Sun ONE Directory Server Instance
A new Sun ONE Directory instance must be created to integrate the Sun ONE
Directory Server software with the SDX software. You will need to access the Sun
Microsystems Web site to download the software.
To configure Sun ONE Directory Server instance:
1. Download the product binaries from this location:
http://www.sun.com/software/download/products/3e5beea5.html
2. Unpack the binary files by executing the command:
gzip -dc .tar.gz | tar -xvof -
NOTE: corresponds to the product binaries that you want to unpack.
It is assumed that you saved the downloaded file into the directory /tmp/DS.
3. Change the directory path to the same directory to which you untarred the
installation files.
For example:
cd /tmp/DS
4. Execute the command:
./setup -s -f /opt/UMC/conf/iDS/sdx.inf
5. Change the directory path to:
/opt/UMC/conf/iDS
6. Execute this command to run the load script:
./load
After the schema is changed, the skeleton is loaded, and the access controls are
created, the script prompts you to load the sample data.
Sun ONE Directory Server can now be used by any SDX component.
Starting, Stopping, and Restarting Sun ONE Directory Server
Use the commands in this section to start, stop, and restart activities with Sun ONE
Directory Server.
! To start Sun ONE Directory Server:
cd /opt/UMC/conf/iDS
./ldap start
! To stop Sun ONE Directory Server:
cd /opt/UMC/conf/iDS
./ldap stop
! To restart Sun ONE Directory Server:
cd /opt/UMC/conf/iDS
./ldap restart
Chapter 5
Integrating the DirX Directory Server
DirX Solutions is a product family by Siemens that provides a central repository for
storing, managing, and distributing identity profiles, access privileges, and
application and network resource information. DirX Solutions contains the software
products DirX 6.0 directory server and DirXmetahub 6.0 (the DirX meta engine).
Use the information in this chapter to integrate DirX with Juniper Networks routers
and the SDX software. Refer to the SDX release notes for information about
compatibility of this SDX release with DirX releases.
This chapter contains the following sections:
! Overview on page 41
! Obtaining the DirX Directory Server Software on page 43
! Preparing to Install the DirX Directory Server on page 43
! Installing the DirX Directory Server on page 44
! Installing the UMCdirxa Add-On Package on page 45
! Configuring the DirX Directory Server on page 46
! Uninstalling DirX Directory Server on page 46
! Starting and Stopping the DirX Directory Server on page 47
Overview
You can easily integrate the DirX directory server with the SDX software. The DirX
directory server is based on LDAPv3, DSMLv2, and X.500 directory server
standards. You can use DirX to set up a distributed, replicated directory service and
to manage data in directories. DirX provides an identity management system to
store information about people, organizations, applications, network devices, and
other distributed services.
Working with the DirX directory server, DirXmetahub cuts down the time and effort
that are needed to operate multiple directories simultaneously.
About the DirX Add-On Package
The DirX directory server add-on package for the SDX software is called UMCdirxa.
Read the following sections to better understand the features included in the add-on
package.
NOTE: The default base directory for installation is /opt/dirx. We recommend that
you install the DirX software in the home directory of the DirX user. Create a user
account, such as dirx, and install the DirX software package in the home directory
/export/home/dirx.
NOTE: The directory and log files are created in subdirectories of the installation
directory. Before you start the installation, verify that you have sufficient disk
space available in the installation directory.
LDAP Directory Instance
The LDAP directory instance is created by executing the generate.sh script. The SDX
software requires a specific configuration, which is contained in the variables.tcl file.
Therefore, the configuration does not require any user intervention. Table 5
describes important generate-script information, which is contained in the
variables.tcl file.
Table 5: Information Needed for DirX Generate Script
Software Name         Description
389                   LDAP port to be used for directory instance
/o=umc                Suffix for new LDAP directory instance
/o=umc/cn=umcAdmin    Identifier for super-administrator
admin123              Password for super-administrator
Schema Extension and Database Settings
The SDX software’s schema requirements and the index configuration of attributes
are contained in a flat file within the UMCdirxa package. The schema file
schema.adm is processed by the DirX administration tool dirxadm as part of the
generate script.
Directory Tree Structure
The DirX directory server requires that the exact structure of the directory tree be
defined. The UMCdirxa package contains the flat file initialize.cp, which is processed
by the DirX client dirxcp as part of the generation process of the directory.
Access Control
DirX stores the access control information in subentries. The UMCdirxa package
contains the flat file access.cp. The DirX client dirxcp processes the access.cp file as
part of the generate.sh script.
SDX Skeleton
The DirX directory server add-on package includes an LDIF file with the necessary
directory entry infrastructure. The LDIF file is loaded by the ldapmodify tool as part
of the load script.
Loading Sample Database
When you run the generate script, you will get a prompt asking you whether a
sample database should be loaded on top of the directory infrastructure.
Obtaining the DirX Directory Server Software
You can obtain the DirX Solutions software package by contacting your local
Siemens sales representative. For immediate information, go to:
http://www.siemens.com/directory
You can also e-mail Siemens at:
directory@icn.siemens.de
Preparing to Install the DirX Directory Server
Only root users can install the DirX directory server software. To prepare for
installation:
1. Log in as root.
2. Load the Siemens DirX Solutions software CD and access the CD directory. For
example:
cd /cdrom/cdrom0
Creating a New Directory User
You must create a directory user called dirx. Once the software is installed, the dirx
user can manage the DirX software.
To create a new user and prepare the host for the DirX software:
1. From a UNIX window, start the Solaris Admintool:
admintool &
The Admintool: Users window appears.
2. Select Edit and then click Add.
The Admintool: Add User dialog box appears.
3. In the User Name field, enter:
dirx
4. In the Set Path field, enter:
/export/home/dirx
5. Click OK.
The window closes and the main Admintool:Users window appears with the
information you just entered.
6. Set the password. For example:
passwd dirx
7. Enter and confirm the password when prompted by the Admintool.
Installing the DirX Directory Server
To install the DirX directory server software:
1. Log in as superuser.
2. Install DirX with the pkgadd tool. For example:
pkgadd -d /cdrom/cdrom0/server/dirx/sun/dirx60*
NOTE: On Sun platforms, the CD-ROM will start automatically.
3. Respond to the prompts listed in Table 6.
Table 6: Prompts for Installation of DirX-SV Server Package
Prompt                                                   Response
Where should the package DirX-SV be installed?           1 = home directory, 2 = /opt/dirx. Select 1.
Please enter the login name of an existing user.         dirx
Do you want to install these as setuid.setgid files?     y
Do you want to continue with the installation of ?       y
Installing the UMCdirxa Add-On Package
The DirX add-on package will be installed in a subdirectory called customize in the
dirx user home directory /export/home/dirx.
To install the UMCdirxa add-on package:
1. Place the SDX Distribution Software CD into the CD-ROM drive.
Solaris automatically mounts the software CD at /cdrom/cdrom0.
2. Log in as superuser.
3. Install the UMCdirxa package with the pkgadd tool. For example:
pkgadd -d /cdrom/cdrom0/SDX/solaris/.
For more information about using pkgadd, see SDX Software Basics Guide,
Chapter 5, Integrating the DirX Directory Server.
The package is installed in the directory /export/home/dirx/customize.
Configuring the DirX Directory Server
The installation of the DirX add-on package places all required integration files into
a subdirectory called customize. This subdirectory is located in the installation
directory of the DirX directory server software.
To configure the DirX directory server:
1. On the UNIX host, log in as dirx and enter the following commands:
su - dirx
cd customize
sh ./generate.sh
2. At the system prompt “Do you want to load sample data? [n]”, enter y for yes.
The generate.sh script writes the log file log.txt, which you should review in
an editor. If the generation fails, the system returns a FAILED message.
The script takes a few minutes to create, initialize, and configure the database
and start the server processes.
NOTE: To verify that the integration was successful, open the log.txt file with an
editor, such as vi, and search for FAILED. If the search finds no FAILED entries,
the integration was successful.
3. To verify that the DirX directory server processes are running, enter:
ps -ef | grep dirx
The system should display three processes, as shown in the following sample
screen output:
root 20263 20260 0 Feb 11 ?  5:40 /export/home/dirx/bin/dirxldapv3
dirx 20261 20260 0 Feb 11 ? 26:26 /export/home/dirx/bin/dirxdsa -d /export/home/dirx/server/DB
dirx 20260   143 0 Feb 11 ?  0:00 /export/home/dirx/bin/dirxdsas -d /export/home/dirx
Wait for the output of all three processes to appear. The DirX LDAPv3 daemon
process takes longer than the other two.
Uninstalling DirX Directory Server
To uninstall DirX:
1. On the UNIX host, log in as root.
2. Stop the DirX directory server. For example:
/etc/init.d/dirx stop
3. From a UNIX window, launch the Solaris software management tool.
swmtool
The Admintool: Software window appears.
4. Select the installed DirX directory server packages.
5. Select Edit and click Delete.
A status dialog box prompts you to confirm that you want to delete the
packages.
6. Click Delete.
Starting and Stopping the DirX Directory Server
There are two ways that you can start and stop the DirX directory server. You can
perform the operations within the context of either a dirx user environment or a
superuser environment.
NOTE: Refer to the Siemens DirX directory server documentation for operating
details.
dirx user Environment
To start, stop, or restart DirX within a dirx user environment:
1. Log in as a dirx user:
login dirx
2. Change the directory to the customize directory:
cd customize
3. Start DirX by entering the command:
dirxadm -c start
4. Stop DirX by entering the command:
dirxadm shutdown.tcl
5. Restart DirX by performing Steps 3 and 4.
Superuser Environment
To start or stop DirX within a superuser environment:
1. Log in as root.
2. Start the DirX directory server:
/etc/init.d/dirx start
NOTE: The start process takes approximately 30 seconds.
3. Stop the DirX directory server:
/etc/init.d/dirx stop
Chapter 6
Data Integration
This chapter describes how developers can create data integrators that read data
from a service provider’s storage medium, and write the data in a format that
complies with the SDX LDAP schema to a directory. The chapter contains the
following sections:
! Overview on page 49
! Getting Help with Data Integration on page 51
! Installing the Data Integration Suite on page 52
! Planning Data Integration on page 52
! Developing Data Integrators on page 52
! Configuring Data Integrators on page 53
! Executing Data Integration on page 58
! Examples of Data Integrators on page 59
Overview
The SDX software uses data that complies with the SDX LDAP schema and that is
stored in one of the supported directories. Service providers, however, may store
data that they want to use for the SDX software in another storage medium, such as
a database. You can develop data integrators that read your data from a storage
medium, and write the data to a directory for use with the SDX software. A typical
use of a data integrator is to read information about VPNs from your company’s
proprietary database and to write the data to a directory for use with the SDX
software.
The data integration suite comprises a set of processors that perform different data
management tasks. You can use combinations of these processors to achieve the
data integration that you require. The processors use XML documents to perform
the data transfer. There are three types of processors:
! Readers, which read data from a storage medium and write the data to an XML
document.
! XSLT transformers, which convert an XML document into a different XML
document that another processor can use.
! Writers, which read data from an XML document in memory and write data to
a storage medium.
Table 7 lists the processors, their functions, and associated DTDs. You can see the
associated DTDs on the SDX software CD in SDK\dtd\dataint.
Table 7: Processors for Data Managers
Processor: Database Reader
Function: Reads data from a database and writes the data to an XML document.
Associated DTDs: This processor does not have an associated DTD. Instead, it uses a DTD scheme with tags that correspond to the attribute names in the SQL queries that you write.
Processor: LDAP Reader
Function: Reads data from an LDAP-compliant directory and writes the data to an XML document.
Associated DTDs: This processor uses two DTDs:
! The input DTD, LDAPReader_input.dtd, describes a query to a directory.
! The output DTD, LDAPReader_output.dtd, describes the result of a query to the directory.
Processor: XML File Reader
Function: Reads data from an XML document and passes the data to the next processor.
Associated DTDs: None
Processor: Enterprise Audit File Reader
Function: Reads data from the EASP audit plug-in log and writes the data to an XML document with a DTD specific to the enterprise audit plug-in log.
Associated DTDs: This processor uses the DTD EntAuditFileReader_output.dtd, which describes the result of a query to an enterprise audit log.
Processor: XML File Writer
Function: Reads data from an XML document, writes the data to an external XML document, and returns the original XML document. Use this processor to create external XML documents of data either for record-keeping purposes or for troubleshooting the data integration.
Associated DTDs: None
Processor: XSLT Translator
Function: Takes the XML document it receives from the preceding processor and writes it to an XML document that another processor can read. For this processor, you must customize an XSLT file that maps the input XML document to the output XML document.
Associated DTDs: None
Processor: LDAP Writer
Function: Reads data from an XML document and writes the data to an LDAP directory.
Associated DTDs: This processor uses the DTD LDAPWriter_input.dtd, which describes a set of directory updates.
Figure 6 illustrates how you can use a combination of the processors to transfer
data from your database to a directory that contains SDX data. For more detailed
examples, see Examples of Data Integrators on page 59.
Figure 6: Transferring Data from a Database to the SDX Directory
[Figure: the DB reader gets data from the customer database and writes an XML document; the XML file writer reads that document and writes an external XML document (records for archiving and troubleshooting); the XSLT translator reads the XML document, converts the data, and writes a new XML document; the LDAP writer reads that document and saves the data to the SDX directory.]
Getting Help with Data Integration
Planning data integration and developing data integrators are tasks that should be
undertaken by developers with knowledge of XML, XSLT, databases, and directories.
For assistance with these tasks, consult Juniper Networks Professional Services.
Installing the Data Integration Suite
For information about installing the data integration suite, see SDX Software Basics
Guide, Chapter 5, Installing the SDX-300 Software. After you have installed the data
integration package, copy the Java Database Connectivity (JDBC) drivers for any
databases from which you will extract data to the folder /opt/UMC/datint/lib/.
Planning Data Integration
Before you develop data integrators, you should create a plan for the data
integration. To do so:
1. Determine the data that you want to transfer, the sources of the data, and the
type of transfer you want to perform.
For example, you might want to transfer data about subscribers, networks, and
VPNs from your database to the SDX directory. You might also want to create
XML documents of the original data that you can use for troubleshooting as you
create the data manager.
2. Determine how to divide the transfer process into smaller data transfers that
limit the size of the query result and minimize the time that the LDAP Writer
spends interacting with the directory.
For example, you might create three data integrators, each of which manages
data for one of the following areas:
! Subscribers
! Network
! VPNs
3. Identify the processors that you need to perform the data transfer, and the
properties that you will use for each processor.
For a detailed description of each processor and its properties, see the online
documentation on the SDX software CD in SDK/doc/datint.
Developing Data Integrators
To develop a data integrator:
1. For each XSLT transformer that you use, create an XSLT file that maps the
structure of the input XML document to an output XML document that the next
processor in the chain can read.
You can view examples of XSLT files in the folder /opt/UMC/datint/xslt. For more
information about these examples, see Examples of Data Integrators on page 59.
2. If you are using the Database Reader processor, write an SQL query that the
processor uses to obtain information from the database.
3. Create a property file that defines the properties for the data integrator (see
Configuring Data Integrators on page 53).
4. Create a script that calls the data integrator.
5. (Optional) Configure a utility, such as a crontab file, to run this script at a
defined time.
The script or crontab file can run the data integrator either once with a single
property file or multiple times with different property files. For an example of a
script that calls a data integrator, see the file vpndatamgt in /opt/UMC/datint/etc.
Configuring Data Integrators
To configure a data integrator, you must create a property file that contains specific
properties for the overall data transfer and for the individual data processors. When
you create a property file, you must:
1. Define logging properties (see Defining Logging Properties on page 53).
2. Define properties for the individual processors (see Defining Properties for the
Individual Processors on page 53).
3. Define the order in which the processors are called (see Defining the Order of
Processors on page 58).
Defining Logging Properties
You define logging properties by using the standard property names and values for
SDX logging. Define the logging properties by using the following format:
Logger..=
! —Name of group for this log
! —Name of property
! —Value of property
For detailed information about configuring SDX logging properties, see SDX
Components Guide, Vol. 1, Chapter 11, Configuring Logging.
Defining Properties for the Individual Processors
The properties that you must or can configure depend on the particular processor.
You define properties by using the following format:
Processor..=
! —Name of processor that you define; each processor in a
property file must have a unique name
! —Name of property; may comprise several text strings
separated by dots
! —Value of property
The following sections describe how to define properties for each processor. For
detailed information about each processor, see the online documentation on the
SDX software CD in SDK/doc/dataint.
Database Reader
You must define the following properties for this processor:
! Class of the processor
! Data that you want to read from the database
Processor.dbreader.dbQuery=SELECT
! —SQL query that summarizes and processes data from the
database
! Class of the JDBC driver
Processor.dbreader.driverClass=
! —Class of JDBC driver
! URL of the database
Processor.dbreader.dbURL=
! —URL of the database
! Username and password for logging into the database
Processor.dbreader.user=
Processor.dbreader.password=
! —Username that the database uses to authenticate the
processor
! —Password that the database uses to authenticate the
processor
! Output format, Document Object Model (DOM) for the query result
Processor.dbreader.out=dom
! Inclusion of data in the XML document that the processor returns
Processor.dbreader.genData=true
You can also define optional properties about the database from which this
processor reads data. For information about optional properties for this processor,
see the online documentation on the SDX software CD in SDK/doc/datint.
Example
# Database Reader
Processor.dbreader.class=net.juniper.smgt.ent.datamgt.reader.DBReader
Processor.dbreader.driverClass=org.gjt.mm.mysql.Driver
Processor.dbreader.dbURL=jdbc:mysql://127.0.0.1:3306/vpn
Processor.dbreader.user=admin
Processor.dbreader.password=secret
Processor.dbreader.genData=true
Processor.dbreader.out=dom
# The SQL query
Processor.dbreader.dbQuery=SELECT vpn_ownership.vpn_id, \
vpn_ownership.vpn_owner, vpn_sites.router_name, vpn_sites.interface_name \
FROM vpn_ownership, vpn_sites WHERE vpn_ownership.vpn_id=vpn_sites.vpn_id
# XML element names
Processor.dbreader.elname.database=database
#Processor.dbreader.elname.record=record
LDAP Reader
This processor obtains the query it performs as an XML document from the
previous processor in the chain, and you do not need to define the query. You must,
however, define the following properties for this processor:
! Name of the class of the processor
! DES properties in the format
Processor..=
! —Name of processor that you define; each processor
in the same property file must have a unique name
! —Name of the DES property
! —Value of the DES property
For information about DES properties and values, see SDX Components Guide,
Vol. 1, Chapter 12, Configuring the Directory Eventing System.
! Any optional properties that you require
For information about optional properties for this processor, see the online
documentation on the SDX software CD in SDK/doc/dataint.
Example
Processor.ldapreader.class=net.juniper.smgt.ent.datamgt.reader.LDAPReader
Processor.ldapreader.java.naming.provider.url = ldap://127.0.0.1/
Processor.ldapreader.java.naming.security.principal = cn=umcadmin,o=umc
Processor.ldapreader.java.naming.security.credentials = admin123
Processor.ldapreader.continuous=true
XML File Reader
You must define the following properties for this processor:
! Name of the class of the processor
! In the following format, the XML document from which this processor reads
data:
Processor..XMLFileName=
! —Name of processor that you define; each processor
in the same property file must have a unique name
! —Path to XML document relative to the folder /opt/UMC/datint
Example
Processor.xmlfilereader.class=net.juniper.smgt.ent.datamgt.reader.XMLFileReader
Processor.xmlfilereader.XMLFileName=var/log/dbout.xml
Enterprise Audit File Reader
You must define the following properties for this processor:
! Name of the class of the processor
! In the following format, the log file from which this processor reads data:
Processor..auditFileName=
! —Name of processor that you define; each processor
in the same property file must have a unique name
! —Path to XML document relative to the folder /opt/UMC/datint
! Any optional properties that you require
For information about optional properties for this processor, see the online
documentation on the SDX software CD in SDK/doc/dataint.
Example
Processor.auditfilereader.class=net.juniper.smgt.ent.datamgt.reader.EntAuditFileReader
Processor.auditfilereader.auditFileName=ent_audit.log
Processor.auditfilereader.filter=(Action=Unexport-VPN)
XML File Writer
You must define the following properties for this processor:
! Name of the class of the processor
! In the following format, the XML document to which the processor writes data:
Processor.xmlfilewriter.XMLFileName=
! —Path to XML document relative to the folder /opt/UMC/datint
Example
Processor.xmlfilewriter.class=net.juniper.smgt.ent.datamgt.filter.XMLFileWriter
Processor.xmlfilewriter.XMLFileName=var/log/ldapout.xml
XSLT Translator
You must define the following properties for this processor:
! Name of the class of the processor
! In the following format, the XSLT file that the processor uses
Processor..XSLTFileName=
! —Name of the XSLT translator
! —Path to XSLT file relative to the folder /opt/UMC/datint
Example
Processor.toabstract.class=net.juniper.smgt.ent.datamgt.filter.XSLTTranslator
Processor.toabstract.XSLTFileName=xslt/vpn.xslt
LDAP Writer
You must define the following properties for this processor:
! Name of the class of the processor
! DES properties in the format
Processor.ldapwriter.=
! —Name of the DES property
! —Value of the DES property
For information about DES properties and values, see SDX Components Guide,
Vol. 1, Chapter 12, Configuring the Directory Eventing System.
! Any optional properties that you require
For information about optional properties for this processor, see the online
documentation on the SDX software CD in SDK/doc/dataint.
Example
Processor.ldapwriter.class=net.juniper.smgt.ent.datamgt.filter.LDAPWriter
Processor.ldapwriter.java.naming.provider.url = ldap://127.0.0.1/
Processor.ldapwriter.java.naming.security.principal = cn=umcadmin,o=umc
Processor.ldapwriter.java.naming.security.credentials = admin123
Processor.ldapwriter.updateRateLimit=3
Processor.ldapwriter.continuous=true
The bind password in java.naming.security.credentials is stored in clear text, and the principal in this example is a directory administrator. Restrict read access to the property file to the account that runs the data integrator, and prefer a bind DN whose rights are limited to the entries the integrator must update.
Defining the Order of Processors
To define the order in which the processors are executed, enter one statement in
the following format, listing the processor names in execution order, separated by commas:
Processor.chain=
For example:
Processor.chain=dbreader,toldap,xmlfilewriter,ldapwriter
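The chain and the per-processor properties above are only checked when the integrator runs, so a misspelled name or a missing file property fails at that point, possibly from cron with nobody watching. The following Python script is an added example (it is not part of the SDX data integration suite) that checks a property file up front: it parses the Java-style properties, confirms that every name in Processor.chain has a class and the properties this chapter lists as mandatory for that class, reports duplicate keys (the last value silently wins), and flags a clear-text java.naming.security.credentials value so the file's permissions can be tightened. The mandatory property assumed for the LDAP Writer (a provider URL) is this example's assumption, since the chapter only says "DES properties", and both property files embedded below are constructed.

```python
"""Check a data-integrator property file before running it (added example)."""
import re
from typing import Dict, List, Tuple

# Mandatory properties per processor class, as listed in this chapter.
# The LDAP Writer entry is an assumption of this example: a provider URL is
# the least it can work without.
REQUIRED: Dict[str, set] = {
    "net.juniper.smgt.ent.datamgt.reader.EntAuditFileReader": {"auditFileName"},
    "net.juniper.smgt.ent.datamgt.filter.XMLFileWriter": {"XMLFileName"},
    "net.juniper.smgt.ent.datamgt.filter.XSLTTranslator": {"XSLTFileName"},
    "net.juniper.smgt.ent.datamgt.filter.LDAPWriter": {"java.naming.provider.url"},
}


def parse_properties(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse 'key=value' lines. '#' and '!' start comments, as in Java property
    files; whitespace around '=' is ignored. Only the '=' separator is handled
    and line continuations are not. Returns (properties, duplicate keys)."""
    props: Dict[str, str] = {}
    duplicates: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in props:
            duplicates.append(key)
        props[key] = value
    return props, duplicates


def validate(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severity is 'error' or 'warn'."""
    props, duplicates = parse_properties(text)
    findings = [("error", f"duplicate key {k}; the last value silently wins")
                for k in duplicates]
    chain = [n.strip() for n in props.get("Processor.chain", "").split(",") if n.strip()]
    if not chain:
        findings.append(("error", "Processor.chain is missing or empty"))
    defined = set()
    for key in props:
        m = re.match(r"Processor\.([^.]+)\.class$", key)
        if m:
            defined.add(m.group(1))
    for name in chain:
        cls = props.get(f"Processor.{name}.class")
        if not cls:
            findings.append(("error", f"{name} is in Processor.chain but has no class property"))
            continue
        if cls not in REQUIRED:
            findings.append(("warn", f"{name}: class {cls} is not in the table; properties not checked"))
        for prop in sorted(REQUIRED.get(cls, ())):
            if not props.get(f"Processor.{name}.{prop}"):
                findings.append(("error", f"{name} ({cls.rsplit('.', 1)[-1]}) lacks required property {prop}"))
    for name in sorted(defined - set(chain)):
        findings.append(("warn", f"{name} is defined but not in Processor.chain"))
    for key, value in props.items():
        if key.endswith(".java.naming.security.credentials") and value:
            findings.append(("warn", f"{key.split('.')[1]} stores its bind password in clear text; "
                                     "restrict the property file to the account that runs the integrator"))
    return findings


def errors(text: str) -> List[str]:
    """Only the findings that would make the integrator fail or misbehave."""
    return [msg for sev, msg in validate(text) if sev == "error"]


# Constructed sample: three processors from this chapter in one chain.
GOOD = """\
! constructed for this example
Processor.auditfilereader.class=net.juniper.smgt.ent.datamgt.reader.EntAuditFileReader
Processor.auditfilereader.auditFileName=ent_audit.log
Processor.auditfilereader.filter=(Action=Unexport-VPN)
Processor.toabstract.class=net.juniper.smgt.ent.datamgt.filter.XSLTTranslator
Processor.toabstract.XSLTFileName=xslt/vpn.xslt
Processor.ldapwriter.class=net.juniper.smgt.ent.datamgt.filter.LDAPWriter
Processor.ldapwriter.java.naming.provider.url = ldap://127.0.0.1/
Processor.ldapwriter.java.naming.security.principal = cn=umcadmin,o=umc
Processor.ldapwriter.java.naming.security.credentials = admin123
Processor.chain=auditfilereader,toabstract,ldapwriter
"""

# Constructed sample with a duplicate key, a translator without its XSLT file,
# and a chain entry (xsltfilter) that no processor defines.
BAD = """\
Processor.auditfilereader.class=net.juniper.smgt.ent.datamgt.reader.EntAuditFileReader
Processor.auditfilereader.auditFileName=ent_audit.log
Processor.toabstract.class=net.juniper.smgt.ent.datamgt.filter.XSLTTranslator
Processor.xmlfilewriter.class=net.juniper.smgt.ent.datamgt.filter.XMLFileWriter
Processor.xmlfilewriter.XMLFileName=var/log/ldapout.xml
Processor.xmlfilewriter.XMLFileName=var/log/other.xml
Processor.chain=auditfilereader,toabstract,xsltfilter,xmlfilewriter
"""

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        for severity, message in validate(sample):
            print(severity, message)
```

Run it against /opt/UMC/datint/etc/*.properties before the crontab entry ever fires; anything reported as error would stop the chain, and the warning about clear-text credentials is the cue to check the file mode.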
Executing Data Integration
To execute data integration, run the script that calls the property files, or configure a
utility, such as a crontab file, to run this script at a defined time.
Examples of Data Integrators
After you install the data integration suite, you can access two data integrators that
we have developed:
! VPN Directory Updater
! VPN Subscription Deactivator
The following sections describe each of these data integrators. You can also
examine the following files to see how these data integrators were developed.
! Property files in /opt/UMC/datint/etc
! XSLT files in /opt/UMC/datint/xslt
! The script vpndatamgt in /opt/UMC/datint/etc, which calls both these data
integrators
VPN Directory Updater
VPN Directory Updater is a sample data integrator that reads data about VPNs from
a database and writes to a directory the data in a format that meets the SDX LDAP
schema. If you want to use VPN Directory Updater, you must customize it for your
specific application. At the very least, you need to customize the SQL queries for
your database.
VPN Directory Updater works as follows:
1. Database Reader submits SQL queries to a database, obtains the result of the
query and converts the result to an XML document.
2. XSLT Translator takes the XML document produced by Database Reader and
converts it to an XML document that describes a set of directory updates.
3. LDAP Writer uses the XML document generated by XSLT Translator to update
the directory.
Figure 7 illustrates this process.
Figure 7: VPN Directory Updater Operation
[Figure: Customer database, read by the DB reader, which writes an XML document; the XSLT translator reads that document and writes a second XML document; the LDAP writer reads it and writes to the SDX directory]
VPN Subscription Deactivator
If an IT manager cancels the export of a VPN at the same time that an extranet
client activates a subscription to this VPN, there is a remote possibility that the
Enterprise Manager portal will maintain the active, but invalid, subscription. VPN
Subscription Deactivator deactivates this type of invalid VPN subscription.
You can use VPN Subscription Deactivator without modifications. For information
on using this data integrator, see SDX Objects Guide, Chapter 3, VPNs.
VPN Subscription Deactivator works as follows:
1. Enterprise Audit File Reader finds events of type unexport-vpn in the log for the
Enterprise Audit Plug-In and converts the events to an XML document.
2. The XSLT Translator tovpnsubquery performs the following actions:
a. Reads the XML document from the Enterprise Audit File Reader, and uses it
to identify extranet clients for whom export of a VPN was cancelled.
b. Uses the XSLT file tovpnsubquery.xslt to generate LDAP queries to obtain
subscriptions, imported extranets, and VPNs owned for these extranet
clients.
c. Writes the queries to an XML document.
3. LDAP Reader performs the following actions:
a. Reads the XML document from the XSLT Translator tovpnsubquery.
b. Submits the queries to the directory.
c. Obtains the results of the queries from the directory.
d. Writes the results to an XML document.
4. The XSLT Translator chkghostvpnsub performs the following actions:
a. Reads the XML document from the LDAP Reader.
b. Uses the XSLT file chkghostvpnsub.xslt to find in the XML document VPN
subscriptions that are still active even though the export of the VPN has
been cancelled.
c. Generates an XML document that contains LDAP updates to deactivate the
invalid subscriptions.
5. LDAP Writer uses the XML document generated by the XSLT Translator
chkghostvpnsub to update the directory.
Figure 8 illustrates this process.
Figure 8: VPN Subscription Deactivator Operation
[Figure: EASP audit plug-in log, read by the Enterprise audit file reader, which writes an XML document; tovpnsubquery (XSLT translator) reads it and writes an XML document of queries; the LDAP reader reads the queries, submits them to the SDX directory, receives the responses and writes an XML document; chkghostvpnsub (XSLT translator) reads it and writes an XML document of updates; the LDAP writer reads the updates and writes to the SDX directory]
Chapter 7
Backing Up the Directory
You can manually back up and restore the database for any directory you have
installed. The following procedures describe how to do this for OpenLDAP directory
server, DirX directory server, and Sun ONE directory server.
For information about migrating a directory database to another host, see SDX
Software Basics Guide, Chapter 13, Migrating Directory Data.
This chapter contains the following sections:
! Backing Up the OpenLDAP Database on page 63
! Restoring the OpenLDAP Database on page 64
! Backing Up the DirX Database on page 64
! Restoring the DirX Directory Database on page 65
! Backing Up the Sun ONE Database on page 65
! Restoring the Sun ONE Database on page 65
Backing Up the OpenLDAP Database
To back up the OpenLDAP database:
1. Log in as root.
2. Stop the OpenLDAP server.
/opt/UMC/openldap/etc/ldap stop
3. Archive the database.
tar cfv /tmp/openldapdb.tar /opt/UMC/openldap/var/openldap-ldbm/
where openldapdb.tar is the filename of the archive to be stored in the /tmp
directory. The archive contains the complete directory contents, including
every userPassword value and the bind entries of the SDX components, so
create it with a restrictive umask (for example, run umask 077 before tar)
and move it out of the world-readable /tmp directory to backup storage as
soon as it is written.
4. Start the OpenLDAP server by executing the following command:
/opt/UMC/openldap/etc/ldap start
Restoring the OpenLDAP Database
To restore the OpenLDAP database:
1. Log in as root.
2. Stop the OpenLDAP server.
/opt/UMC/openldap/etc/ldap stop
3. Extract the archive by executing the following command:
tar xfv /tmp/openldapdb.tar
4. Start the OpenLDAP server by executing the following command:
/opt/UMC/openldap/etc/ldap start
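The two procedures above are three commands each, and the places they go wrong are the ones the commands do not cover: the server is left stopped when tar fails, the archive is readable by everyone in /tmp, and nobody reads it back before trusting it. The following Python module is an added example, not part of the SDX software, that wraps the same stop, archive, start sequence with those checks. The control-script path and database directory are the ones named in this chapter; the script is invoked through a callable so that demo() can record the stop/start calls on a temporary directory of constructed files instead of touching a real server.

```python
"""Back up and restore the OpenLDAP database directory (added example)."""
import os
import shutil
import subprocess
import tarfile
import tempfile
from typing import Callable, Dict, List

LDAP_CTL = "/opt/UMC/openldap/etc/ldap"          # control script named in this chapter
DB_DIR = "/opt/UMC/openldap/var/openldap-ldbm"   # database directory named in this chapter


def run_ldap_ctl(action: str) -> None:
    """Run '/opt/UMC/openldap/etc/ldap stop' or '... start'; a non-zero exit aborts."""
    subprocess.run([LDAP_CTL, action], check=True)


def _expected_files(db_dir: str) -> Dict[str, int]:
    """Map archive member name -> size for every regular file under db_dir."""
    base = os.path.basename(db_dir.rstrip("/"))
    expected: Dict[str, int] = {}
    for root, _dirs, files in os.walk(db_dir):
        for name in files:
            full = os.path.join(root, name)
            expected[os.path.join(base, os.path.relpath(full, db_dir))] = os.path.getsize(full)
    return expected


def verify_archive(db_dir: str, archive: str) -> List[str]:
    """Read the archive back; every file on disk must be in it with the same size.
    Returns the sorted member names."""
    with tarfile.open(archive, "r") as tar:
        members = {m.name: m.size for m in tar.getmembers() if m.isfile()}
    bad = [p for p, size in _expected_files(db_dir).items() if members.get(p) != size]
    if bad:
        raise RuntimeError(f"archive does not match database: {bad}")
    return sorted(members)


def backup_openldap(db_dir: str = DB_DIR, archive: str = "/tmp/openldapdb.tar",
                    control: Callable[[str], None] = run_ldap_ctl) -> List[str]:
    """Stop slapd, archive db_dir (mode 0600, relative paths), restart slapd, verify."""
    if not os.path.isdir(db_dir):
        raise FileNotFoundError(db_dir)
    old_umask = os.umask(0o077)      # the archive holds every userPassword value
    control("stop")
    try:
        with tarfile.open(archive, "w") as tar:
            tar.add(db_dir, arcname=os.path.basename(db_dir.rstrip("/")))
    finally:
        control("start")             # restart even if the archive step failed
        os.umask(old_umask)
    os.chmod(archive, 0o600)
    return verify_archive(db_dir, archive)


def restore_openldap(db_dir: str = DB_DIR, archive: str = "/tmp/openldapdb.tar",
                     control: Callable[[str], None] = run_ldap_ctl) -> List[str]:
    """Stop slapd, unpack the archive into db_dir's parent, restart slapd, verify."""
    if not tarfile.is_tarfile(archive):
        raise ValueError(f"{archive} is not a tar archive")
    parent = os.path.dirname(os.path.abspath(db_dir.rstrip("/")))
    control("stop")
    try:
        with tarfile.open(archive, "r") as tar:
            # The 'data' filter (Python 3.12+) refuses absolute paths and links outside parent.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(parent, **extra)
    finally:
        control("start")
    return verify_archive(db_dir, archive)


def demo() -> Dict[str, object]:
    """Back up, delete and restore a temporary directory of constructed files,
    recording control-script calls instead of running the real script."""
    tmp = tempfile.mkdtemp()
    db = os.path.join(tmp, "openldap-ldbm")
    os.makedirs(os.path.join(db, "sub"))
    with open(os.path.join(db, "id2entry.dbb"), "wb") as f:
        f.write(b"x" * 100)          # constructed stand-in for a database file
    with open(os.path.join(db, "sub", "dn2id.dbb"), "wb") as f:
        f.write(b"y" * 5)
    archive = os.path.join(tmp, "openldapdb.tar")
    calls: List[str] = []
    members = backup_openldap(db, archive, control=calls.append)
    mode = os.stat(archive).st_mode & 0o777
    shutil.rmtree(db)                # simulate loss of the database
    restored = restore_openldap(db, archive, control=calls.append)
    with open(os.path.join(db, "id2entry.dbb"), "rb") as f:
        intact = f.read() == b"x" * 100
    shutil.rmtree(tmp)
    return {"calls": calls, "members": members, "mode": mode,
            "restored": restored, "intact": intact}


if __name__ == "__main__":
    print(demo())
```

Calling backup_openldap() with no arguments uses the chapter's paths and the real control script and must run as root, as the procedure says; the archive is written with members relative to the parent of the database directory, so restore_openldap() does not depend on the tar implementation's handling of absolute paths.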
Backing Up the DirX Database
To back up the DirX database:
1. Log in as user dirx, and access the customize subdirectory.
cd customize
2. Archive the database.
dirxadm
dirxadm> source bind.tcl
dirxadm> save -file /tmp/dirxdb
Restoring the DirX Directory Database
To restore the DirX database:
1. Verify that the DirX server is running. See your DirX documentation for details.
2. Restore the archive.
dirxadm
dirxadm> source bind.tcl
dirxadm> restore -file /tmp/dirxdb
Backing Up the Sun ONE Database
To back up the Sun ONE (formerly iPlanet) database:
1. Log in as root.
2. Access the database folder.
cd /opt/UMC/iDS/slapd-sdx
3. Back up the database.
./db2bak
This script makes a copy of the database and stores it in the following location:
/opt/UMC/iDS/slapd-sdx/bak/YYYY_MM_DD_HHMMSS
The backup directory identifies the date (YYYY_MM_DD) and time (HHMMSS)
when the backup was created.
Restoring the Sun ONE Database
To restore the Sun ONE database:
1. Log in as root.
2. Access the database folder.
cd /opt/UMC/iDS/slapd-sdx
3. Verify that the Sun ONE Directory Server is shut down. If it is not, shut it down.
./stop-slapd
4. Make sure you know the exact backup directory.
5. Run the bak2db script by typing:
./bak2db /opt/UMC/iDS/slapd-sdx/bak/YYYY_MM_DD_HHMMSS
where YYYY_MM_DD_HHMMSS identify the date and time when the database
backup was created.
6. Start the Sun ONE server.
./start-slapd
Chapter 8
Access Control Scheme
Each of the SDX components has an entry in the directory under
ou=components,o=operators,o=umc. Service providers can set up a multilayered
access control scheme for operators. For instance, a network operator might be able
to write new objects only under the folder o=network. The operator entries are
subordinates of o=operators,o=umc. This chapter contains the following sections:
! Directory Configuration on page 67
! Directories on page 68
! User Class on page 68
! Permissions on page 68
! Access Controls on page 69
! Directory-Specific Access Control Implementation on page 79
Directory Configuration
During configuration of the directory, the following entries for components and
operators are created:
! bind-DN for SSP: cn=ssp,ou=components,o=operators,o=umc
! bind-DN for RADIUS: cn=radius,ou=components,o=operators,o=umc
! bind-DN for POM: cn=pom,ou=components,o=operators,o=umc
! bind-DN for directory eventing: cn=des,ou=components,o=operators,o=umc
! bind-DN for workflow: cn=workflow,ou=components,o=operators,o=umc
! bind-DN for object state machine: cn=osm,ou=components,o=operators,
o=umc
! bind-DN for system management: cn=sysman,ou=components,o=operators,
o=umc
! bind-DN for SDX operators: cn=ssc-operator,o=operators,o=umc
! bind-DN for network operators: cn=network-operators,o=operators,o=umc
! bind-DN for service operators: cn=service-operator,o=operators,o=umc
! bind-DN for subscriber operators: cn=subscriber-operator,o=operators, o=umc
Directories
Access control lists specify which users receive access rights to particular
information in the directory; users not named in a list receive no rights to
that information. Using access control lists, permissions can be defined for the
following targets:
! Entire directory content
! Particular subtree in the directory
! Objects that match a given search filter
! Specific object in the directory
The objects that are part of the target can be protected on an entry level and on an
attribute level.
User Class
Each access control list specifies the user class to which its permissions apply.
The user class can be one of the following:
! Specific user
! Members of a specific group
! All entries of a subtree
! Users that match a given search filter
! All users
! This entry (for self-administration)
Permissions
Permissions must be set for the target. The following permissions are available:
! Add
! Search
! Compare
! Filter match
! Modify (write)
! Read
! Remove (delete)
! Rename
These permissions can be granted or denied. Deny takes precedence over grant.
Access Controls
Access Controls for the Entire Tree
A client that accesses the directory without binding to it has no access rights.
All clients that bind with the credentials of an SDX component or an operator are
members of the SSC-Component-Operator group and by default have the following
access rights:
! No access to the subtree o=Operators,o=umc
! Read access to the remaining directory tree, including the operational attributes
creationTimeStamp and modifyTimeStamp
! No read and no compare rights for any userPassword value
Clients that bind with the Apache DN or as a member of the Web-Admin group have
read and search permissions in the subtree o=Operators,o=umc:
! Read access to all user attributes
! No read and no filter-match permission for the attribute userPassword
Members of that group are allowed to administer the SAE through the SAE Web
Administration pages.
The members of the SSC-Admin group and the super administrator have full access
rights to the entire tree.
Figure 9: Access Rights for the UMC Tree
[Figure: o=UMC: full access rights for members of group SSC-Admin and the super administrator; read rights, including timestamps, and no access to userPassword for members of group SSC-Component-Operator. o=Operators: read rights, no access to userPassword, for members of group Web-Admin]
Access Controls Against Objects of Type cachedAuthenticationProfile and umcConfiguration
The SAE binds as cn=ssp,ou=components,o=operators,o=umc against the directory
and needs full access rights for entries of the object classes
cachedAuthenticationProfile and umcConfiguration.
In OpenLDAP it is easier to implement these rights by targeting the two subtrees
that hold the cached entries (o=AuthCache,o=umc and o=UserProfilesCache,o=umc)
than by filtering on object class.
Figure 10: Access Rights Against cachedAuthenticationProfile and umcConfiguration Objects
[Figure: o=UMC; filtering on umcConfiguration: full rights; filtering on cachedAuthenticationProfile: full rights]
Access Controls Against sspServiceProfile
In addition to the previously discussed access rights, the SSP requires full access
to objects of type sspServiceProfile.
Figure 11: Access Controls Against sspServiceProfiles in the User Subtree
[Figure: o=UMC, o=Users; filtering on sspServiceProfile: full rights]
Access Controls Against umcRadiusPerson and umcUser
The SSP requires read access to the userPassword attribute of entries of type
umcRadiusPerson and umcUser.
Figure 12: Access Rights Against umcRadiusPerson and umcUser
[Figure: o=UMC, o=Users; filtering on umcRadiusPerson: read and compare rights for userPassword; filtering on umcUser: read and compare rights for userPassword]
Access Controls Against RADIUS Profiles
RADIUS requires read access to the userPassword attribute of umcRadiusPerson
entries to authenticate subscriber requests, and of umcOutsourcingServiceProfile
entries to determine the tunnel parameters for an L2TP outsourcing scenario. The
RADIUS server binds with the credentials of cn=radius,ou=components,o=operators,o=umc.
Figure 13: Access Rights Against umcRadiusPerson and umcOutsourcingServiceProfile Objects
[Figure: o=UMC, o=Users; filtering on umcRadiusPerson: read and compare rights for userPassword; filtering on umcOutsourcingServiceProfile: read and compare rights for userPassword]
Access Controls Against the Policy Subtree
The policy management component (POM) binds with the credentials of
cn=pom,ou=components,o=operators,o=umc and needs to perform add, delete, and
modify operations on all policy and policyFolder objects in the o=Policies,o=umc
subtree.
Figure 14: Policy Rights Against All Objects in the o=Policies,o=umc Tree
[Figure: o=UMC, o=Policies; entire subtree: full rights]
Access Controls Against the Parameter Subtree
POM also needs to perform add, delete, and modify operations on all objects in the
o=Parameters,o=umc subtree.
Figure 15: Access Rights Against All Objects in the Tree o=Parameters,o=umc
[Figure: o=UMC, o=Parameters; entire subtree: full rights]
Access Controls for System Management
The system management component binds as cn=sysman,ou=components,o=operators,o=umc
and requires full access rights for the subtree
ou=SystemManagement,ou=Configuration,o=Management,o=umc.
Figure 16: Access Rights for System Management
[Figure: o=Management, ou=Configuration, ou=SystemManagement; entire subtree: full rights]
Access Controls Against the Lock Subtree
The object state manager component (OSM) binds against the directory with the
credentials of cn=osm,ou=components,o=operators,o=umc and requires full access
rights to the subtree o=Locks,o=umc.
Figure 17: Access Rights Against the Entire o=Locks,o=umc Subtree
[Figure: o=UMC, o=Locks; entire subtree: full rights]
Access Controls Against Subscriber, Retailer, and Service Profiles
The workflow component needs to flag objects that are in a transactional state.
Such an object can be any umcSubscriber, umcRetailer, or umcServiceProfile. The
component must have modify rights on those target objects, that is, write access
to all attributes that belong to the auxiliary class transactionalObjectAuxClass
and to the attribute objectClass. The workflow component binds against the
directory with the credentials of cn=workflow,ou=components,o=operators,o=umc.
Figure 18: Access Rights Against umcSubscriber, umcRetailer and umcServiceProfile Objects
[Figure: o=UMC; filtering on umcRetailer, umcSubscriber and umcServiceProfile: modify rights on objectClass and on the attributes of transactionalObjectAuxClass]
Access Controls Against the Network Subtree
The network operator is allowed to administer only objects within the subtree
o=Network,o=umc and binds against the directory with the credentials of
cn=network-operator,o=operators,o=umc.
Figure 19: Access Rights Against the Entire o=Network,o=umc Subtree
[Figure: o=UMC, o=Network; entire subtree: full rights]
Access Controls Against Service and Mutex Group Objects
The service operator requires full access rights for umcService objects and for
umcMutexGroup objects. These objects are subordinates of the entries
o=Services,o=umc and o=Scopes,o=umc. The service operator binds against the
directory with the DN cn=service-operator,o=operators,o=umc.
Figure 20: Access Rights Against umcService and umcMutexGroup Objects
[Figure: o=UMC; filtering on umcService: full rights; filtering on umcMutexGroup: full rights]
Access Controls Against the Workflow Subtree
Workflow operators manage all workflow objects within the subtree
o=Workflows,o=umc and therefore require full access rights for that subtree.
These operators bind against the directory with the credentials of
cn=workflow-operator,o=operators,o=umc.
Figure 21: Access Rights Against the Entire o=Workflows,o=umc Subtree
[Figure: o=UMC, o=Workflows; entire subtree: full rights]
Access Controls Against the User Subtree
Subscriber operators are responsible for the entire o=Users,o=umc subtree and
require full access rights to it. The subscriber operator binds with the
credentials of the entry cn=subscriber-operator,o=operators,o=umc.
Figure 22: Access Rights Against the Entire o=Users,o=umc Subtree
[Figure: o=UMC, o=Users; entire subtree: full rights]
Access Controls Against Service, Policy, and Global Parameter Objects
All enterprise managers require read and search rights for objects of type
umcService, policy, and umcGlobalParameter. These managers bind against the
directory with their own credentials.
Figure 23: Access Rights Against umcService, Policy and umcGlobalParameter Objects
[Figure: o=UMC; filtering on umcService: read rights; filtering on policy: read rights; filtering on umcGlobalParameter: read rights]
Administrative Access Rights
SDX operators create an enterprise administrator for a particular enterprise as a
subordinate of the enterprise root. The DN of that administrator is a member of
the Administrators group. As a result, a client that binds against the directory
with the enterprise manager's credentials has full access rights for the entire
enterprise subtree. The enterprise administrator can create activation,
subscription, and substitution operators and add them as members of the
appropriate user groups. Figure 24 shows the access rights for administrators of
a particular enterprise. Figure 24 is also valid for site and access
administrators; only the root of the tree differs and might therefore be
siteName=Site X or accessName=Access xy.
An enterprise manager can also administer sites and accesses.
Figure 24: Access Rights for Enterprise (Site and Access) Administrators
[Figure: enterpriseName=Enterprise X (or siteName=Site X or accessName=Access xy); entire subtree: full rights for members of the user group cn=Administrators]
Activation Access Rights
Operators that are members of the user group cn=Activations need to be able to
change the attribute sspAction to activate or deactivate SSP services in an
enterprise, site, or access scope. Figure 25 shows these modify rights.
Figure 25: Modify Rights for Activation Managers
[Figure: enterpriseName=Enterprise X (or siteName=Site X or accessName=Access xy); entire subtree: modify rights on sspServiceProfile objects to manage the sspAction attribute, for members of the user group cn=Activations]
Subscription Access Rights
Subscription operators are members of the user group cn=Subscriptions and can
subscribe to and unsubscribe from SSP services in their specific scope (that is,
enterprise wide, site wide, or access wide). Subscribing and unsubscribing means
creating and deleting objects of type sspServiceProfile, so subscription
operators require full access rights to the objects shown in Figure 26.
Figure 26: Access Rights for Subscription Managers
[Figure: enterpriseName=Enterprise X (or siteName=Site X or accessName=Access xy); entire subtree: full rights on sspServiceProfile objects for members of the user group cn=Subscriptions]
Substitution Access Rights
Members of the user group cn=Substitutions have the access rights needed to
attach the auxiliary object class parameterAuxClass to objects in their scope and
to modify the attributes that belong to that auxiliary class.
Figure 27: Access Rights for Substitution Managers
[Figure: enterpriseName=Enterprise X (or siteName=Site X or accessName=Access xy); entire subtree: modify rights on objects to attach parameterAuxClass, and rights to administer its attributes, for members of the user group cn=Substitutions]
Common Access Rights for All Managers
All enterprise managers (that is, members of the previously mentioned user groups)
have the following common rights:
! Read access to the service subtree (o=Services,o=umc)
! Read access to the policy subtree (o=Policies,o=umc)
! Read access to the global parameter subtree (o=Parameters,o=umc)
! Read access to the scope of the manager, that is, enterprise-wide, site-wide,
or access-wide read access
! Modify rights to change the userPassword and description values of the
manager's own entry
Figure 28: Access Rights for All Managers
[Figure: o=UMC with o=Services, o=Policies and o=Parameters; enterpriseName=Enterprise X (or siteName=Site X or accessName=Access xy): entire subtree full rights; the manager's own entry: modify rights for userPassword and description]
Directory-Specific Access Control Implementation
All three supported directories (that is, DirX, OpenLDAP, and iPlanet) have complex
mechanisms for controlling access, depending on the user bound to the directory.
DirX stores the access control lists in subentries that conform to the X.500
standard. The access control subentries are created by using the DirX DAP client
dirxcp. In a shadowing scenario these access control subentries are replicated.
OpenLDAP defines the access control list statically in the LDAP server
configuration file umc.slapd.conf. In the case of replication, the access control
lists must be copied manually into the configuration file of the slave directory.
A slave whose configuration file does not contain these lists serves the
replicated data, including userPassword values, with only its default access
rules, so copying the lists is part of setting up the replica.
iPlanet/Netscape Directory 4.13 stores the access control lists in the directory
itself: it extends the standard object class top by the optional attribute aci,
which holds the access control information. This means that aci values can be
added through the LDAP protocol, and they are replicated to the slave directory.
DirX
DirX access control information is stored in subentries of the object classes
subentry and accessControlSubentry. These subentries include the target (that is,
what is controlled), the precedence (a higher precedence overrides a lower one),
and the access control information (that is, the prescriptive ACI), which
includes the user class (that is, who is affected by the control parameters) and
the permissions on entry and attribute level.
An access control subentry can contain many prescriptive ACIs, each with a list of
one or more items to be protected, such as entries and sets of operational or
user attributes.
The UMCdirxa package includes a Tcl file, acldefs.tcl, that defines the following
variables for the permissions:
! DAER—Deny read access on entry level
! AER—Grant read access on entry level
! AEM—Grant full access on entry level
! AEME—Grant modify access on entry level
! DAAR—Deny read access on attribute level
! AAR—Grant read rights on attribute level
! AAM—Grant modify rights on attribute level
The UMCdirxa package also includes the file access.cp, which sets the access
controls for the SDX software.
Figure 29 shows a Tcl script with an explanation of the various parts.
Figure 29: Creation of an Access Control Subentry Example in DirX
create /o=UMC/CN=SSP-AccessControl-Subentry \
  {OCL=SUBE;ACS} \
  {SS={SF={OR={ITEM=authProfile}; {ITEM=umcConf} } }} \
  PACI={ID=SSP: Full rights on Cached Profiles and Configuration; PR=254, \
        AL={BL={L=SIMPLE}}, \
        UF={UC={N={DN={/o=UMC/o=Operators/ou=Components/cn=ssp}}}, \
            UP={PI={E=TRUE},GAD=$AEM}; {PI={AUATV=TRUE},GAD=$AAM}} }
The parts of the script are:
1. create /o=UMC/CN=SSP-AccessControl-Subentry: DN of the subentry
2. SS={SF={OR=...}}: target (entire area)
3. ID=...: identifier(s) of the prescriptive ACI (one or more)
4. PR=254: precedence [0-255]
5. AL={BL={L=SIMPLE}}: authentication level, simple bind
6. UC={N={DN=.../cn=ssp}}: user class, the SSP component
7. PI={E=TRUE}: first protected items (all entries)
8. GAD=$AEM: grants and denials for all entries, full rights
9. PI={AUATV=TRUE}: second protected items (all user attributes)
10. GAD=$AAM: grants and denials for all user attributes, modify rights
OpenLDAP
The OpenLDAP access controls are configured in the LDAP server configuration file
umc.slapd.conf. Precedence is governed by the order of appearance in that file:
the first access directive whose target matches the entry is the one that
applies, and within that directive the first by clause that matches the bound
user determines the access level. OpenLDAP ignores the remaining directives and
by clauses, so a catch-all clause such as by users must come after the more
specific clauses that it would otherwise shadow. A directive can list many user
classes for one target.
NOTE: OpenLDAP requires write access to a parent to create a new entry.
Because of this requirement, OpenLDAP requires more than one access control
definition to implement the same access rights as in the DirX example.
Figure 30 shows an excerpt from umc.slapd.conf with an explanation of the various parts.
Continuation lines of a directive begin with whitespace.
Figure 30: Creation of an Access Control List Example in OpenLDAP
# allows SSP to access the AuthCache subtree
access to dn="o=AuthCache,o=umc"
        by dn="cn=umcAdmin,o=UMC" write
        by dn="cn=ssp,ou=components,o=operators,o=UMC" write
        by group/groupOfUniqueNames/uniqueMember="cn=SSC-Admin,o=Operators,o=UMC" write
        by users none
# allows SSP to write to the UserProfileCache subtree
access to dn="o=UserProfileCache,o=umc"
        by dn="cn=umcAdmin,o=UMC" write
        by dn="cn=ssp,ou=components,o=operators,o=UMC" write
        by group/groupOfUniqueNames/uniqueMember="cn=SSC-Admin,o=Operators,o=UMC" write
        by users none
# allows SSP to access the SSP configuration subtree
access to dn="ou=SSP,ou=Configuration,o=Management,o=UMC"
        by dn="cn=umcAdmin,o=UMC" write
        by dn="cn=ssp,ou=components,o=operators,o=UMC" write
        by group/groupOfUniqueNames/uniqueMember="cn=SSC-Components-Operators,o=Operators,o=UMC" read
        by users none
The parts of the first directive are:
1. access to dn="o=AuthCache,o=umc": target (the AuthCache subtree)
2. No attrs clause: all user attributes are implicitly included
3. write: grants write access, which includes the rights auth, compare, read, and search
4. The by clauses name the user classes, in order: umcAdmin, the SSP component, members of the SSC-Admin group, and finally every authenticated user (users), which is denied
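The first-match rule is what makes an OpenLDAP ACL file hard to verify by reading it. The following Python model is an added example, not part of the SDX software or of OpenLDAP: it parses directives in the form of Figure 30 and evaluates them as slapd does, selecting the first access directive whose target matches the entry and then the first by clause that matches the requester, with a requester that matches no clause getting nothing. It shows that the SSP DN gets write on the AuthCache subtree, that an unbound client and an ordinary authenticated user get nothing, that nothing in these directives covers an entry under o=Operators, and that moving a well-meant by users read catch-all above the specific clauses silently demotes the SSP to read. Simplifications and assumptions: only dn= targets (the bare pattern is matched as an unanchored, case-insensitive regular expression, which is how slapd treats an unstyled dn= pattern in a configuration of this form), no attrs=, no break/continue control, group membership supplied by the caller rather than looked up, and all requester DNs other than the ones in Figure 30 are constructed.

```python
"""Evaluate OpenLDAP slapd.conf access directives the way slapd does (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each includes the ones before


@dataclass
class Requester:
    dn: Optional[str]                               # None for a client that did not bind
    groups: Set[str] = field(default_factory=set)   # DNs of groups it is a member of


@dataclass
class Directive:
    target: str                                     # pattern applied to the entry DN
    by: List[Tuple[str, str, str]]                  # (kind, pattern, level) in file order


def parse_slapd_access(conf: str) -> List[Directive]:
    """Collect 'access to dn=... by ...' directives; continuation lines start with whitespace."""
    logical: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives: List[Directive] = []
    for line in logical:
        m = re.match(r'access\s+to\s+dn="([^"]+)"(.*)$', line)
        if not m:
            continue
        clauses: List[Tuple[str, str, str]] = []
        for who, level in re.findall(r'\bby\s+(\S+)\s+(none|auth|compare|search|read|write)\b', m.group(2)):
            if who.startswith("dn="):
                clauses.append(("dn", who.split("=", 1)[1].strip('"'), level))
            elif who.startswith("group"):
                clauses.append(("group", who.split("=", 1)[1].strip('"'), level))
            else:
                clauses.append((who, "", level))    # users, anonymous, *
        directives.append(Directive(m.group(1), clauses))
    return directives


def _same_dn(a: str, b: str) -> bool:
    """DNs compare case-insensitively; Figure 30 mixes o=umc and o=UMC."""
    return a.replace(" ", "").lower() == b.replace(" ", "").lower()


def _clause_matches(clause: Tuple[str, str, str], req: Requester) -> bool:
    kind, pattern, _ = clause
    if kind == "*":
        return True
    if kind == "anonymous":
        return req.dn is None
    if kind == "users":
        return req.dn is not None
    if kind == "dn":
        return req.dn is not None and _same_dn(req.dn, pattern)
    if kind == "group":
        return any(_same_dn(g, pattern) for g in req.groups)
    return False                                    # self and other forms are not modelled


def evaluate(directives: List[Directive], req: Requester, entry_dn: str) -> str:
    """Access level req gets on entry_dn: first matching directive, first matching clause."""
    for d in directives:
        if re.search(d.target, entry_dn, re.IGNORECASE):   # bare dn= pattern is a regex
            for clause in d.by:
                if _clause_matches(clause, req):
                    return clause[2]
            return "none"                           # implicit 'by * none'
    return "none"


def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


# The first two directives of Figure 30, as they appear in umc.slapd.conf.
FIGURE_30 = """\
access to dn="o=AuthCache,o=umc"
    by dn="cn=umcAdmin,o=UMC" write
    by dn="cn=ssp,ou=components,o=operators,o=UMC" write
    by group/groupOfUniqueNames/uniqueMember="cn=SSC-Admin,o=Operators,o=UMC" write
    by users none
access to dn="o=UserProfileCache,o=umc"
    by dn="cn=umcAdmin,o=UMC" write
    by dn="cn=ssp,ou=components,o=operators,o=UMC" write
    by group/groupOfUniqueNames/uniqueMember="cn=SSC-Admin,o=Operators,o=UMC" write
    by users none
"""
# Constructed mistake: a catch-all placed before the specific clauses.
MISORDERED = FIGURE_30.replace('access to dn="o=AuthCache,o=umc"\n',
                               'access to dn="o=AuthCache,o=umc"\n    by users read\n', 1)

SSP = Requester("cn=ssp,ou=components,o=operators,o=umc")                       # from Figure 30
ADMIN = Requester("cn=ops1,o=Operators,o=umc", {"cn=SSC-Admin,o=Operators,o=umc"})  # constructed
SUBSCRIBER = Requester("uid=joe,o=Users,o=umc")                                  # constructed
ANON = Requester(None)

if __name__ == "__main__":
    for label, conf in (("Figure 30", FIGURE_30), ("misordered", MISORDERED)):
        rules = parse_slapd_access(conf)
        for name, req in (("ssp", SSP), ("admin", ADMIN), ("subscriber", SUBSCRIBER), ("anon", ANON)):
            print(label, name, evaluate(rules, req, "cn=x,o=AuthCache,o=umc"))
```

Running it on a copy of umc.slapd.conf and the bind DNs from this chapter is a quick way to confirm, before the replica goes live, that each component still gets exactly the level the figures above call for.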
Netscape / iPlanet Directory Server
Access control information is stored in the aci attribute of each directory entry.
Because the access control information is stored in the directory, it can be
managed using LDIF files.
ACIs take the following form, as shown in Figure 31:
aci: (target)(version 3.0; acl "name"; permission bind_rules;)
where
target defines the object, attributes, or filter that identifies the resource to
which access is controlled. The target can be a distinguished name, one or more
attributes, or a single LDAP filter.
version 3.0 is a required string that identifies the ACI version.
acl "name" names the ACI. name can be any string that identifies the ACI; the name
is required.
permission defines the actual access rights and whether they are allowed or
denied.
bind_rules identify the circumstances under which the directory bind must occur
for the ACI to take effect.
The UMCiDSa package includes the LDIF file access.ldif, which implements the SDX
access control scheme.
Figure 31 shows the LDIF that implements, in an iPlanet/Netscape 4.13 directory,
the same access rights as the DirX and OpenLDAP examples.
Figure 31: Creation of Access Control List Example in iPlanet DS 4.13
dn: o=UMC
changetype: modify
add: aci
aci: (target="ldap:///o=UMC")(targetattr="*")
 (targetfilter="(|(objectClass=cachedAuthenticationProfile)(objectClass=umcConfiguration))")
 (version 3.0; acl "SSP: enable admin of cached profiles and configuration";
 allow (all) userdn = "ldap:///cn=ssp,ou=Components,o=Operators,o=UMC"
 and (authmethod = "Simple");)
The parts of the ACI are:
1. target and targetattr: the target (the entire o=UMC area); targetattr="*" includes all user attributes
2. targetfilter: restricts the target to cachedAuthenticationProfile and umcConfiguration objects
3. acl "...": the identifier of the ACI
4. allow (all): grants all rights, which include write, read, search, and compare
5. userdn and authmethod: the user class (the SSP component) and the required authentication method (simple bind)
Assigning Operators to an Operator Group
To add operators to an operator group:
1. Click on the operator group in the navigation pane.
The Operator Group pane appears.
2. Click the icon.
The Select Object dialog box appears.
3. Use the tools in the navigation bar to view the operators for this enterprise.
4. Highlight an operator, and click OK.
5. Click Add in the Main tab of the Operator Group pane.
Deleting Operators from an Operator Group
To delete an operator from an operator group:
1. In the Main tab of the Operator Group pane, select the operator in the Members
field.
2. Right-click, and select Delete.
Part 3
RADIUS Servers
Chapter 9
Integrating Steel-Belted Radius/SPE
Steel-Belted Radius/Service Provider Edition (SPE) is a carrier-grade RADIUS/AAA
solution from Funk Software. It provides the reliability, performance, and
specialized technology demanded by carriers, wholesalers, and service providers.
Use the information in this chapter to integrate Steel-Belted Radius/SPE with
JUNOSe routers. Refer to the SDX Release Notes for information about compatibility
of this SDX release with Steel-Belted Radius/SPE releases. The SDX software does
not support the use of RADIUS with JUNOS routing platforms.
This chapter contains the following sections:
! System Requirements on page 88
! Installing the Software on page 88
! Initial Configuration on page 90
! Configuring UDP Ports on page 91
! Starting and Stopping the RADIUS Server on page 92
! Extending Dictionary Files with JUNOSe Parameters on page 92
! Configuring LDAP Authentication on page 94
! Directed Authentication on page 101
! Customizing the Authentication Log File on page 103
! RADIUS Client/Server Configuration on page 103
The SDX software can take advantage of a RADIUS server to authenticate against an
LDAP server, which is used to store subscriber and service information, among
other items.
System Requirements
The Solaris host software package from Funk Software includes:
! The RADIUS server daemon
! Java-based administration GUI
! A number of dictionary and database files to support various authentication
methods
The software package requires:
! Operating system—Solaris 8 and higher
! RAM—At least 64 MB of working memory
! Disk—Depends on external database support; at least 105 MB of hard-disk
space
! Browser for GUI—Java-capable browser that understands signed Java applets,
such as Netscape 4.08 or later for Solaris
Installing the Software
You will need the Steel-Belted Radius/SPE software CD and a valid license string.
Use the procedure that is appropriate for your installation.
NOTE: For the remainder of the document, we assume that Steel-Belted
Radius/SPE is installed in the directory /opt/UMC/SPE.
First-Time Installations
To install the software for the first time:
1. Log in as root.
2. Copy files from /cdrom/cdrom0/Unix to the Sun platforms (for example, to
/tmp/funk), and set your working directory to the directory to which the files
were copied.
3. Run the install.sh script with the -all option. Type:
sh install.sh -all
The installation script prompts for the server directory.
4. Type the full pathname:
/opt/UMC/SPE
The installation script prompts for the license string.
5. Enter a valid license string.
The installation script prompts for the type of install from the following list.
1. Steel-Belted Radius Enterprise Edition
2. Steel-Belted Radius Service Provider Edition
3. Steel-Belted Radius Global Enterprise Edition
4. Steel-Belted Radius HotSpot Edition
6. Enter selection: [2] Steel-Belted Radius Service Provider Edition
The installation script prompts for the directory where the administration user
interface should be installed.
7. Type the full pathname:
/opt/UMC/SPE/radadmin
Previous Installations
To install the software over a previous installation:
1. Complete the procedure in the previous section. The install.sh script may detect
the following items on the machine:
! RADIUS daemon already running
! Funk Steel-Belted RADIUS SPE configuration files
! Funk Steel-Belted RADIUS SPE database files
The install.sh script displays the following message if it discovers a running server:
Server is running with pid
Stop radius server and unconfig/uninstall before
Installing new version
2. Change to the installation directory of the Steel-Belted Radius/SPE package. You
can find the server directory by typing the following command:
ps -aef | grep radius
3. Stop the server by typing:
./S90radius stop
4. Change to your working directory. Unconfigure the previous installation, which
removes the start-up script and some entries in the /etc/services and
/etc/inetd.conf files, which are used by the previously installed Steel-Belted
Radius/SPE server. Type:
sh install.sh -unconfig
5. When prompted, enter the path of the existing server directory.
6. Run the install.sh script with the -all option again. Type
sh install.sh -all
The script checks for existing Steel-Belted Radius/SPE configuration files. The
following prompt appears if files are detected:
Previous configuration files exist
Configuration files exist in
Do you want to discard them? [n]
7. If you answer n, the previous configuration files are copied into the subdirectory
OLDCONFIG. Otherwise, the previous files are overwritten.
The script checks for existing Steel-Belted Radius/SPE database files. The
following prompt appears if files are detected:
Previous database files exist
Database files exist in
Do you want to discard them? [n]
8. If you answer n, the previous database files are not overwritten, and the new Steel-Belted Radius/SPE version uses the entire existing administrative database. Otherwise, the database files are overwritten.
The script prompts you for the license string.
9. Enter a valid license string.
The installation script prompts for the directory where the administration user
interface should be installed.
10. Type the full pathname:
/opt/UMC/SPE/radadmin
Initial Configuration
Use this procedure to enable authentication through the LDAP directories. The SDX
software requires that the LDAP be enabled as an external database. The LDAP host
is used for authentication purposes.
NOTE: The LDAP is not required for integration with just the JUNOSe router.
To enable an LDAP host as an external database used by Steel-Belted Radius/SPE:
1. Log in as root.
2. Return to the working directory (directory where the installation files were
originally copied; for example, /tmp/funk).
3. Unconfigure the initial configuration of Steel-Belted Radius/SPE by running
install.sh script with the -unconfig option. The server directory must be entered.
# sh install.sh -unconfig
Enter server directory [/radius]: /opt/UMC/SPE
Removing /etc/rc2.d/S90radius /etc/rc2.d/K90radius
Removing RADIUS entries from /etc/services
Removing RADIUS entries from /etc/inetd.conf
kill -HUP 124
Unconfig completed.
4. Configure Steel-Belted Radius/SPE with the external database by running
install.sh with the -config option. The server directory must be entered again. In
addition, LDAP must be selected as the external database, and the path
/opt/UMC/SPE must be entered where the LDAP libraries are located. In the
following example, no SNMP support is configured (see the Steel-Belted
Radius/SPE manuals for more information about SNMP support).
# sh install.sh -config
Enter server directory [[/radius]: /opt/UMC/SPE
Creating S90radius.
Setting the default radius directory /opt/UMC/SPE
Do you want to configure SNMP? [n]: n
Do you want to configure for use with External SQL Databases? [n]: n
Do you want to configure LDAP? [n]: y
Enter path for LDAP library files. [/usr/lib/]: /opt/UMC/SPE
Configuration of LDAP complete. Copying S90radius to /opt/UMC/SPE
Creating link.
Radius server configuration completed. Configuring admin...
Modifying /etc/services ...
Modifying /etc/inetd.conf ...
kill -HUP 133
Admin configuration completed.
5. Copy the dictionary and vendor files (dictiona.dcm, juniper.dct and vendor.ini) for
the JUNOSe release from the folder called Funk on the SDX Software CD, into
the installation directory (/opt/UMC/SPE).
Configuring UDP Ports
The transaction-based RADIUS protocol uses two UDP ports: one for authentication
packets and one for accounting packets. The ports must be configured on both
sides—the Steel-Belted Radius/SPE server and the RADIUS clients (SDX software
and JUNOSe router). For information about RADIUS client/server configuration, see
RADIUS Client/Server Configuration on page 103.
The officially assigned UDP port numbers are:
! 1812 for authentication
! 1813 for accounting
Early deployments of RADIUS used 1645/udp for authentication packets and
1646/udp for accounting packets.
The (ports) section of the RADIUS configuration file radius.ini sets the UDP ports used for authentication and accounting, through the UDPAuthPort and UDPAcctPort fields. You can specify more than one port for the SPE server to listen on; for example:
! UDPAuthPort = 1812
! UDPAuthPort = 1645
! UDPAcctPort = 1813
! UDPAcctPort = 1645
If no port settings are present in the radius.ini file, the SPE server attempts to read
the port numbers associated with the RADIUS servers from the /etc/services file.
If no port settings are present in the radius.ini file and no RADIUS services are
defined in the /etc/services file, the SPE server listens to UDP ports 1645 and 1812
for authentication and UDP ports 1646 and 1813 for accounting.
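As an added example (not code from the Juniper guide or from Funk Software), the following Python resolves the ports the SPE server will listen on by applying the three-step rule just described to a radius.ini fragment and an /etc/services file, and reports which ports a RADIUS client uses that the server would not be listening on. The /etc/services names "radius" and "radacct", and ';' as the radius.ini comment marker, are assumptions.

```python
"""Resolve the UDP ports the SPE server will listen on, following the rule
above: (ports) entries in radius.ini win; otherwise the RADIUS entries in
/etc/services; otherwise 1645 and 1812 for authentication and 1646 and 1813
for accounting. Added example, not Juniper's or Funk Software's code; the
/etc/services names "radius" and "radacct" are an assumption, and a ';'
comment marker in radius.ini is likewise assumed."""
import re

DEFAULT_AUTH = frozenset({1645, 1812})
DEFAULT_ACCT = frozenset({1646, 1813})
SERVICES_RE = re.compile(r"^(\S+)\s+(\d+)/udp\b")


def ports_from_radius_ini(text):
    """Collect every UDPAuthPort/UDPAcctPort in the (ports) section; repeats add ports."""
    auth, acct, in_ports = set(), set(), False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line[0] in "[(":                          # section header, [Ports] or (ports)
            in_ports = line.strip("[]()").lower() == "ports"
        elif in_ports and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key.lower() == "udpauthport":
                auth.add(int(val))
            elif key.lower() == "udpacctport":
                acct.add(int(val))
    return auth, acct


def ports_from_services(text, auth_names=("radius",), acct_names=("radacct",)):
    """Collect the UDP ports of the RADIUS service names in an /etc/services file."""
    auth, acct = set(), set()
    for raw in text.splitlines():
        m = SERVICES_RE.match(raw.split("#", 1)[0])
        if m and m.group(1) in auth_names:
            auth.add(int(m.group(2)))
        elif m and m.group(1) in acct_names:
            acct.add(int(m.group(2)))
    return auth, acct


def effective_ports(radius_ini, etc_services):
    """Return (auth_ports, acct_ports, source) as the server would resolve them."""
    auth, acct = ports_from_radius_ini(radius_ini)
    if auth or acct:
        return auth, acct, "radius.ini"
    auth, acct = ports_from_services(etc_services)
    if auth or acct:
        return auth, acct, "/etc/services"
    return set(DEFAULT_AUTH), set(DEFAULT_ACCT), "built-in defaults"


def client_mismatch(client_auth, client_acct, radius_ini, etc_services):
    """Ports a client (JUNOSe router or SAE) uses that the server is not listening on."""
    auth, acct, _ = effective_ports(radius_ini, etc_services)
    return {client_auth} - auth, {client_acct} - acct


# Constructed samples: the radius.ini fragment from this section and a minimal /etc/services.
SAMPLE_INI = "(ports)\nUDPAuthPort = 1812\nUDPAuthPort = 1645\nUDPAcctPort = 1813\n"
SAMPLE_SERVICES = "radius\t1812/udp\t# RADIUS authentication\nradacct\t1813/udp\n"

if __name__ == "__main__":
    print(effective_ports(SAMPLE_INI, SAMPLE_SERVICES))
    # a client sending accounting to 1646 would be ignored by this server
    print(client_mismatch(1812, 1646, SAMPLE_INI, SAMPLE_SERVICES))
```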
Starting and Stopping the RADIUS Server
You can start or stop the RADIUS server using the commands described below.
To start the RADIUS server:
1. Change to the /opt/UMC/SPE directory.
2. Enter:
./S90radius start
During start-up, the RADIUS server binds to the LDAP server, which requires
that the LDAP server be running before the RADIUS server is started. The
RADIUS daemon is automatically started whenever the Solaris host is booted.
To stop the RADIUS server, enter:
./S90radius stop
Extending Dictionary Files with JUNOSe Parameters
In addition to supporting the standard RADIUS attributes, JUNOSe routers support
JUNOSe-specific attributes. You must replace a file to introduce JUNOSe-specific
attributes to the Steel-Belted Radius server. Replacing this file is necessary to
complete both the Steel-Belted Radius–JUNOSe router integration and the
Steel-Belted Radius–JUNOSe router–SDX integration.
To extend dictionary files with JUNOSe parameters, replace the juniper.dct
dictionary file provided by Funk Software with the file shown below. The Juniper
Networks dictionary file is included as part of the SDX installation media.
################################################################################
# juniper.dct - Juniper ERX Family dictionary
#
# (See README.DCT for more details on the format of this file)
################################################################################
#
# Use the Radius specification attributes
#
@radius.dct
#
# Define additional Juniper ERX Family Attributes
#
MACRO ERX-VSA(t,s) 26 [vid=4874 type1=%t% len1=+2 data=%s%]
MACRO ERX-TUNNELVSA(t,s) 26 [vid=4874 type1=%t% len1=+3 fill1=0 data=%s%]
ATTRIBUTE Virtual-Router-Name ERX-VSA(1, string) rt
ATTRIBUTE Address-Pool-Name ERX-VSA(2, string) r
ATTRIBUTE Local-Loopback ERX-VSA(3, string) r
ATTRIBUTE Primary-DNS ERX-VSA(4, ipaddr) r
ATTRIBUTE Secondary-DNS ERX-VSA(5, ipaddr) r
ATTRIBUTE Primary-WINS ERX-VSA(6, ipaddr) r
ATTRIBUTE Secondary-WINS ERX-VSA(7, ipaddr) r
ATTRIBUTE Tunnel-Virtual-Router ERX-TUNNELVSA(8, string) rt
ATTRIBUTE Tunnel-Password ERX-TUNNELVSA(9, string) rt
ATTRIBUTE Ingress-Policy-Name ERX-VSA(10, string) R
ATTRIBUTE Egress-Policy-Name ERX-VSA(11, string) R
ATTRIBUTE Ingress-Statistics ERX-VSA(12, integer) R
VALUE Ingress-Statistics disable 0
VALUE Ingress-Statistics enable 1
ATTRIBUTE Egress-Statistics ERX-VSA(13, integer) R
VALUE Egress-Statistics disable 0
VALUE Egress-Statistics enable 1
ATTRIBUTE Atm-Service-Category ERX-VSA(14, integer) r
VALUE Atm-Service-Category UBR 1
VALUE Atm-Service-Category UBRPCR 2
VALUE Atm-Service-Category nrtVBR 3
VALUE Atm-Service-Category CBR 4
ATTRIBUTE Atm-PCR ERX-VSA(15, integer) r
ATTRIBUTE Atm-SCR ERX-VSA(16, integer) r
ATTRIBUTE ATM-MBS ERX-VSA(17, integer) r
ATTRIBUTE CLI-Initial-Auth-Level ERX-VSA(18, string) r
ATTRIBUTE CLI-Allow-All-VR-Access ERX-VSA(19, integer) r
VALUE CLI-Allow-All-VR-Access disable 0
VALUE CLI-Allow-All-VR-Access enable 1
ATTRIBUTE Alt-CLI-Auth-Level ERX-VSA(20, string) R
ATTRIBUTE Alt-CLI-Virtual-Router ERX-VSA(21, string) R
ATTRIBUTE Sa-Validate ERX-VSA(22, integer) r
VALUE Sa-Validate disable 0
VALUE Sa-Validate enable 1
ATTRIBUTE Igmp-Enable ERX-VSA(23, integer) r
VALUE Igmp-Enable disable 0
VALUE Igmp-Enable enable 1
ATTRIBUTE Pppoe-Description ERX-VSA(24, string) c
ATTRIBUTE Redirect-VR-Name ERX-VSA(25, string) r
ATTRIBUTE Qos-Profile-Name ERX-VSA(26, string) r
ATTRIBUTE Pppoe-Max-Sessions ERX-VSA(27, integer) r
ATTRIBUTE Pppoe-Url ERX-VSA(28, string) r
ATTRIBUTE Qos-Profile-Interface-Type ERX-VSA(29, integer) r
VALUE Qos-Profile-Interface-Type IP 1
VALUE Qos-Profile-Interface-Type ATM 2
VALUE Qos-Profile-Interface-Type HDLC 3
VALUE Qos-Profile-Interface-Type ETHERNET 4
VALUE Qos-Profile-Interface-Type SERVER-PORT 5
VALUE Qos-Profile-Interface-Type ATM-1483 6
VALUE Qos-Profile-Interface-Type FRAME-RELAY 7
VALUE Qos-Profile-Interface-Type MPLS-MINOR 8
VALUE Qos-Profile-Interface-Type CBF 9
VALUE Qos-Profile-Interface-Type IP-TUNNEL 10
VALUE Qos-Profile-Interface-Type VLAN-SUB 11
VALUE Qos-Profile-Interface-Type PPPOE-SUB 12
ATTRIBUTE Tunnel-Nas-Port-Method ERX-TUNNELVSA(30, integer) r
VALUE Tunnel-Nas-Port-Method None 0
VALUE Tunnel-Nas-Port-Method CISCO-CLID 1
ATTRIBUTE Service-Bundle ERX-VSA(31, stringnz) r
ATTRIBUTE Tunnel-Tos ERX-TUNNELVSA(32, integer) r
ATTRIBUTE Tunnel-Maximum-Sessions ERX-TUNNELVSA(33, integer) r
ATTRIBUTE Framed-Ip-Route-Tag ERX-VSA(34, string) r
ATTRIBUTE Tunnel-Dialout-Number ERX-TUNNELVSA(35, string) r
ATTRIBUTE Ppp-Username ERX-TUNNELVSA(36, string) r
ATTRIBUTE Ppp-Password ERX-TUNNELVSA(37, string) r
ATTRIBUTE Ppp-Authenticate-Protocol ERX-TUNNELVSA(38, integer) r
VALUE Ppp-Authenticate-Protocol NONE 0
VALUE Ppp-Authenticate-Protocol PAP 1
VALUE Ppp-Authenticate-Protocol CHAP 2
VALUE Ppp-Authenticate-Protocol PAP-CHAP 3
VALUE Ppp-Authenticate-Protocol CHAP-PAP 4
ATTRIBUTE Tunnel-Minimum-Bps ERX-TUNNELVSA(39, integer) r
ATTRIBUTE Tunnel-Maximum-Bps ERX-TUNNELVSA(40, integer) r
ATTRIBUTE Tunnel-Bearer-Type ERX-TUNNELVSA(41, integer) r
VALUE Tunnel-Bearer-Type NONE 0
VALUE Tunnel-Bearer-Type ANALOG 1
VALUE Tunnel-Bearer-Type DIGITAL 2
ATTRIBUTE Input-Gigapkts ERX-VSA(42, integer) r
ATTRIBUTE Output-Gigapkts ERX-VSA(43, integer) r
ATTRIBUTE Tunnel-Interface-Id ERX-TUNNELVSA(44, string) r
ATTRIBUTE Ipv6-Virtual-Router ERX-VSA(45, string) rt
ATTRIBUTE Ipv6-Local-Interface ERX-VSA(46, string) r
ATTRIBUTE Ipv6-Primary-DNS ERX-VSA(47, string) r
ATTRIBUTE Ipv6-Secondary-DNS ERX-VSA(48, string) r
ATTRIBUTE Sdx-Service-Name ERX-VSA(49, string) cr
ATTRIBUTE Sdx-Session-Volume-Quota ERX-VSA(50, string) cr
ATTRIBUTE Tunnel-Disconnect-Cause-Info ERX-TUNNELVSA(51, string) r
################################################################################
# juniper.dct - Juniper ERX dictionary
################################################################################
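As an added example (not code from the Juniper guide or from Funk Software), the following Python encodes and decodes Juniper ERX vendor-specific attributes exactly as the two MACRO lines above lay them out, reading the attribute definitions from a constructed subset of the dictionary. The one-byte zero tag preceding the data of ERX-TUNNELVSA attributes is my reading of len1=+3 fill1=0.

```python
"""Encode/decode RADIUS Vendor-Specific Attributes as the juniper.dct macros
above lay them out (added example, not Juniper's or Funk Software's code):
  ERX-VSA(t,s)       -> 26 | len | vid=4874 | type1=t | len1=data+2 | data
  ERX-TUNNELVSA(t,s) -> 26 | len | vid=4874 | type1=t | len1=data+3 | tag=0 | data
The one-byte zero tag for tunnel VSAs is my reading of "len1=+3 fill1=0"."""
import re
import struct
from ipaddress import IPv4Address

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type
JUNIPER_ERX_VID = 4874    # vid=4874 in both macros

# Constructed subset of the juniper.dct text shown above.
DICT_TEXT = """
MACRO ERX-VSA(t,s) 26 [vid=4874 type1=%t% len1=+2 data=%s%]
MACRO ERX-TUNNELVSA(t,s) 26 [vid=4874 type1=%t% len1=+3 fill1=0 data=%s%]
ATTRIBUTE Virtual-Router-Name ERX-VSA(1, string) rt
ATTRIBUTE Primary-DNS ERX-VSA(4, ipaddr) r
ATTRIBUTE Tunnel-Virtual-Router ERX-TUNNELVSA(8, string) rt
ATTRIBUTE Ingress-Statistics ERX-VSA(12, integer) R
VALUE Ingress-Statistics disable 0
VALUE Ingress-Statistics enable 1
ATTRIBUTE Sdx-Service-Name ERX-VSA(49, string) cr
"""

ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(ERX-VSA|ERX-TUNNELVSA)\((\d+),\s*(\w+)\)")
VALUE_RE = re.compile(r"^VALUE\s+(\S+)\s+(\S+)\s+(\d+)")


def parse_dictionary(text):
    """Return ({name: (macro, vendor_type, datatype)}, {(name, label): number})."""
    attrs, values = {}, {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, macro, vtype, dtype = m.groups()
            attrs[name] = (macro, int(vtype), dtype)
            continue
        m = VALUE_RE.match(line)
        if m:
            values[(m.group(1), m.group(2))] = int(m.group(3))
    return attrs, values


def _encode_data(dtype, value, values, name):
    if dtype in ("string", "stringnz"):
        return value.encode("utf-8")
    if dtype == "ipaddr":
        return IPv4Address(value).packed
    if dtype == "integer":
        if isinstance(value, str):            # symbolic VALUE label -> number
            value = values[(name, value)]
        return struct.pack("!I", value)
    raise ValueError(f"unsupported dictionary type {dtype}")


def encode_vsa(attrs, values, name, value):
    """Build the complete type-26 attribute carrying one Juniper ERX VSA."""
    macro, vtype, dtype = attrs[name]
    data = _encode_data(dtype, value, values, name)
    tag = b"\x00" if macro == "ERX-TUNNELVSA" else b""   # fill1=0
    vendor_len = 2 + len(tag) + len(data)                 # len1=+2 / len1=+3
    if vendor_len > 255:
        raise ValueError(f"{name}: value too long for a single VSA")
    body = struct.pack("!IBB", JUNIPER_ERX_VID, vtype, vendor_len) + tag + data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attrs, raw):
    """Inverse of encode_vsa: (attribute name, raw data), or an error on malformed input."""
    if len(raw) < 8 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vid, vtype, vlen = struct.unpack("!IBB", raw[2:8])
    if vid != JUNIPER_ERX_VID or vlen != len(raw) - 6:
        raise ValueError("not a Juniper ERX VSA or vendor length inconsistent")
    for name, (macro, t, _) in attrs.items():
        if t == vtype:
            return name, raw[9 if macro == "ERX-TUNNELVSA" else 8:]
    raise KeyError(f"unknown Juniper ERX vendor type {vtype}")


if __name__ == "__main__":
    a, v = parse_dictionary(DICT_TEXT)
    pkt = encode_vsa(a, v, "Virtual-Router-Name", "default")
    print(pkt.hex(), decode_vsa(a, pkt))
```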
Configuring LDAP Authentication
The SDX software assumes that all RADIUS authentications are performed against the SDX LDAP directory. The information in this section also applies to the Steel-Belted Radius/SPE server integration with a JUNOSe router, provided that Steel-Belted Radius/SPE uses an LDAP server as an external database for authentication purposes.
Integration of the JUNOSe-specific attributes, such as primary DNS, virtual router,
and others must be performed. Steel-Belted Radius/SPE supports such an external
authentication method by using several configuration files.
These files tell the RADIUS server:
! How the RADIUS server communicates with an external database (LDAP)
! How the RADIUS server queries the external database for authentication
! How the RADIUS server formulates the response from the query result
You configure LDAP authentication by modifying properties in the ldapauth.aut file, which is located in the server directory (/opt/UMC/SPE). If you do not specify options in this file, the SPE assumes the default values. You can also view a sample ldapauth.aut file on the SDX software CD in the folder called funk.
The sections of the LDAP authentication file are described below.
[Bootstrap] Section
The [Bootstrap] section specifies the information that Steel-Belted Radius/SPE uses to load and start the LDAP authentication plug-in. The library to use must be set, and LDAP authentication must be enabled.
This section should look like:
[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=LDAP
[Settings] Section
The [Settings] section forms a basis for all Bind and Search requests against the
LDAP server. The information presented here applies to all LDAP servers specified in
this file.
Steel-Belted Radius/SPE supports two kinds of LDAP authentication:
! Bind—Steel-Belted Radius/SPE attempts to bind to the LDAP server, using
username and password from the incoming access request (one authentication
is performed at one time).
! BindName—Steel-Belted Radius/SPE binds once with credentials to the LDAP
server and performs a Search operation against the LDAP server to validate
username and password from the incoming access request (multiple
authentications are performed at the same time).
The SDX software supports the BindName option, which must be specified in the
[Settings] section. The BindName option requires specifying credentials, which
Steel-Belted Radius/SPE uses to bind against the LDAP directory. If you want to use
the same credentials for each LDAP directory, you would specify BindName and
BindPassword in the [Settings] section; otherwise you would use the [Server/name]
sections, as described below:
! LogLevel—Activates LDAP logging, written into the activity log file (.log)
! PasswordFormat—Identifies whether RADIUS handles clear-text, UNIX crypt, or SHA1+Base64 hash-encrypted passwords. The value auto tells Steel-Belted Radius/SPE to parse each password value it retrieves from the LDAP server.
! PasswordCase—Tells SPE whether the password is always converted to uppercase, converted to lowercase, or not converted at all. The default is Original.
! UpperCaseName—Identifies whether the username is converted to uppercase. The default is 0 (no conversion).
The Search option specifies a string name that references the section where the LDAP Search request is specified.
The section should look like:
[Settings]
MaxConcurrent=25
Timeout=20
ConnectTimeout=25
QueryTimeout=10
WaitReconnect=2
MaxWaitReconnect=360
LogLevel = 0
UpperCaseName = 0
PasswordCase=original
PasswordFormat=auto
Search = DoLdapSearch
SSL = 0
[Server] Section
The [Server] section lists the LDAP servers that may be used to perform
authentication. Optionally, it also can be used to specify multiple LDAP servers for
load balancing or backup. If more than one LDAP server is specified, Steel-Belted
Radius/SPE always uses round-robin. The following depicts how to list one or more
LDAP servers.
The list contains serverName = TargetNumber pairs, where serverName is used in the [server/serverName] section described in the next section. TargetNumber is an activation target number that controls when the server is activated for backup purposes. TargetNumber is optional and may be left blank. For example:
[Server]
s1=
s2=
s3=
[Server/serverName] Section
Each [server/serverName] section contains information about a single LDAP server.
You must provide a [server/serverName] section for each server you specify in the
[server] section. The value for Host identifies the IP address of the LDAP server, and the value for Port specifies the port used for LDAP communications. By default, an LDAP server listens at port 389. The credentials used by Steel-Belted Radius/SPE to bind to the LDAP server are specified in BindName and BindPassword. The SSL value indicates whether an SSL connection is used for the RADIUS-LDAP connection. If the last three parameters are not specified, Steel-Belted Radius/SPE takes the configuration from the [Settings] section.
[Server/s1]
Host=127.0.0.1
Port=389
BindName=cn=radius,ou=components,o=operators,o=umc
BindPassword=radius
SSL=0
[Server/s2]
Host=10.20.2.12
Port=389
[Server/s3]
Host=10.10.40.19
Port=389
[Search/name] Section
The referenced [Search/name] section includes the search filter, base object, scope,
and attribute list, which are included in the LDAP Search operation. If you reference
this section in the [Settings] section, the specified options are valid for all LDAP
directories. If you want to specify separate Search options for each LDAP directory,
you must reference this section in each [server/name] section. In the following example, “DoLdapSearch” is used as the name.
NOTE: This name is referenced in the [Settings] section.
Because the SDX software uses the BindName authentication method, you must
ensure that the user’s password is included in the attribute list, referenced by the
attributes option. In the SDX software case, we would like to search only objects
where the LDAP attribute uid matches the specified username, and we therefore set
Filter=uid=. The location within the directory where the search is
started is specified in the Base variable. The SDX software for residential users uses
the base retailerName=default,o=Users,o=umc. The scope of the search is a
subtree search (Scope=2). The variable %DN is used for holding the distinguished
name of the LDAP search result. The attribute list is a reference to another section
of the ldapauth.aut file.
[Search/DoLdapSearch]
Base=retailerName=default,o=users,o=umc
Scope=2
Filter=uid=
Attributes = AttrList
Timeout = 20
%DN = dn
For another authentication strategy, see Directed Authentication on page 101. This
strategy is more suited for cases where the service provider outsources services
from retailer ISPs.
[Attribute/name] Section
The [Attribute/name] section determines which LDAP attributes the LDAP search requests. If the entry that matches the search filter contains values of these attribute types, those values become part of the search result, and RADIUS uses them for checking and for building the reply. Again, the user password attribute is mandatory for the BindName authentication method, which is used in our case. The [Attribute/name] section looks like:
[Attributes/AttrList]
userPassword
uid
alternateCliAuthLevel
alternateCliVrouterName
ascendFilterCmd
atmMBS
atmPCR
atmSCR
atmServiceCategory
cliAllowAllVRAccess
cliInitialAccessLevel
egressPolicyName
egressStatistics
framedIpRouteTag
igmpEnable
ingressPolicyName
ingressStatistics
ipv6LocalInterface
ipv6PrimaryDNS
ipv6SecondaryDNS
ipv6VirtualRouter
localAddressPool
localInterface
pppoeDescription
pppoeMaxSessions
pppoeUrl
qosProfileName
qosProfileInterfaceType
radiusChapPassword
radiusAcctInterimInterval
radiusCalledStationId
radiusCallingStationId
radiusConnectInfo
radiusFilterId
radiusFramedIPAddress
radiusFramedIPNetmask
radiusReplyMessage
radiusFramedProtocol
radiusFramedRoute
radiusFramedPool
radiusSessionTimeOut
radiusNASIdentifier
radiusNASIPAddress
radiusNASPort
radiusNASPortId
radiusNASPortType
radiusClass
radiusIdleTimeOut
radiusServiceType
redirectVRName
pppAuthenticateProtocol
pppPassword
pppUsername
primaryDNS
secondaryDNS
primaryWINS
saValidate
sdxServiceName
sessionVolumeQuota
secondaryWINS
serviceBundle
tunnelAssignmentID
tunnelClientEndPoint
tunnelClientAuthID
tunnelMaximumSessions
tunnelMediumType
tunnelNasPortMethod
tunnelPreference
tunnelTOS
tunnelType
tunnelServerEndPoint
tunnelServerAuthID
tunnelPassword
tunnelVirtualRouter
tunnelBearerType
tunnelDialoutNumber
tunnelInterfaceId
tunnelMaximumBps
tunnelMinimumBps
virtualRouterName
[Request] Section
In the [Request] section, the incoming RADIUS attributes (from Access-Request)
must be determined and mapped to LDAP attributes. Steel-Belted Radius/SPE will
place these values in the variable table before moving on to the LDAP Bind and
Search requests as defined earlier.
[Request]
%UserName = User-Name
NAS-IP-Address = radiusNASIPAddress
NAS-Port = radiusNASPort
Service-Type = radiusServiceType
[Response] Section
The [Response] section tells Steel-Belted Radius/SPE what to do with the
information that it has retrieved from the incoming access request and from the
LDAP database. It completes the authentication and issues an access response to
the RADIUS client.
[Response]
%Password = userpassword
Acct-Interim-Interval = radiusAcctInterimInterval
Address-Pool-Name = localAddressPool
Alt-CLI-Auth-Level = alternateCliAuthLevel
Alt-CLI-Virtual-Router = alternateCliVrouterName
Atm-MBS = atmMBS
Atm-PCR = atmPCR
Atm-SCR = atmSCR
Atm-Service-Category = atmServiceCategory
Class = radiusClass
CLI-Allow-All-VR-Access = cliAllowAllVRAccess
CLI-Initial-Auth-Level = cliInitialAccessLevel
Egress-Policy-Name = egressPolicyName
Egress-Statistics = egressStatistics
Filter-Id = radiusFilterId
Framed-IP-Address = radiusFramedIPAddress
Framed-IP-Netmask = radiusFramedIPNetMask
Framed-Ip-Route-Tag = framedIpRouteTag
Framed-Pool = radiusFramedPool
Framed-Route = radiusFramedRoute
Idle-Timeout = radiusIdleTimeOut
Igmp-Enable = igmpEnable
Ingress-Policy-Name = ingressPolicyName
Ingress-Statistics = ingressStatistics
Ipv6-Virtual-Router = ipv6VirtualRouter
Ipv6-Local-Interface = ipv6LocalInterface
Ipv6-Primary-DNS = ipv6PrimaryDNS
Ipv6-Secondary-DNS = ipv6SecondaryDNS
Local-Loopback = localInterface
Ppp-Authenticate-Protocol = pppAuthenticateProtocol
Ppp-Password = pppPassword
Ppp-Username = pppUsername
Pppoe-Max-Sessions = pppoeMaxSessions
Pppoe-Url = pppoeUrl
Primary-DNS = primaryDNS
Primary-WINS = primaryWINS
Qos-Profile-Interface-Type = qosProfileInterfaceType
Qos-Profile-Name = qosProfileName
Redirect-VR-Name = redirectVRName
Sa-Validate = saValidate
Sdx-Service-Name = sdxServiceName
Sdx-Session-Volume-Quota = sessionVolumeQuota
Secondary-DNS = secondaryDNS
Secondary-WINS = secondaryWINS
Service-Type = radiusServiceType
Service-Bundle = serviceBundle
Session-Timeout = radiusSessionTimeOut
Tunnel-Bearer-Type = tunnelBearerType
Tunnel-Dialout-Number = tunnelDialoutNumber
Tunnel-Interface-Id = tunnelInterfaceId
Tunnel-Maximum-Bps = tunnelMaximumBps
Tunnel-Minimum-Bps = tunnelMinimumBps
Tunnel-Assignment-ID = tunnelAssignmentID
Tunnel-Type = tunnelType
Tunnel-Maximum-Sessions = tunnelMaximumSessions
Tunnel-Medium-Type = tunnelMediumType
Tunnel-Nas-Port-Method = tunnelNasPortMethod
Tunnel-Server-Endpoint = tunnelServerEndPoint
Tunnel-Password = tunnelPassword
Tunnel-Preference = tunnelPreference
Tunnel-Tos = tunnelTOS
Tunnel-Virtual-Router = tunnelVirtualRouter
Virtual-Router-Name = virtualRouterName
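As an added example (not code from the Juniper guide or from Funk Software), the following Python checks an ldapauth.aut file for the cross-references the BindName method relies on before the server is restarted: the Search section named in [Settings] and the attribute list it names exist and carry userPassword, each server in [Server] has its own section with a Host and resolvable bind credentials, %Password is mapped in [Response], and SSL=0 (cleartext LDAP) is flagged. The sample file is a constructed, shortened copy of the sections shown above; note that, as in the guide's own sample, s2 has no BindName and [Settings] supplies none, which the check reports.

```python
"""Consistency check for an ldapauth.aut file built as described above (added
example, not Juniper's or Funk Software's code). Before restarting the server it
verifies the cross-references the BindName method relies on and flags the
findings a reviewer would raise; the sample file is a constructed, shortened
copy of the sections shown in this guide."""
import configparser

SAMPLE_AUT = """\
[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=LDAP
[Settings]
PasswordFormat=auto
Search = DoLdapSearch
SSL = 0
[Server]
s1=
s2=
[Server/s1]
Host=127.0.0.1
Port=389
BindName=cn=radius,ou=components,o=operators,o=umc
BindPassword=radius
SSL=0
[Server/s2]
Host=10.20.2.12
Port=389
[Search/DoLdapSearch]
Base=retailerName=default,o=users,o=umc
Scope=2
Attributes = AttrList
%DN = dn
[Attributes/AttrList]
userPassword
uid
virtualRouterName
[Request]
%UserName = User-Name
[Response]
%Password = userpassword
Virtual-Router-Name = virtualRouterName
"""


def load_aut(text):
    # allow_no_value: bare attribute names in [Attributes/...]; interpolation off: %DN, %Password
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, delimiters=("=",))
    cp.optionxform = str                       # keep option-name case as written
    cp.read_string(text)
    return cp


def check_aut(cp):
    """Return [(severity, message), ...]; an empty list means the file is consistent."""
    get = lambda sec, key, default=None: cp.get(sec, key, fallback=default)
    out = []
    if get("Bootstrap", "Enable") != "1" or get("Bootstrap", "LibraryName") != "ldapauth.so":
        out.append(("error", "[Bootstrap] must set LibraryName=ldapauth.so and Enable=1"))
    # The Search section named in [Settings], and the attribute list it names, must exist.
    search = get("Settings", "Search")
    if not search or not cp.has_section(f"Search/{search}"):
        out.append(("error", f"[Settings] Search={search!r} has no [Search/{search}] section"))
    else:
        attrs = get(f"Search/{search}", "Attributes")
        if not attrs or not cp.has_section(f"Attributes/{attrs}"):
            out.append(("error", f"[Search/{search}] names missing section [Attributes/{attrs}]"))
        elif "userpassword" not in {o.lower() for o in cp.options(f"Attributes/{attrs}")}:
            out.append(("error", "BindName authentication requires userPassword in the attribute list"))
    # Every server in [Server] needs its own section, a Host, bind credentials, and ideally SSL.
    for name in (cp.options("Server") if cp.has_section("Server") else []):
        sec = f"Server/{name}"
        if not cp.has_section(sec):
            out.append(("error", f"[Server] lists {name} but [{sec}] is missing"))
            continue
        if not get(sec, "Host"):
            out.append(("error", f"[{sec}] has no Host"))
        if not (get(sec, "BindName") or get("Settings", "BindName")) or \
           not (get(sec, "BindPassword") or get("Settings", "BindPassword")):
            out.append(("error", f"[{sec}] has no BindName/BindPassword and [Settings] supplies none"))
        if (get(sec, "SSL") or get("Settings", "SSL") or "0").strip() != "1":
            out.append(("warn", f"[{sec}] uses cleartext LDAP (SSL=0); bind password and "
                                f"userPassword cross the network unencrypted"))
    if not get("Response", "%Password"):
        out.append(("error", "[Response] must map %Password to the LDAP password attribute"))
    return out


if __name__ == "__main__":
    for severity, message in check_aut(load_aut(SAMPLE_AUT)):
        print(f"{severity}: {message}")
```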
Directed Authentication
Directed authentication is used when the service provider manages retailer ISPs.
This means that the service provider holds the ISP’s end-customer information in its
LDAP server, but is not responsible for the data. This data is stored in a separate
subtree within the LDAP server.
A unique identifier in the retailer ISP realm might also exist in the service provider realm or in another retailer ISP realm. This authentication method allows you to set a different search base, selected by the realm name that is submitted at login time.
Configuration Example
Consider an example where the ISP “Virneo” is handled within the service
provider’s LDAP directory. The service provider and the ISP agreed to use the realm
name virneo.com.
To configure directed authentication for this example, you would perform the
following steps:
1. Enable the realm feature on the RADIUS server (setting parameter in radius.ini):
[Configuration]
ExtendedProxy = 1
2. Register the realm name with Steel-Belted Radius/SPE (setting parameter in
proxy.ini):
[Directed]
virneo.com
3. Create a realm configuration file called virneo.com.dir.
NOTE: The filename must be identical to the realm name specified in the previous
step.
4. Register the authentication method (LDAP) with the realm (setting parameter in
isp1.com.dir):
[AuthMethods]
VIRNEO.COM
NOTE: The string specified in the [AuthMethods] section must be identical to the
LDAP initialization string from the to-be-created authentication file
(virneo.com.aut).
5. Enable directed authentication (setting parameter in virneo.com.dir) and strip
the realm name:
[Auth]
Enable = 1
StripRealm = 1
6. Enable directed accounting (setting parameter in isp1.net.dir):
[Acct]
Enable = 1
7. Define the LDAP configuration interface for directed authentication (creating
authentication file virneo.com.aut):
This step is identical to a step mentioned in the Configuring LDAP Authentication
section. The initialization string in the bootstrap section must be identical to the
authentication method, which is specified in virneo.com.dir. For example:
[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=VIRNEO.COM
Further details about the proxy configuration and directed realm configurations can
be found in the Steel-Belted Radius/SPE manuals.
Customizing the Authentication Log File
The SDX software requires that the RADIUS attribute Class be captured in the
accounting files. By default, Steel-Belted Radius/SPE does not include the Class
attribute in the accounting files. To log Class, modify the file account.ini in the server directory (/opt/UMC/SPE) by adding “Class=” to the [Attributes] section:
[Attributes]
User-Name=
NAS-Port=
Framed-IP-Address=
Class=
RADIUS Client/Server Configuration
You must configure both the client and server to allow communication between the
RADIUS server (SPE 4.0) and the RADIUS clients (the JUNOSe router and the SAE).
RADIUS Server Configuration
The RADIUS server must be able to communicate with the RADIUS clients. The
RADIUS server must know the following information for all RADIUS clients
connected to the RADIUS server:
! IP address of the RADIUS client
! RADIUS shared secret to be exchanged between Steel-Belted Radius/SPE and
the client
! Model (vendor) of the RADIUS client
You perform these configurations by using the SDX Admin user interface.
RADIUS Client Configuration
Each RADIUS client must be able to contact its RADIUS server. The RADIUS client
must know the following information to allow client/server communication:
! IP address of the RADIUS server
! The RADIUS shared secret to be exchanged between Steel-Belted Radius/SPE
and the client
! UDP ports on which the client sends and receives RADIUS authentication and
accounting packets. They must match with the server configuration.
The RADIUS client configuration of the JUNOSe router is described in the JUNOSe
Broadband Access Configuration Guide.
The RADIUS client configuration of the SAE is described in the SDX Installation and
Configuration Guide.
Administration User Interface
The administration user interface is a Web-based GUI. You use this GUI to configure
the JUNOSe router and the SAE as RADIUS clients.
Each JUNOSe router and each SAE connected to a Steel-Belted Radius/SPE must be
configured as a RADIUS client.
If you have a Netscape browser installed in /opt/netscape, you must set the environment variable MOZILLA_HOME=/opt/netscape to run Java applets.
After you launch the Netscape browser, choose the URL file:///opt/UMC/SPE/radadmin/java/index.html. This page prompts you for authentication credentials when you try to connect to the local server. By default, the username is admin with the password radius.
After a successful authentication, the Web-based GUI is displayed.
To configure a JUNOSe router as a RAS client, select RAS Clients on the left-hand
side of the window and click Add; then enter the necessary information.
When Steel-Belted Radius/SPE is integrated with the SAE, the Steel-Belted
Radius/SPE must know that the SAE server is a RAS client. The SAE server requires
some JUNOSe specific attributes; therefore, it must be configured as a JUNOSe
RADIUS client.
To specify the authentication method in the Radius Administration window, select
Configuration on the left-hand side of the screen. The methods Native User, Unix
User, and Unix Group must be deactivated. LDAP will be the only activated method.
Chapter 10
Integrating Merit RADIUS
Use the information in this chapter to integrate Merit AAA with JUNOSe routers.
Refer to the SDX release notes for information about compatibility of this SDX
release with Merit AAA 4.22E releases. The SDX software does not support the use
of RADIUS with JUNOS routing platforms.
This chapter contains the following sections:
! System Requirements on page 110
! Installing Merit AAA on page 110
! LDAP Features on page 110
! Configuring UDP Ports on page 111
! Starting and Stopping the RADIUS Server on page 112
! Extending Dictionary Files with JUNOSe Parameters on page 113
! Configuring LDAP Authentication on page 115
! Accounting Log File Format on page 119
! RADIUS Client/Server Configuration on page 120
! Testing the Merit AAA Server on page 121
Information about the simpler case of integrating the Merit AAA 4.22E server with
the JUNOSe router (without using the SDX software) is provided.
The SDX software can take advantage of a RADIUS server to authenticate against an
LDAP server, which is used to store subscriber and service information, among
other items.
NOTE: The Merit AAA 4.22E product is provided with the SDX software; all others
are third-party products. We recommend that the Merit AAA 4.22E RADIUS
solution be used for trial purposes only.
System Requirements
The following are the system requirements:
! Operating system—Solaris 8 or higher
! RAM—At least 64 MB of working memory
! Disk—Depends on external database support and storage time of the
accounting log files; at least 40 MB of hard-disk space
Installing Merit AAA
The Merit AAA 4.22E server package is part of the Service Deployment System
(SDX) CD and is called UMCradius. The installation procedure for the Merit AAA
4.22E for Solaris host is described in the SDX Software Basics Guide, Chapter 5,
Installing the SDX-300 Software.
If the Merit AAA 4.22E server is installed from the SDX Software CD, the dictionary
file is already extended by the JUNOSe-specific attributes.
LDAP Features
The Merit AAA server package is composed of functional building blocks called
authentication/authorization transfer vectors (AATVs). These AATVs perform a
specific function, such as UNIX password checking or authentication against an
LDAP directory.
LDAP authentication allows all user configuration to be done and stored in the LDAP
directory, eliminating the need to edit the server's configuration files to change user
information. In addition to being a policy repository, the LDAP directory replaces the
users file or the UNIX password file as the place to store user IDs and passwords, and it
scales better when dealing with a large number of users.
The ProLDAP AATV is an authentication AATV that performs two functions. First, it
checks the validity of the user’s ID and password. Second, if authentication is
successful, the AATV loads attribute value pairs into the aaaCheck-list, aaaDeny-list,
and aaaReply-list in the authentication request. The ProLDAP AATV uses a set of
asynchronous LDAP API functions that allow the ProLDAP to be a direct-type AATV.
Using a poll interface inside the AAA server engine, the main process is not blocked
by the ProLDAP AATV; therefore, the ProLDAP process does not create and run a
child process. The asynchronous LDAP API functions allow an LDAP search, for
example, to be sent out to a directory server without waiting for the search result to
come back. Later on, the owner of the search may poll the LDAP client to find out if
any result is available from the search.
The ProLDAP AATV is designed to work with different LDAP directory
configurations. The directory may be configured to either allow or not allow the
user password to be returned to the AAA server in an LDAP search. The ProLDAP
AATV may be configured to first try searching for the user in the directory. If the
password is returned, a password comparison is done to authenticate the user.
Otherwise, it will try to bind the user to the directory with the given password.
ProLDAP may be configured to do a bind or search operation, but only if the
directories are known to support those configurations.
Configuration of the LDAP search operations based on realms is described in
Configuring LDAP Authentication on page 115.
Configuring UDP Ports
The transaction-based RADIUS protocol uses two UDP ports: one for authentication
packets and one for accounting packets. The ports must be configured on two sides:
the Merit AAA server and the RADIUS clients (SDX software and JUNOSe router).
The officially assigned UDP port numbers are:
! 1812 for authentication
! 1813 for accounting
Early deployments of RADIUS used 1645/udp for authentication packets and
1646/udp for accounting packets.
The Merit AAA RADIUS server uses the early ports (1645/1646) by default, whereas the
JUNOSe router uses the official ports (1812/1813) by default. If the two sides do not
agree, requests are never answered: the client simply retries and times out, so check
the ports first when authentication fails.
There are two possible ways to change these settings:
! Edit your copy of the /etc/services file so that it contains entries for the RADIUS
authentication and accounting services that specify the ports you want to use. To move
the Merit AAA server to the official ports, add the following two lines to
/etc/services:
radius 1812/udp # RADIUS Authentication
radacct 1813/udp # RADIUS Accounting
! Override all default and configured values at server start-up with the radiusd -p
(authentication port) and -q (accounting port) command-line options. The SDX software
installs the Merit AAA server with a start script, called rad, which uses ports 1812
and 1813 for authentication and accounting (see next section).
Starting and Stopping the RADIUS Server
We include a script for starting and stopping the RADIUS server. The filename of the
script is rad, and it is installed in the directory /opt/UMC/radius.
To start the Merit AAA server, change the directory to /opt/UMC/radius and start the
program by typing:
./rad start
During start-up, the RADIUS server binds to the LDAP server. This process requires
that the LDAP server be running before the RADIUS server is started.
The RADIUS daemon is automatically started whenever the Solaris host is started.
Stop the RADIUS server by typing:
./rad stop
The following command checks the status of the Merit AAA server:
./rad status
If you are using a Merit AAA server that is not supplied by Juniper Networks, you
can start the Merit server by launching the RADIUS daemon.
The syntax is as follows:
radiusd [-a acct-dir] [-d config-dir] [-da aatv-dir] [-dl log-dir] [-A] [-f fsm-file]
[-g {'syslog' | 'logfile' | 'stderr'}] [-l] [-n] [-p auth-port] [-pp relay-auth-port]
[-q acct-port] [-qq relay-acct-port] [-t minutes] [-v] [-z] [-h]
where:
! -a—Directory where to put accounting records
! -d—Directory of users, clients, authfile, dictionary, configuration files
! -da—Directory where the binary AATVs are
! -dl—Directory where the log files should go
! -f—Allows the user to specify an alternate finite state machine (FSM) table file
instead of the default radius.fsm file
! -g—Select logfile, syslog, or stderr logging
! -h—Displays this help syntax
! -n—New session table at start for LAS
! -p—Port number on which to listen for authentication requests
! -pp—Port number on which to relay authentication requests
! -q—Port number on which to listen for accounting requests
! -qq—Port number on which to relay accounting requests
! -t—Inactivity timeout value (minutes)
! -v—Displays RADIUS version
Extending Dictionary Files with JUNOSe Parameters
In addition to supporting standard RADIUS attributes, the JUNOSe router supports
JUNOSe-specific attributes. These attributes must be introduced to the Merit AAA
server. It is necessary to use the RADIUS attributes for both Merit AAA
server–JUNOSe router integration and Merit AAA server–JUNOSe router–SDX
integration.
If you use the Merit AAA server package that we supply, you do not need to extend
the dictionary files, and you can proceed to the next section. If, however, you use
another version of the Merit AAA server, you must extend the dictionary file.
In that case, change to the configuration directory of the Merit AAA installation and
append the JUNOSe-specific attributes to the dictionary file as follows:
1. Change to the directory in which you installed Merit AAA.
cd /opt/UMC/radius
2. Open the radius.dct file.
3. At the end of the file, add the JUNOSe attributes in the following way.
# Juniper Networks Inc.
# E-series Extensions
Juniper.attr Virtual-Router-Name 1 string (1, 0, 0)
Juniper.attr Address-Pool-Name 2 string (1, 0, 0)
Juniper.attr Local-Loopback 3 string (1, 0, 0)
Juniper.attr Primary-DNS 4 ipaddr (1, 0, 0)
Juniper.attr Secondary-DNS 5 ipaddr (1, 0, 0)
Juniper.attr Primary-WINS 6 ipaddr (1, 0, 0)
Juniper.attr Secondary-WINS 7 ipaddr (1, 0, 0)
Juniper.attr Tunnel-Virtual-Router 8 string (1, 0, 0)
Juniper.attr Tunnel-Password 9 string (1, 0, 0)
Juniper.attr Ingress-Policy-Name 10 string (1, 0, 0)
Juniper.attr Egress-Policy-Name 11 string (1, 0, 0)
Juniper.attr Ingress-Statistics 12 integer (1, 0, 0)
Juniper.attr Egress-Statistics 13 integer (1, 0, 0)
Juniper.attr Atm-Service-Category 14 integer (1, 0, 0)
Juniper.attr Atm-PCR 15 integer (1, 0, 0)
Juniper.attr Atm-SCR 16 integer (1, 0, 0)
Juniper.attr Atm-MBS 17 integer (1, 0, 0)
Juniper.attr Cli-Initial-Access-Level 18 string (1, 0, 0)
Juniper.attr Cli-Allow-All-VR-Access 19 integer (1, 0, 0)
Juniper.attr Alternate-Cli-Access-Level 20 string (1, 0, 0)
Juniper.attr Alternate-Cli-Vrouter-Name 21 string (1, 0, 0)
Juniper.attr Sa-Validate 22 integer (1, 0, 0)
Juniper.attr Igmp-Enable 23 integer (1, 0, 0)
Juniper.attr Pppoe-Description 24 string (1, 0, 0)
Juniper.attr Redirect-VR-Name 25 string (1, 0, 0)
Juniper.attr Qos-Profile-Name 26 string (1, 0, 0)
Juniper.attr Pppoe-Max-Sessions 27 integer (1, 0, 0)
Juniper.attr Pppoe-Url 28 string (1, 0, 0)
Juniper.attr Qos-Profile-Interface-Type 29 integer (1, 0, 0)
Juniper.attr Tunnel-Nas-Port-Method 30 integer (1, 0, 0)
Juniper.attr Service-Bundle 31 string (1, 0, 0)
Juniper.attr Tunnel-Tos 32 integer (1, 0, 0)
Juniper.attr Tunnel-Maximum-Sessions 33 integer (1, 0, 0)
Juniper.attr Framed-Ip-Route-Tag 34 string (1, 0, 0)
Juniper.attr Tunnel-Dialout-Number 35 string (1, 0, 0)
Juniper.attr Ppp-Username 36 string (1, 0, 0)
Juniper.attr Ppp-Password 37 string (1, 0, 0)
Juniper.attr Ppp-Authenticate-Protocol 38 integer (1, 0, 0)
Juniper.attr Tunnel-Minimum-Bps 39 integer (1, 0, 0)
Juniper.attr Tunnel-Maximum-Bps 40 integer (1, 0, 0)
Juniper.attr Tunnel-Bearer-Type 41 integer (1, 0, 0)
Juniper.attr Input-Gigapkts 42 integer (1, 0, 0)
Juniper.attr Output-Gigapkts 43 integer (1, 0, 0)
Juniper.attr Tunnel-Interface-Id 44 string (1, 0, 0)
Juniper.attr Ipv6-Virtual-Router 45 string (1, 0, 0)
Juniper.attr Ipv6-Local-Interface 46 string (1, 0, 0)
Juniper.attr Ipv6-Primary-DNS 47 string (1, 0, 0)
Juniper.attr Ipv6-Secondary-DNS 48 string (1, 0, 0)
Juniper.attr Sdx-Service-Name 49 string (1, 0, 0)
Juniper.attr Sdx-Session-Volume-Quota 50 string (1, 0, 0)
Juniper.attr Tunnel-Disconnect-Cause-Info 51 string (1, 0, 0)
# Ingress-Statistics Values
Juniper.value Ingress-Statistics False 0
Juniper.value Ingress-Statistics True 1
# Egress-Statistics Values
Juniper.value Egress-Statistics False 0
Juniper.value Egress-Statistics True 1
# Atm-Service-Category Values
Juniper.value Atm-Service-Category UBR 1
Juniper.value Atm-Service-Category UBRPCR 2
Juniper.value Atm-Service-Category nrtVBR 3
Juniper.value Atm-Service-Category CBR 4
# Cli-Allow-All-VR-Access Values
Juniper.value Cli-Allow-All-VR-Access False 0
Juniper.value Cli-Allow-All-VR-Access True 1
# Sa-Validate Values
Juniper.value Sa-Validate False 0
Juniper.value Sa-Validate True 1
# Igmp-Enable Values
Juniper.value Igmp-Enable False 0
Juniper.value Igmp-Enable True 1
# Qos-Profile-Interface-Type Values
Juniper.value Qos-Profile-Interface-Type IP 1
Juniper.value Qos-Profile-Interface-Type ATM 2
Juniper.value Qos-Profile-Interface-Type HDLC 3
Juniper.value Qos-Profile-Interface-Type ETHERNET 4
Juniper.value Qos-Profile-Interface-Type SERVER-PORT 5
Juniper.value Qos-Profile-Interface-Type ATM-1483 6
Juniper.value Qos-Profile-Interface-Type FRAME-RELAY 7
Juniper.value Qos-Profile-Interface-Type MPLS-MINOR 8
Juniper.value Qos-Profile-Interface-Type CBF 9
Juniper.value Qos-Profile-Interface-Type IP-TUNNEL 10
Juniper.value Qos-Profile-Interface-Type VLAN-SUB 11
Juniper.value Qos-Profile-Interface-Type PPPOE-SUB 12
# Tunnel-Nas-Port-Method Values
Juniper.value Tunnel-Nas-Port-Method none 0
Juniper.value Tunnel-Nas-Port-Method CISCO-CLID 1
# Ppp-Authenticate-Protocol
Juniper.value Ppp-Authenticate-Protocol None 0
Juniper.value Ppp-Authenticate-Protocol PAP 1
Juniper.value Ppp-Authenticate-Protocol CHAP 2
Juniper.value Ppp-Authenticate-Protocol PAP-CHAP 3
Juniper.value Ppp-Authenticate-Protocol CHAP-PAP 4
# Tunnel-Bearer-Type
Juniper.value Tunnel-Bearer-Type None 0
Juniper.value Tunnel-Bearer-Type ANALOG 1
Juniper.value Tunnel-Bearer-Type DIGITAL 2
The next step defines the JUNOSe router as the network access server (NAS) to be
recognized by the Merit AAA server. This involves the extension of the vendor file.
The vendor file is located in /opt/UMC/radius/etc.
The vendor file contains a list of zero or more vendor entries. Each vendor entry
contains a vendor name and a vendor number. Each entry optionally contains an
interim way of mapping external (with respect to the RADIUS server) attribute
numbers to internal (with respect to the RADIUS server) vendor-specific attributes.
This optional mapping is used on RADIUS requests and responses. The following
lines must be added, where every line starting with the character “#” indicates a
comment:
# Juniper Networks Inc. extensions
ERX-VSA.attr ERX-VSA.value 4874 Juniper
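The following Python script is an added example and is not part of this guide or of the Merit AAA software. It shows what the dictionary and vendor-file entries above mean on the wire: it parses a constructed excerpt of the dictionary lines, encodes a JUNOSe attribute as a RADIUS Vendor-Specific attribute (type 26) carrying vendor ID 4874 followed by the vendor type, vendor length, and value, and decodes it again while checking every length field. The dictionary excerpt and the attribute values are constructed for the example; the (1, 0, 0) flags column is accepted but not used.

```python
import ipaddress
import re
import struct

# Vendor ID from the vendor-file entry above (ERX-VSA ... 4874 Juniper).
JUNIPER_VENDOR_ID = 4874
VENDOR_SPECIFIC = 26            # RFC 2865 attribute type
MAX_VENDOR_DATA = 253 - 6 - 2   # attribute limit minus VSA header and sub-attribute header

# Constructed excerpt of the dictionary lines shown above.
DICTIONARY_EXCERPT = """
# Juniper Networks Inc.
# E-series Extensions
Juniper.attr Virtual-Router-Name 1 string (1, 0, 0)
Juniper.attr Primary-DNS 4 ipaddr (1, 0, 0)
Juniper.attr Ingress-Policy-Name 10 string (1, 0, 0)
Juniper.attr Ingress-Statistics 12 integer (1, 0, 0)
# Ingress-Statistics Values
Juniper.value Ingress-Statistics False 0
Juniper.value Ingress-Statistics True 1
"""

ATTR_RE = re.compile(r"^\w+\.attr\s+(\S+)\s+(\d+)\s+(string|ipaddr|integer)\b")
VALUE_RE = re.compile(r"^\w+\.value\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_dictionary(text):
    """Return ({name: (number, type)}, {(name, symbol): int}) from Merit dictionary lines."""
    attrs, values = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if m:
            name, num, typ = m.groups()
            attrs[name] = (int(num), typ)
            continue
        m = VALUE_RE.match(line)
        if m:
            name, symbol, num = m.groups()
            values[(name, symbol)] = int(num)
    return attrs, values


def encode_vsa(attrs, values, name, value):
    """Encode one JUNOSe attribute as a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    num, typ = attrs[name]
    if typ == "string":
        data = value.encode()
    elif typ == "ipaddr":
        data = ipaddress.IPv4Address(value).packed
    else:  # integer, possibly given by its dictionary symbol such as "True"
        if isinstance(value, str):
            value = values[(name, value)]
        data = struct.pack("!I", value)
    if len(data) > MAX_VENDOR_DATA:
        raise ValueError("value too long for a single RADIUS attribute")
    sub = struct.pack("!BB", num, 2 + len(data)) + data  # vendor type, vendor length, value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), JUNIPER_VENDOR_ID) + sub


def decode_vsa(attrs, values, blob):
    """Inverse of encode_vsa; rejects anything that is not a well-formed Juniper VSA."""
    if len(blob) < 8:
        raise ValueError("truncated attribute")
    atype, alen, vendor = struct.unpack("!BBI", blob[:6])
    if atype != VENDOR_SPECIFIC or vendor != JUNIPER_VENDOR_ID or alen != len(blob):
        raise ValueError("not a Juniper VSA or bad attribute length")
    vtype, vlen = blob[6], blob[7]
    if vlen < 2 or vlen != len(blob) - 6:
        raise ValueError("bad vendor sub-attribute length")
    data = blob[8:6 + vlen]
    by_number = {num: (name, typ) for name, (num, typ) in attrs.items()}
    if vtype not in by_number:
        raise ValueError("unknown vendor type %d" % vtype)
    name, typ = by_number[vtype]
    if typ == "string":
        return name, data.decode()
    if typ == "ipaddr":
        return name, str(ipaddress.IPv4Address(data))
    n = struct.unpack("!I", data)[0]
    symbols = {v: s for (a, s), v in values.items() if a == name}
    return name, symbols.get(n, n)


if __name__ == "__main__":
    attrs, values = parse_dictionary(DICTIONARY_EXCERPT)
    for name, value in [("Virtual-Router-Name", "Default"),
                        ("Primary-DNS", "10.227.9.1"),
                        ("Ingress-Statistics", "True")]:
        blob = encode_vsa(attrs, values, name, value)
        print(blob.hex(), "->", decode_vsa(attrs, values, blob))
```

The decoder checks the vendor-length byte against the enclosing attribute length rather than trusting either one alone; a server that reads as far as the vendor-length byte says, without that cross-check, can be made to read past the attribute.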
Configuring LDAP Authentication
The SDX software assumes that all RADIUS authentications are performed against the
SDX LDAP directory. This section also applies to Merit AAA server integration with a
JUNOSe router if Merit AAA authenticates against an LDAP directory. The
JUNOSe-specific attributes, such as primary DNS and virtual router, must also be
integrated, as outlined in this section.
Merit AAA Configuration
The Merit AAA server configuration for the ProLDAP AATV is done through the
authfile file, which is stored in the configuration directory /opt/UMC/radius/etc. You
must configure these tasks:
! How the Merit AAA server performs authentication
! Which external database is used for authentication, based on the realm name
Administrators must create a table in the authfile file for each realm name. Merit
AAA supports up to four LDAP directories, which could be used for authentication
for each realm.
realm PROLDAP description
{
Filter-Type bin | cis
Directory directory-1
{
Host dir1.host.com
Port port-number
Administrator directory-manager-dn
[Password directory-manager-password]
SearchBase realm-search-base-in-directory
Authenticate Auto | Bind | Search
}
...
}
where
! realm—Identifies the realm name that is used during PPP login
(username@realm). The special value NULL specifies treatment of any
incoming access request, where no realm name is submitted during the PPP
login.
! PROLDAP—Identifies that this table is valid for the ProLDAP-AATV.
! Filter-Type—Identifies treatment of the user ID. Valid values are either case
sensitive (bin) or not case sensitive (cis).
! Directory—Identifies the start of the directory section. Up to four directory
sections are supported per realm. If the value contains spaces or tabs, it must
be enclosed by either the double-quote or the single-quote character. Merit AAA
uses the round-robin method for those identified directories.
! Host—The value (fully qualified DNS name or IP address) identifies the LDAP
directory.
! Port—Identifies the port the LDAP server listens to.
! Administrator—DN that specifies the user entry AAA uses to bind to the LDAP
directory. The DN must be specified if Authenticate is set to Search.
! Password—Password for the Administrator DN. It is stored in clear text in the
authfile, so restrict read access to that file to the account that runs radiusd.
! SearchBase—DN that represents the start point of the LDAP search operation
for that realm.
! Authenticate—Identifies how Merit AAA authenticates incoming access
requests. Valid values are:
! Auto—AAA performs a search as the configured administrator (searches
anonymously if no configured administrator), anticipating that the
password is in the result. It binds as the user if the password is not
available.
! Bind—AAA tries to bind with the user ID and password specified during the
PPP login.
! Search—AAA binds as the configured administrator and performs a search
operation. LDAP returns the user password, which is compared with the password
submitted during the PPP login. For this to work, the administrator DN must be
allowed to read the userPassword attribute of the subscriber entries.
NOTE: The SDX software uses the search option.
The following authfile example depicts the treatment of PPP logins without any
realm and with the realm name virneo.com:
# This is a realm entry for an LDAP Server with PROLDAP with NO Realm
#
NULL PROLDAP Default-Setting
{
Filter-Type BIN
Directory SDX
{
Host 123.45.3.1
Port 389
Administrator "cn=radius,ou=components,o=operators,o=umc"
Password "radius"
SearchBase "retailerName=default, o=users, o=umc"
Authenticate search
}
}
# This is a realm entry for two LDAP Servers with PROLDAP with Realm virneo.com
#
virneo.com PROLDAP Virneo-Setting
{
Filter-Type BIN
Directory virneo
{
Host 245.3.4.5
Port 389
Administrator "cn=radius,ou=components,o=operators,o=umc"
Password "radius"
SearchBase "retailerName=SP,o=users,o=umc"
Authenticate search
}
Directory virneo-backup
{
Host 245.3.4.6
Port 389
Administrator "cn=radius,ou=components,o=operators,o=umc"
Password "radius"
SearchBase "retailerName=SP,o=users,o=umc"
Authenticate search
}
}
After the installation of Merit AAA from the SDX CD-ROM, the NULL realm is
enabled by default.
Configuring RADIUS Profiles with the LDAP Directory
RADIUS servers search for objects of type umcRadiusPerson to authenticate
incoming PPP sessions. If RADIUS and JUNOSe-specific attributes must be returned
to the JUNOSe router during the authentication process, Merit AAA expects the
following AAA attributes in the entry:
! aaaReply—A response sent back from the server (for example, a session time
limit)
! aaaCheck—An attribute that must be present in the user entry for the entry to
evaluate as True
! aaaDeny—An attribute that must NOT be present in the user entry for the entry
to evaluate as True
These attributes are multivalued attributes containing the RADIUS attribute value
pairs to be processed by the Merit AAA server.
The following depicts a umcRadiusPerson object that returns the RADIUS attribute
values for Session-Timeout, Idle-Timeout, and Class and the JUNOSe-specific
attribute for the virtual router to be used on the JUNOSe router. This entry is shown
in LDAP Data Interchange Format (LDIF) notation; the serviceName attribute matches
the serviceName in the entry's DN:
dn: serviceName=bras,uniqueID=jane,ou=local,retailerName=isp1,o=Users,o=umc
objectClass: umcRadiusPerson
objectClass: umcServiceProfile
objectClass: top
uid: jane
userPassword: secret
serviceName: bras
usedService: serviceName=bras,o=Services,o=umc
aaaReply: Virtual-Router-Name=Default
aaaReply: Class=1,uid,bras
aaaReply: Idle-Timeout=2700
aaaReply: Session-Timeout=10800
Accounting Log File Format
It is important to know the format of the accounting log files as generated by the
RADIUS server. The following is an example of an accounting log file generated by
Merit AAA with:
! Some accounting activity coming from the JUNOSe RADIUS client (tracking the
activity of a PPP session)
! Some accounting activity coming from the SDX RADIUS client (a video service
being activated, then deactivated)
NOTE: The Merit AAA server that we supply supports interim accounting by
default.
Tue May 1 10:58:42 2001
Acct-Status-Type = Start
User-Name = "user1@isp1"
Event-Time = "May 1 2001"
Acct-Delay-Time = 0
NAS-Identifier = "OBIWAN"
Acct-Session-Id = "erx fastEthernet 3/1::0000022073"
NAS-IP-Address = 10.227.9.145
Service-Type = Framed
Framed-Protocol = PPP
Framed-IP-Address = 10.227.9.150
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = None
NAS-Port-Type = 15
NAS-Port = 822083584
NAS-Port-Id = "fastEthernet 3/1:"
Ingress-Policy-Name = "unlim"
Acct-Authentic = RADIUS
User-Id = "user1"
User-Realm = "isp1"
Tue May 1 10:59:49 2001
Acct-Status-Type = Start
Acct-Delay-Time = 0
User-Name = "user1@isp1"
Acct-Session-Id = "sspServiceVideoG:user1:e634da23b6"
NAS-Identifier = "SSP.lion"
User-Id = "user1"
User-Realm = "isp1"
Tue May 1 11:07:25 2001
Acct-Status-Type = Stop
Acct-Delay-Time = 0
User-Name = "user1"
Acct-Session-Id = "sspServiceVideoG:user1:e634da23b6"
Acct-Input-Octets = 10681
Acct-Input-Gigawords = 0
Acct-Input-Packets = 94
Acct-Output-Octets = 0
Acct-Output-Gigawords = 0
Acct-Output-Packets = 0
Acct-Session-Time = 456
NAS-Identifier = "SSP"
User-Id = "user1"
User-Realm = ""
LAS-Start-Time = 988729189
LAS-Code = LAS-Notlocal
LAS-Duration = 456
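The following Python script is an added example and is not part of this guide or of Merit AAA. It parses the accounting excerpt above (embedded as the sample input, trimmed to the relevant attributes, plus one constructed Stop record for a user2 session that never started) into records, pairs Start and Stop records by Acct-Session-Id rather than by User-Name, checks Acct-Session-Time against the elapsed time between the two timestamps, and flags a Stop without a Start or an identifier that changed between Start and Stop. The sample log shows why the session ID is the right key: the Stop record for the video service carries User-Name user1 without the realm and NAS-Identifier SSP instead of SSP.lion.

```python
import re
from datetime import datetime

# Sample input: the accounting excerpt shown above, trimmed to the relevant attributes,
# plus one constructed Stop record (user2) that has no matching Start.
SAMPLE_LOG = """Tue May 1 10:58:42 2001
Acct-Status-Type = Start
User-Name = "user1@isp1"
Acct-Delay-Time = 0
NAS-Identifier = "OBIWAN"
Acct-Session-Id = "erx fastEthernet 3/1::0000022073"
NAS-IP-Address = 10.227.9.145
Framed-IP-Address = 10.227.9.150
User-Id = "user1"
User-Realm = "isp1"
Tue May 1 10:59:49 2001
Acct-Status-Type = Start
Acct-Delay-Time = 0
User-Name = "user1@isp1"
Acct-Session-Id = "sspServiceVideoG:user1:e634da23b6"
NAS-Identifier = "SSP.lion"
Tue May 1 11:07:25 2001
Acct-Status-Type = Stop
Acct-Delay-Time = 0
User-Name = "user1"
Acct-Session-Id = "sspServiceVideoG:user1:e634da23b6"
Acct-Input-Octets = 10681
Acct-Session-Time = 456
NAS-Identifier = "SSP"
LAS-Duration = 456
Tue May 1 11:09:00 2001
Acct-Status-Type = Stop
Acct-Delay-Time = 0
User-Name = "user2"
Acct-Session-Id = "sspServiceVideoG:user2:0000000000"
Acct-Session-Time = 30
NAS-Identifier = "SSP"
"""

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")


def parse_acct_log(text):
    """Split the log into records, one per timestamp line, with typed attribute values."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            stamp = datetime.strptime(" ".join(line.split()), "%a %b %d %H:%M:%S %Y")
            current = {"_time": stamp}
            records.append(current)
            continue
        if current is None or " = " not in line:
            continue  # attribute lines before the first timestamp are ignored
        key, _, value = line.partition(" = ")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        elif re.fullmatch(r"-?\d+", value):
            value = int(value)
        current[key.strip()] = value
    return records


def reconcile(records, slack=5):
    """Pair Start/Stop by Acct-Session-Id and flag the inconsistencies an auditor wants to see."""
    sessions = {}
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        if sid is None:
            continue
        s = sessions.setdefault(sid, {"start": None, "stop": None, "anomalies": []})
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            if s["start"] is not None:
                s["anomalies"].append("duplicate Start")
            s["start"] = rec
        elif status == "Stop":
            if s["stop"] is not None:
                s["anomalies"].append("duplicate Stop")
            s["stop"] = rec
    for s in sessions.values():
        start, stop = s["start"], s["stop"]
        s["elapsed"] = None
        if start and stop:
            s["state"] = "closed"
            s["elapsed"] = int((stop["_time"] - start["_time"]).total_seconds())
            reported = stop.get("Acct-Session-Time")
            # Acct-Delay-Time accounts for retransmission; anything beyond that plus slack is suspect.
            if reported is not None and abs(reported - s["elapsed"]) > slack + stop.get("Acct-Delay-Time", 0):
                s["anomalies"].append(f"Acct-Session-Time {reported} vs log elapsed {s['elapsed']}")
            for key in ("NAS-Identifier", "User-Name"):
                if start.get(key) != stop.get(key):
                    s["anomalies"].append(f"{key} changed ({start.get(key)} -> {stop.get(key)})")
        elif start:
            s["state"] = "open"
        else:
            s["state"] = "orphan"
            s["anomalies"].append("Stop without Start")
    return sessions


if __name__ == "__main__":
    for sid, s in reconcile(parse_acct_log(SAMPLE_LOG)).items():
        print(f"{sid!r}: {s['state']}, elapsed={s['elapsed']}, anomalies={s['anomalies']}")
```

The PPP session from the JUNOSe router stays open because the excerpt contains no Stop for it; an orphan Stop, as for the constructed user2 record, is what a spoofed or misrouted accounting packet looks like in the log and is worth alerting on.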
RADIUS Client/Server Configuration
For the Merit AAA server and RADIUS clients (JUNOSe router and the SAE software)
to communicate, you must configure both the client and the server.
RADIUS Server Configuration
The RADIUS server must know how to talk to the RADIUS clients. The following
information about all RADIUS clients connected to the RADIUS server must be
known to the RADIUS server:
! IP address of the RADIUS client
! RADIUS shared secret to be exchanged between Merit AAA and the client
! Model (vendor) of the RADIUS client
Configure this information by editing the /opt/UMC/radius/etc/clients file. The Key
column holds the shared secret for that client. The value secret used below is a
placeholder; in production give each client its own long random secret, because anyone
who knows it can forge Access-Accept responses for that client and recover User-Password
attributes from its requests. The clients file should look like the following:
#Client Name Key [type] [version] [prefix]
#---------------- -------------- --------------- ------- --------
# SSP Client 192.23.3.10 secret type=Juniper:NAS v1
# Juniper ERX node (Enable the Juniper extensions)
192.23.3.1 secret type=Juniper:NAS v1
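The shared secret in the clients file is the only thing that authenticates the router or the SAE to the server and the server's reply to them. The following Python script is an added example, not part of this guide or of Merit AAA; it implements the two RFC 2865 uses of the secret: hiding the User-Password attribute in an Access-Request (MD5 of the secret and the Request Authenticator, XORed into the password block by block) and computing the Response Authenticator that the client checks on an Access-Accept. The user name, password, and the secret value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6


def attribute(atype, data):
    """One RFC 2865 attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, 2 + len(data)) + data


def parse_attributes(packet):
    """Walk the attribute list after the 20-byte header; reject malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side: undo hide_password and strip the zero padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(ident, username, password, secret, request_authenticator=None):
    """Client side; the Request Authenticator must be fresh random bytes per request."""
    ra = request_authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, username.encode())
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def access_accept(ident, request_authenticator, attrs, secret):
    """Server side: only a holder of the shared secret can produce a valid Accept."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_authenticator, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(packet, request_authenticator, secret):
    """Client side: a wrong secret, tampered attributes or a forged reply all fail."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"secret"  # the placeholder key from the clients file above; constructed values follow
    req = access_request(7, "jane@isp1.com", "s3cret-pw", secret)
    ra, got = req[4:20], parse_attributes(req)
    print("server recovers password:", reveal_password(got[USER_PASSWORD], secret, ra))
    reply_attrs = attribute(SERVICE_TYPE, b"\x00\x00\x00\x02")  # Service-Type = Framed
    print("genuine Accept verifies:",
          verify_response(access_accept(7, ra, reply_attrs, secret), ra, secret))
    print("Accept forged without the secret verifies:",
          verify_response(access_accept(7, ra, reply_attrs, b"guess"), ra, secret))
```

The forged Accept in the main block is the check a practitioner wants: without the secret the Response Authenticator does not verify, which is exactly why a guessable secret such as the placeholder is dangerous. The Request Authenticator must be fresh random bytes for every request; reusing it turns the password hiding into a reusable keystream.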
RADIUS Client Configuration
Each RADIUS client must know how to contact its RADIUS server. The following
information is required for client/server communication:
! IP address of the RADIUS server
! RADIUS shared secret to be exchanged between the Merit AAA server and the
client
! UDP ports on which the client sends and receives RADIUS authentication and
accounting packets. They must match with the server configuration.
The RADIUS client configuration of the JUNOSe router is described in the JUNOSe
Broadband Access Configuration Guide.
The RADIUS client configuration of the SAE is described in the SDX Software Basics
Guide.
Testing the Merit AAA Server
The Merit AAA installation from the SDX packages provides a script called tstrad for
testing the RADIUS setup. This script uses the Merit test-tool radpwtst. The test
script is located in the directory /opt/UMC/radius. To test the Merit AAA
configuration, change to the directory /opt/UMC/radius, and start the program by
typing:
./tstrad user password
where
! user—Specifies the string identifying the user during the PPP login; for
example, jane@isp1.com
! password—Specifies the user password submitted during the PPP login; for
example, ./tstrad jane@isp1.com secret
If you did not install the Merit software from the SDX package, use the radpwtst
tool to test the Merit AAA configuration by typing:
radpwtst -d config-dir -p port -s server -u ppp -x -w password user
where
! -d—Directory of users, clients, authfile, dictionary, etc.
! -p—Port number on which to listen for authentication requests
! -s—IP address or fully qualified DNS name of the server hosting Merit AAA
! -u—Authentication type; always use ppp
! -x—Allows the user to turn on debugging output
! -w—Allows the user to provide a password on the command line and not be
prompted
The following example accomplishes the same as the tstrad script:
radpwtst -d /opt/UMC/radius/etc -p 1812 -s `hostname` -u ppp -x -w secret jane@virneo.com
Chapter 11
Integrating RAD-Series RADIUS Server
Use the information in this chapter to integrate RAD-Series RADIUS server with
JUNOSe routers. Refer to the SDX release notes for information about compatibility
of this SDX release with RAD-Series RADIUS server releases. The SDX software does
not support the use of RADIUS with JUNOS routing platforms.
This chapter contains the following sections:
! System Requirements on page 124
! Installing the RAD-Series RADIUS Server on page 124
! LDAP Features on page 125
! Configuring UDP Ports on page 126
! Starting and Stopping RAD-Series Server Manager on page 126
! Extending Dictionary Files with JUNOSe Parameters on page 128
! Configuring LDAP Authentication on page 131
! Accounting Log File Format on page 137
! RADIUS Client/Server Configuration on page 138
! Testing the RAD-Series RADIUS Server on page 140
Information about the simpler case of integrating Interlink Networks RAD-Series
RADIUS Server with the JUNOSe router (without using the SDX software) is
provided.
The SDX software can take advantage of a RADIUS server to authenticate against an
LDAP server, which is used to store subscriber and service information, among
other items.
System Requirements
The following system requirements are recommended:
! Operating system—Sun Solaris 8 or Sun Solaris 9
! RAM—At least 128 MB of working memory
! Disk—Depends on external database support and storage time of the
accounting log files; at least 50 MB of hard-disk space
Installing the RAD-Series RADIUS Server
You will need the RAD-Series RADIUS Server software CD to complete this
procedure. You can acquire the software from Interlink Networks, Inc. See
http://www.interlinknetworks.com
To install the RAD-Series RADIUS Server software:
1. Log in as root.
2. Change the directory to the location where the installation binary is located.
Run the command:
sh RAD-Series.6.0.solaris.bin
The system asks for the product features to be installed. Select at least the
following features:
· RADIUS Binary Components
· RADIUS Configuration Files
· Server Manager
· Remote Control
3. Enter the binary directory. For example:
/opt/UMC/aaa
4. Enter the configuration directory. For example:
/opt/UMC/aaa/etc
5. When prompted, enter the data directory. For example:
/opt/UMC/aaa/var
6. Enter the documentation directory. For example:
/opt/UMC/aaa/doc
7. Enter the path where you want to install Tomcat. For example:
/opt/UMC/aaa/tomcat
8. When prompted for the shared secret, type:
secret
9. When prompted for the test user password, type:
secret
10. When prompted for the Server Manager user, type:
admin
11. When prompted for the Server Manager password, type:
radius
These are the values that the examples in this chapter assume. On a production server,
use a long random shared secret and a Server Manager password of your own; the shared
secret protects every RADIUS exchange with the router and the SAE.
When the installation is complete, the following lines appear:
Installation Complete
The software has been successfully installed to:
/opt/UMC/aaa
/opt/UMC/aaa/etc
/opt/UMC/aaa/var
/opt/UMC/aaa/tomcat
/opt/UMC/aaa/doc
12. Exit the installer.
NOTE: See the Interlink Networks RAD-Series RADIUS Server Getting Started Guide
for information about configuring the server and verifying the installation. The
document is located at: /opt/UMC/aaa/doc/doc/gstarted.pdf.
LDAP Features
The RAD-Series RADIUS Server package is composed of functional building blocks
called authentication/authorization transfer vectors (AATVs). These AATVs perform a
specific function, such as UNIX password checking or authentication against an
LDAP directory.
LDAP authentication allows all user configuration to be done and stored in the LDAP
directory, eliminating the need to edit the server's configuration files to change user
information. In addition to being a policy repository, the LDAP directory replaces the
users file or the UNIX password file as the place to store user IDs and passwords, and it
scales better when dealing with a large number of users.
The ProLDAP AATV is an authentication AATV that performs two functions. First, it
checks the validity of the user’s ID and password. Second, if authentication is
successful, the AATV loads attribute value pairs into the aaaCheck-list, aaaDeny-list,
and aaaReply-list in the authentication request. The ProLDAP AATV uses a set of
asynchronous LDAP API functions that allow an LDAP search, for example, to be
sent out to a directory server without waiting for the search result to come back.
Later on, the owner of the search may poll the LDAP client to find out if any result is
available from the search.
The ProLDAP AATV is designed to work with different LDAP directory
configurations. The directory may be configured to either allow or not allow the
user password to be returned to the AAA server in an LDAP search. The ProLDAP
AATV may be configured to first try searching for the user in the directory. If the
password is returned, a password comparison is done to authenticate the user.
Otherwise, it will try to bind the user to the directory with the given password.
ProLDAP may be configured to do a bind or search operation, but only if the
directories are known to support those configurations.
Configuration of the LDAP search operations based on realms is described in
Configuring LDAP Authentication on page 131.
Configuring UDP Ports
The transaction-based RADIUS protocol uses two UDP ports: one for authentication
packets and one for accounting packets. The ports must be configured on two sides:
RAD-Series RADIUS Server and the RADIUS clients (SDX software and JUNOSe
router).
The officially assigned UDP port numbers are:
! 1812 for authentication
! 1813 for accounting
Early deployments of RADIUS used 1645/UDP for authentication packets and
1646/UDP for accounting packets.
Both RAD-Series RADIUS Server and the JUNOSe router use the official ports by
default. If you decide to use different ports for any reasons, you can change the port
after you start RAD-Series RADIUS Server. This procedure is described in the next
section.
Starting and Stopping RAD-Series Server Manager
To open RAD-Series Server Manager:
1. Start Tomcat from the Tomcat directory you chose during installation by entering:
/opt/UMC/aaa/tomcat/bin/startup.sh
2. Enter the following URL into your Web browser, replacing host with the name or
address of the server:
http://host:8080/aaa/index.html
3. When prompted for the Server Manager username, enter:
admin
4. When prompted for the Server Manager password, enter:
radius
NOTE: You must use the same administrator and password you supplied during
the installation.
5. From the navigation pane, click Administration.
The Administration pane appears.
To start or stop RAD-Series Server Manager, click the Start or Stop button. When
RAD-Series Server Manager is running, the bullet in the navigation pane turns
green. When RAD-Series Server Manager is not running, it is blue.
Changing the UDP Ports
To use different UDP ports other than the default ports described in the previous
section:
1. Click the Options button located to the right of the Start button.
The following pane appears.
2. Under UDP Ports, enter the new Authentication and Accounting port settings.
3. Click OK.
Extending Dictionary Files with JUNOSe Parameters
In addition to supporting standard RADIUS attributes, the JUNOSe router supports
JUNOSe-specific attributes. These attributes must be introduced to RAD-Series
RADIUS Server. It is necessary to use the RADIUS attributes for both RAD-Series
RADIUS Server–JUNOSe router integration and RAD-Series RADIUS Server–JUNOSe
router–SDX integration.
The RAD-Series RADIUS Server package still uses the old Unisphere VSAs in its
dictionary file. You must edit the dictionary file (located in /opt/aaa/etc) and
replace the Unisphere attributes with the following JUNOSe extensions:
# Juniper Networks Inc.
# E-series Extensions
Juniper.attr Virtual-Router-Name 1 string (1, 0, 0)
Juniper.attr Address-Pool-Name 2 string (1, 0, 0)
Juniper.attr Local-Loopback 3 string (1, 0, 0)
Juniper.attr Primary-DNS 4 ipaddr (1, 0, 0)
Juniper.attr Secondary-DNS 5 ipaddr (1, 0, 0)
Juniper.attr Primary-WINS 6 ipaddr (1, 0, 0)
Juniper.attr Secondary-WINS 7 ipaddr (1, 0, 0)
Juniper.attr Tunnel-Virtual-Router 8 string (1, 0, 0)
Juniper.attr Tunnel-Password 9 string (1, 0, 0)
Juniper.attr Ingress-Policy-Name 10 string (1, 0, 0)
Juniper.attr Egress-Policy-Name 11 string (1, 0, 0)
Juniper.attr Ingress-Statistics 12 integer (1, 0, 0)
Juniper.attr Egress-Statistics 13 integer (1, 0, 0)
Juniper.attr Atm-Service-Category 14 integer (1, 0, 0)
Juniper.attr Atm-PCR 15 integer (1, 0, 0)
Juniper.attr Atm-SCR 16 integer (1, 0, 0)
Juniper.attr Atm-MBS 17 integer (1, 0, 0)
Juniper.attr Cli-Initial-Access-Level 18 string (1, 0, 0)
Juniper.attr Cli-Allow-All-VR-Access 19 integer (1, 0, 0)
Juniper.attr Alternate-Cli-Access-Level 20 string (1, 0, 0)
Juniper.attr Alternate-Cli-Vrouter-Name 21 string (1, 0, 0)
Juniper.attr Sa-Validate 22 integer (1, 0, 0)
Juniper.attr Igmp-Enable 23 integer (1, 0, 0)
Juniper.attr Pppoe-Description 24 string (1, 0, 0)
Juniper.attr Redirect-VR-Name 25 string (1, 0, 0)
Juniper.attr Qos-Profile-Name 26 string (1, 0, 0)
Juniper.attr Pppoe-Max-Sessions 27 integer (1, 0, 0)
Juniper.attr Pppoe-Url 28 string (1, 0, 0)
Juniper.attr Qos-Profile-Interface-Type 29 integer (1, 0, 0)
Juniper.attr Tunnel-Nas-Port-Method 30 integer (1, 0, 0)
Juniper.attr Service-Bundle 31 string (1, 0, 0)
Juniper.attr Tunnel-Tos 32 integer (1, 0, 0)
Juniper.attr Tunnel-Maximum-Sessions 33 integer (1, 0, 0)
Juniper.attr Framed-Ip-Route-Tag 34 string (1, 0, 0)
Juniper.attr Tunnel-Dialout-Number 35 string (1, 0, 0)
Juniper.attr Ppp-Username 36 string (1, 0, 0)
Juniper.attr Ppp-Password 37 string (1, 0, 0)
Juniper.attr Ppp-Authenticate-Protocol 38 integer (1, 0, 0)
Juniper.attr Tunnel-Minimum-Bps 39 integer (1, 0, 0)
Juniper.attr Tunnel-Maximum-Bps 40 integer (1, 0, 0)
Juniper.attr Tunnel-Bearer-Type 41 integer (1, 0, 0)
Juniper.attr Input-Gigapkts 42 integer (1, 0, 0)
Juniper.attr Output-Gigapkts 43 integer (1, 0, 0)
Juniper.attr Tunnel-Interface-Id 44 string (1, 0, 0)
Juniper.attr Ipv6-Virtual-Router 45 string (1, 0, 0)
Juniper.attr Ipv6-Local-Interface 46 string (1, 0, 0)
Juniper.attr Ipv6-Primary-DNS 47 string (1, 0, 0)
Juniper.attr Ipv6-Secondary-DNS 48 string (1, 0, 0)
Juniper.attr Sdx-Service-Name 49 string (1, 0, 0)
Juniper.attr Sdx-Session-Volume-Quota 50 string (1, 0, 0)
Juniper.attr Tunnel-Disconnect-Cause-Info 51 string (1, 0, 0)
# Ingress-Statistics Values
Juniper.value Ingress-Statistics False 0
Juniper.value Ingress-Statistics True 1
# Egress-Statistics Values
Juniper.value Egress-Statistics False 0
Juniper.value Egress-Statistics True 1
# Atm-Service-Category Values
Juniper.value Atm-Service-Category UBR 1
Juniper.value Atm-Service-Category UBRPCR 2
Juniper.value Atm-Service-Category nrtVBR 3
Juniper.value Atm-Service-Category CBR 4
# Cli-Allow-All-VR-Access Values
Juniper.value Cli-Allow-All-VR-Access False 0
Juniper.value Cli-Allow-All-VR-Access True 1
# Sa-Validate Values
Juniper.value Sa-Validate False 0
Juniper.value Sa-Validate True 1
# Igmp-Enable Values
Juniper.value Igmp-Enable False 0
Juniper.value Igmp-Enable True 1
# Qos-Profile-Interface-Type Values
Juniper.value Qos-Profile-Interface-Type IP 1
Juniper.value Qos-Profile-Interface-Type ATM 2
Juniper.value Qos-Profile-Interface-Type HDLC 3
Juniper.value Qos-Profile-Interface-Type ETHERNET 4
Juniper.value Qos-Profile-Interface-Type SERVER-PORT 5
Juniper.value Qos-Profile-Interface-Type ATM-1483 6
Juniper.value Qos-Profile-Interface-Type FRAME-RELAY 7
Juniper.value Qos-Profile-Interface-Type MPLS-MINOR 8
Juniper.value Qos-Profile-Interface-Type CBF 9
Juniper.value Qos-Profile-Interface-Type IP-TUNNEL 10
Juniper.value Qos-Profile-Interface-Type VLAN-SUB 11
Juniper.value Qos-Profile-Interface-Type PPPOE-SUB 12
# Tunnel-Nas-Port-Method Values
Juniper.value Tunnel-Nas-Port-Method none 0
Juniper.value Tunnel-Nas-Port-Method CISCO-CLID 1
# Ppp-Authenticate-Protocol
Juniper.value Ppp-Authenticate-Protocol None 0
Juniper.value Ppp-Authenticate-Protocol PAP 1
Juniper.value Ppp-Authenticate-Protocol CHAP 2
Juniper.value Ppp-Authenticate-Protocol PAP-CHAP 3
Juniper.value Ppp-Authenticate-Protocol CHAP-PAP 4
# Tunnel-Bearer-Type
Juniper.value Tunnel-Bearer-Type None 0
Juniper.value Tunnel-Bearer-Type ANALOG 1
Juniper.value Tunnel-Bearer-Type DIGITAL 2
The next step defines the JUNOSe router as the network access server (NAS) to be
recognized by RAD-Series RADIUS Server. This step involves the extension of the
vendor file. The vendor file is located in /opt/aaa/etc.
The vendor file contains a list of zero or more vendor entries. Each vendor entry
contains a vendor name and a vendor number. Each entry optionally contains an
interim way of mapping external (with respect to the RADIUS server) attribute
numbers to internal (with respect to the RADIUS server) vendor-specific attributes.
This optional mapping is used on RADIUS requests and responses. Again,
RAD-Series RADIUS Server still uses the Unisphere Networks extension. Edit the
vendors file and replace Unisphere with Juniper. Keep in mind that the ID should
remain at 4874.
These modified lines should look like the following:
# Juniper Networks
Juniper.attr Juniper.value 4874 Juniper
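The dictionary entries and the vendors entry above together tell RAD-Series RADIUS Server how to name Juniper's vendor-specific attributes under vendor number 4874. The following Python is an added example, not RAD-Series or SDX code: it parses a constructed excerpt of those dictionary lines, rejects duplicate attribute numbers (which would make received attributes ambiguous to decode), and encodes and decodes one attribute in the RFC 2865 Vendor-Specific (type 26) wire format that the router and server exchange. The trailing "(1, 0, 0)" fields are ignored because the page does not describe their meaning.

```python
# Added example (not RAD-Series or SDX code): parse the dictionary/vendor
# lines above and encode/decode one JUNOSe attribute as an RFC 2865 VSA.
import ipaddress
import struct

JUNIPER_VENDOR_ID = 4874  # vendor number from the vendors file above

# Constructed excerpt of the dictionary lines shown above.
DICTIONARY_EXCERPT = """
# Juniper Networks Inc.
# E-series Extensions
Juniper.attr Virtual-Router-Name 1 string (1, 0, 0)
Juniper.attr Primary-DNS 4 ipaddr (1, 0, 0)
Juniper.attr Ingress-Statistics 12 integer (1, 0, 0)
# Ingress-Statistics Values
Juniper.value Ingress-Statistics False 0
Juniper.value Ingress-Statistics True 1
"""


def parse_dictionary(text):
    """Return (attrs, values): attrs maps name -> (number, type); values maps
    attribute name -> {value name -> integer}. A duplicate attribute number is
    rejected because it would make received VSAs ambiguous to decode."""
    attrs, values, owner = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "Juniper.attr":
            name, number, typ = fields[1], int(fields[2]), fields[3]
            if number in owner:
                raise ValueError(f"number {number} used by both {owner[number]} and {name}")
            owner[number] = name
            attrs[name] = (number, typ)
        elif fields[0] == "Juniper.value":
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return attrs, values


def encode_vsa(attrs, values, name, value):
    """Encode one attribute as a Vendor-Specific AVP:
    26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | data."""
    number, typ = attrs[name]
    if typ == "string":
        data = value.encode()
    elif typ == "integer":
        if isinstance(value, str):  # symbolic value from a Juniper.value line
            value = values[name][value]
        data = struct.pack("!I", value)
    elif typ == "ipaddr":
        data = ipaddress.IPv4Address(value).packed
    else:
        raise ValueError(f"unsupported attribute type {typ}")
    inner = struct.pack("!BB", number, 2 + len(data)) + data
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + inner
    return struct.pack("!BB", 26, 2 + len(body)) + body


def decode_vsa(attrs, avp):
    """Inverse of encode_vsa: returns (name, value) or raises when the AVP is not
    a well-formed Vendor-Specific attribute carrying Juniper's vendor id."""
    code, length = struct.unpack("!BB", avp[:2])
    if code != 26 or length != len(avp) or length < 8:
        raise ValueError("not a well-formed Vendor-Specific AVP")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    if vendor_id != JUNIPER_VENDOR_ID:
        raise ValueError(f"unexpected vendor id {vendor_id}")
    vtype, vlen = struct.unpack("!BB", avp[6:8])
    data = avp[8:6 + vlen]
    by_number = {num: (name, t) for name, (num, t) in attrs.items()}
    name, typ = by_number[vtype]
    if typ == "string":
        return name, data.decode()
    if typ == "integer":
        return name, struct.unpack("!I", data)[0]
    return name, str(ipaddress.IPv4Address(data))
```

Running `decode_vsa` on anything a client sends is where the vendor id and length checks matter: a VSA with another vendor id or an inner length that overruns the outer one is rejected instead of being mapped to a Juniper attribute by number alone.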
Configuring LDAP Authentication
The SDX software assumes that all RADIUS authentications are performed against
the SDX LDAP directory. This section also applies to RAD-Series Server integration
with a JUNOSe router if RAD-Series RADIUS Server authenticates against an LDAP
directory.
RAD-Series Server Manager Configuration
The RAD-Series Server Manager configuration for the ProLDAP AATV is done
through the authfile file, which is stored in the configuration directory /opt/aaa/etc.
The configuration can be performed either manually by editing the authfile or
through the Administration panes of RAD-Series Server Manager. The following
methods are to be configured:
! How RAD-Series RADIUS Server authenticates
! Which external database is used for authentication, based on the realm name
Administrators must create a table in the authfile file for each realm name.
realm PROLDAP description
{
Filter-Type bin | cis
Directory directory-1
{
Host dir1.host.com
Port port-number
Administrator directory-manager-dn
[Password directory-manager-password]
SearchBase realm-search-base-in-directory
Authenticate Auto | Bind | Search
}
...
}
where
! realm—Identifies realm name, which is used during PPP login
(username@realm). The special-value NULL specifies treatment of any incoming
access request, where no realm name is submitted during the PPP login.
! PROLDAP—Identifies that this table is valid for the ProLDAP AATV.
! Filter-Type—Identifies the treatment of the user ID. Valid values are either case
sensitive (bin) or not case sensitive (cis).
! Directory—Identifies the start of the directory section. Up to four directory
sections are supported per realm. If the value contains spaces or tabs, it must
be enclosed by either the double-quote or the single-quote character.
RAD-Series RADIUS Server uses the round-robin method for those identified
directories.
! Host—The value (fully qualified DNS name or IP address) identifies the LDAP
directory.
! Port—Identifies the port the LDAP server listens to.
! Administrator—DN, which specifies the user entry that RAD-Series RADIUS
Server uses to log in against the LDAP directory. This must be specified if
Authenticate is set to Search.
! SearchBase—DN, which represents the starting point of the LDAP search
operation for that realm.
! Authenticate—Identifies how RAD-Series RADIUS Server authenticates
incoming access-requests. Valid values are:
! Auto—RAD-Series RADIUS Server performs a search as the configured
administrator (search anonymously if no configured administrator),
anticipating that the password is in the result. It binds as the user if the
password is not available.
! Bind—RAD-Series RADIUS Server tries to bind with the user ID and
password, specified during the PPP login.
! Search—RAD-Series RADIUS Server binds and performs a search
operation. LDAP returns the user password, which is compared with the
submitted password during the PPP login.
NOTE: The SDX software uses the search option.
The following authfile example depicts the treatment of PPP logins without any
realms and with the realm name isp1.com.
# This is a realm entry for an LDAP Server with PROLDAP with NO Realm
#
NULL PROLDAP Default-Setting
{
Filter-Type BIN
Directory SSC
{
Host 123.45.3.1
Port 389
Administrator "cn=umcadmin, o=umc"
Password "umc"
SearchBase "retailerName=default, o=users, o=umc"
Authenticate search
}
}
# This is a realm entry for two LDAP Server with PROLDAP with Realm isp1.com
#
virneo.com PROLDAP Virneo-Setting
{
Filter-Type BIN
Directory virneo
{
Host 245.3.4.5
Port 389
Administrator "cn=umcadmin, o=umc"
Password "umc"
SearchBase "retailerName=SP, o=users, o=umc"
Authenticate search
}
Directory virneo-backup
{
Host 245.3.4.6
Port 389
Administrator "cn=umcadmin, o=umc"
Password "umc"
SearchBase "retailerName=SP, o=users, o=umc"
Authenticate search
}
}
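The realm and Directory block syntax above carries several constraints that are easy to get wrong by hand: Filter-Type must be bin or cis, at most four Directory sections per realm, Authenticate must be Auto, Bind or Search, and Administrator is mandatory when Authenticate is Search. The following Python is an added example, not RAD-Series code: it parses a constructed authfile in that syntax (quoted values may contain spaces, as the text notes) and reports which of those constraints a realm violates. The Password value is stored in clear text in this file, so the file's permissions are part of what a practitioner would check alongside its content.

```python
# Added example (not RAD-Series code): parse the authfile realm/directory
# syntax shown above and check the constraints the text states.
import re

MAX_DIRECTORIES = 4  # the text allows up to four Directory sections per realm

# Constructed authfile in the syntax shown above.
SAMPLE_AUTHFILE = """
# realm entry for PPP logins that carry no realm name
NULL PROLDAP Default-Setting
{
Filter-Type BIN
Directory SSC
{
Host 123.45.3.1
Port 389
Administrator "cn=umcadmin, o=umc"
Password "umc"
SearchBase "retailerName=default, o=users, o=umc"
Authenticate search
}
}
"""

# A quoted value (double or single quotes) is one token; otherwise split on whitespace.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def _tokens(line):
    return [t[1:-1] if t[0] in "\"'" else t for t in _TOKEN.findall(line)]


def parse_authfile(text):
    """Return {realm_name: {"aatv", "description", "Filter-Type", "directories": [...]}}."""
    realms, realm, directory = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = _tokens(line)
        if tok[0] == "{":
            continue
        if tok[0] == "}":
            if directory is not None:        # close a Directory section
                realm["directories"].append(directory)
                directory = None
            else:                            # close the realm table
                realm = None
            continue
        if realm is None:                    # "realm AATV description" header
            if len(tok) != 3:
                raise ValueError(f"bad realm header: {line}")
            realm = {"aatv": tok[1], "description": tok[2], "directories": []}
            realms[tok[0]] = realm
        elif tok[0] == "Directory":
            directory = {"name": tok[1]}
        elif directory is not None:
            directory[tok[0]] = " ".join(tok[1:])
        else:
            realm[tok[0]] = " ".join(tok[1:])
    return realms


def check_realm(realm):
    """Return a list of problems for one parsed realm (empty list means it passes)."""
    problems = []
    if realm.get("aatv") != "PROLDAP":
        problems.append("AATV is not PROLDAP")
    if realm.get("Filter-Type", "").lower() not in ("bin", "cis"):
        problems.append("Filter-Type must be bin or cis")
    dirs = realm["directories"]
    if not dirs:
        problems.append("no Directory section")
    if len(dirs) > MAX_DIRECTORIES:
        problems.append(f"more than {MAX_DIRECTORIES} Directory sections")
    for d in dirs:
        for key in ("Host", "Port", "SearchBase", "Authenticate"):
            if key not in d:
                problems.append(f"{d['name']}: missing {key}")
        if "Port" in d and not d["Port"].isdigit():
            problems.append(f"{d['name']}: Port must be numeric")
        mode = d.get("Authenticate", "").lower()
        if mode not in ("auto", "bind", "search"):
            problems.append(f"{d['name']}: Authenticate must be Auto, Bind or Search")
        if mode == "search" and "Administrator" not in d:
            problems.append(f"{d['name']}: Administrator is required when Authenticate is Search")
        if "Password" in d and "Administrator" not in d:
            problems.append(f"{d['name']}: Password given without Administrator")
    return problems
```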
Configuring Realm Administration
The RAD-Series Server Manager allows you to perform realm administration.
To configure realm administration:
1. From the RAD-Series Server Manager navigation pane, click Edit Configuration
and Local Realms.
2. Click on the New Local Realm link.
The Local Realms: Modify Local Realm pane appears.
3. Specify the realm attributes.
4. Click Modify.
Configuring LDAP Settings
To configure the LDAP settings:
1. Select New LDAP Directory.
The LDAP Directory window appears.
2. Specify the attributes.
3. Click Save.
Configuration of RADIUS Profiles with the LDAP Directory
RADIUS servers search for objects of type umcRadiusPerson to authenticate
incoming PPP sessions. If RADIUS and JUNOSe-specific attributes must be returned
to the JUNOSe router during the authentication process, RAD-Series RADIUS Server
expects some special AAA attributes:
! aaaReply—A response sent back from the server (for example, a session time
limit)
! aaaCheck—An attribute that must be present in the user entry for the entry to
evaluate as True
! aaaDeny—An attribute that must NOT be present in the user entry for the
entry to evaluate as True
These attributes are multivalued attributes containing the RADIUS attribute value
pairs to be processed by RAD-Series RADIUS Server.
The following example depicts a umcRadiusPerson object, which returns the
RADIUS attribute values for Session-Timeout, Idle-Timeout, and Class and the
JUNOSe-specific attribute for the virtual router to be used on the JUNOSe router.
This entry is shown in LDIF notation:
dn: serviceName=bras,uniqueID=jane,ou=local,retailerName=isp1,o=Users,o=umc
objectClass: umcRadiusPerson
objectClass: umcServiceProfile
objectClass: top
uid: jane
userPassword: secret
serviceName: bras1
usedService: serviceName=bras,o=Services,o=umc
aaaReply: Virtual-Router-Name=Default
aaaReply: Class=1,uid,bras
aaaReply: Idle-Timeout=2700
aaaReply: Session-Timeout=10800
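The following Python is an added example, not SDX or RAD-Series code, that shows how an entry like the one above is evaluated once the Search-mode lookup has returned it: the submitted password is compared with userPassword, every aaaCheck pair must match the Access-Request, no aaaDeny pair may match it, and only then are the aaaReply pairs returned. The LDIF entry is constructed (modelled on the one above, with an aaaCheck and an aaaDeny added so that all three attributes are exercised), and treating aaaCheck and aaaDeny as attribute=value pairs matched against the incoming Access-Request is an assumption about the server's evaluation rather than something the page spells out.

```python
# Added example (not SDX or RAD-Series code): evaluate a umcRadiusPerson entry
# against an Access-Request using its aaaCheck / aaaDeny / aaaReply values.
import hmac

# Constructed LDIF entry modelled on the one above, with aaaCheck and aaaDeny added.
SAMPLE_LDIF = """\
dn: serviceName=bras,uniqueID=jane,ou=local,retailerName=isp1,o=Users,o=umc
objectClass: umcRadiusPerson
objectClass: umcServiceProfile
objectClass: top
uid: jane
userPassword: secret
serviceName: bras1
usedService: serviceName=bras,o=Services,o=umc
aaaCheck: Service-Type=Framed
aaaDeny: NAS-Port-Type=Async
aaaReply: Virtual-Router-Name=Default
aaaReply: Class=1,uid,bras
aaaReply: Idle-Timeout=2700
aaaReply: Session-Timeout=10800
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: every attribute becomes a list of values;
    a line starting with a single space continues the previous line (RFC 2849 folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    return entry


def _avp(text):
    """Split 'Attribute=value' into (attribute, value); the value may itself contain '='."""
    name, _, value = text.partition("=")
    return name.strip(), value.strip()


def evaluate(entry, request, password):
    """request: {attribute: value} taken from the Access-Request; password: the
    submitted password, compared with userPassword as the Search mode above describes.
    Returns (accepted, reply_avps). Assumption: aaaCheck pairs must all be present
    in the request and no aaaDeny pair may be present for the entry to evaluate True."""
    stored = entry.get("userPassword", [""])[0]
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return False, []
    for item in entry.get("aaaCheck", []):
        name, value = _avp(item)
        if request.get(name) != value:
            return False, []
    for item in entry.get("aaaDeny", []):
        name, value = _avp(item)
        if request.get(name) == value:
            return False, []
    return True, [_avp(item) for item in entry.get("aaaReply", [])]
```

The reply list is what would be turned into RADIUS attributes for the Access-Accept; Virtual-Router-Name is a Juniper VSA and the other three are standard attributes, so the dictionary extensions earlier in this chapter are what let the server encode the first one.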
Accounting Log File Format
The following is an example of an accounting log file generated by the RAD-Series
RADIUS Server with:
! Some accounting activity coming from the JUNOSe RADIUS client (tracking the
activity of a PPP session).
! Some accounting activity coming from the SDX RADIUS client (a video service
being activated, then deactivated).
Tue May 1 10:58:42 2001
Acct-Status-Type = Start
User-Name = "user1@isp1"
Event-Time = "May 1 2001"
Acct-Delay-Time = 0
NAS-Identifier = "OBIWAN"
Acct-Session-Id = "erx fastEthernet 3/1::0000022073"
NAS-IP-Address = 10.227.9.145
Service-Type = Framed
Framed-Protocol = PPP
Framed-IP-Address = 10.227.9.150
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = None
NAS-Port-Type = 15
NAS-Port = 822083584
NAS-Port-Id = "fastEthernet 3/1:"
Ingress-Policy-Name = "unlim"
Acct-Authentic = RADIUS
User-Id = "user1"
User-Realm = "isp1"
Tue May 1 10:59:49 2001
Acct-Status-Type = Start
Acct-Delay-Time = 0
User-Name = "user1@isp1"
Acct-Session-Id = "sspServiceVideoG:user1:e634da23b6"
NAS-Identifier = "SSP.lion"
User-Id = "user1"
User-Realm = "isp1"
Tue May 1 11:07:25 2001
Acct-Status-Type = Stop
Acct-Delay-Time = 0
User-Name = "user1"
Acct-Session-Id = "sspServiceVideoG:user1:e634da23b6"
Acct-Input-Octets = 10681
Acct-Input-Gigawords = 0
Acct-Input-Packets = 94
Acct-Output-Octets = 0
Acct-Output-Gigawords = 0
Acct-Output-Packets = 0
Acct-Session-Time = 456
NAS-Identifier = "SSP"
User-Id = "user1"
User-Realm = ""
LAS-Start-Time = 988729189
LAS-Code = LAS-Notlocal
LAS-Duration = 456
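The log above is a sequence of records, each a timestamp line followed by "Attribute = value" lines, and the Start and Stop records of one session share an Acct-Session-Id. The following Python is an added example, not RAD-Series code: it parses a constructed excerpt of that format (the SDX video service session above), pairs Start and Stop records by Acct-Session-Id, and flags sessions whose reported Acct-Session-Time disagrees with the gap between the two timestamps, which is a cheap consistency check when accounting data feeds billing.

```python
# Added example (not RAD-Series code): parse the accounting log format shown
# above and pair Start/Stop records by Acct-Session-Id.
from datetime import datetime

# Constructed excerpt of the log shown above (the SDX service session only).
SAMPLE_LOG = """\
Tue May 1 10:59:49 2001
Acct-Status-Type = Start
Acct-Delay-Time = 0
User-Name = "user1@isp1"
Acct-Session-Id = "sspServiceVideoG:user1:e634da23b6"
NAS-Identifier = "SSP.lion"
User-Id = "user1"
User-Realm = "isp1"

Tue May 1 11:07:25 2001
Acct-Status-Type = Stop
Acct-Delay-Time = 0
User-Name = "user1"
Acct-Session-Id = "sspServiceVideoG:user1:e634da23b6"
Acct-Input-Octets = 10681
Acct-Input-Packets = 94
Acct-Output-Octets = 0
Acct-Session-Time = 456
NAS-Identifier = "SSP"
User-Id = "user1"
User-Realm = ""
"""


def parse_records(text):
    """A record is a timestamp line followed by 'Attribute = value' lines.
    Quoted values lose their quotes; integer-looking values become ints."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " = " not in line:
            # Timestamp line such as "Tue May 1 10:58:42 2001" (extra spaces collapsed).
            stamp = datetime.strptime(" ".join(line.split()), "%a %b %d %H:%M:%S %Y")
            current = {"_time": stamp}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"attribute line before any timestamp: {line}")
        name, _, value = line.partition(" = ")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif value.lstrip("-").isdigit():
            value = int(value)
        current[name] = value
    return records


def pair_sessions(records):
    """Acct-Session-Id -> {"start": record, "stop": record} for sessions with both."""
    sessions = {}
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        if sid is None:
            continue
        slot = sessions.setdefault(sid, {})
        kind = rec.get("Acct-Status-Type")
        if kind == "Start":
            slot["start"] = rec
        elif kind == "Stop":
            slot["stop"] = rec
    return {sid: s for sid, s in sessions.items() if "start" in s and "stop" in s}


def session_time_mismatches(sessions, tolerance=5):
    """Sessions whose Stop record's Acct-Session-Time differs from the gap between
    the Start and Stop timestamps by more than `tolerance` seconds."""
    bad = {}
    for sid, s in sessions.items():
        elapsed = (s["stop"]["_time"] - s["start"]["_time"]).total_seconds()
        reported = s["stop"].get("Acct-Session-Time", 0)
        if abs(elapsed - reported) > tolerance:
            bad[sid] = (elapsed, reported)
    return bad
```

For the session above the timestamps are 456 seconds apart and the Stop record reports Acct-Session-Time = 456, so the check passes; a Stop record that arrived after retransmission delays would show a small positive gap, which is why the tolerance exists.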
RADIUS Client/Server Configuration
For RAD-Series RADIUS Server and RADIUS clients (JUNOSe router and the SAE
software) to communicate, you must configure both the client and the server.
RADIUS Server Configuration
The RADIUS server must know how to talk to the RADIUS clients. The following
information about all RADIUS clients connected to the RADIUS server must be
known to the RADIUS server:
! IP address of the RADIUS client
! RADIUS shared secret to be exchanged between RAD-Series RADIUS Server
and the client
! Model (vendor) of the RADIUS client
Although the Administration panes allow you to create new clients, we recommend
that you edit the /opt/aaa/etc/clients file when creating new access devices. The
client file should resemble the following:
#Client Name Key [type] [version] [prefix]
#---------------- --------------- --------------- --------- --------
# SAE Client 192.23.3.10 secret type=Juniper:NAS v1
# Juniper ERX node (Enable the Juniper extensions)
192.23.3.1 secret type=Juniper:NAS v1
NOTE: The Administration panes do not include Juniper in the vendor list. Unless
you change some of the HTML files, creating the Juniper RADIUS client through the
Administration panes will not work.
RADIUS Client Configuration
Each RADIUS client must know how to contact its RADIUS server. The following
information is required for client/server communication:
! IP address of the RADIUS server
! RADIUS shared secret to be exchanged between RAD-Series RADIUS Server
and the RADIUS client
! UDP ports on which the RADIUS client sends and receives RADIUS
authentication and accounting packets. The ports must match the server
configuration.
The RADIUS client configuration of the JUNOSe router is described in the JUNOSe
Broadband Access Configuration Guide.
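The clients file on the server side and the shared secret on the client side are what let each end check that accounting traffic really comes from the peer it was configured for. The following Python is an added example, not RAD-Series or SDX code: it reads a constructed clients file in the format shown above, then builds and verifies an Accounting-Request whose Request Authenticator is computed as RFC 2866 defines it (MD5 over the code, identifier, length, sixteen zero octets, the attributes and the shared secret). A packet from an unknown client, one signed with a different secret, or one altered in transit fails the check.

```python
# Added example (not RAD-Series or SDX code): look up a client's shared secret
# in a clients file and verify an Accounting-Request's authenticator (RFC 2866).
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code for Accounting-Request

# Constructed clients file in the format shown above.
SAMPLE_CLIENTS = """\
#Client Name Key [type] [version] [prefix]
#---------------- --------------- --------------- --------- --------
# SAE Client 192.23.3.10 secret type=Juniper:NAS v1
# Juniper ERX node (Enable the Juniper extensions)
192.23.3.1 secret type=Juniper:NAS v1
"""


def parse_clients(text):
    """Return {client address or name: {"secret", "type", "version"}}; '#' lines are comments."""
    clients = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"client line needs at least a name and a key: {line}")
        entry = {"secret": fields[1]}
        for extra in fields[2:]:
            if extra.startswith("type="):
                entry["type"] = extra[len("type="):]
            elif extra.startswith("v") and extra[1:].isdigit():
                entry["version"] = extra
        clients[fields[0]] = entry
    return clients


def avp(type_code, data):
    """Encode a plain (non-vendor) RADIUS attribute: type | length | data."""
    return struct.pack("!BB", type_code, 2 + len(data)) + data


def build_accounting_request(identifier, attributes, secret):
    """Build an Accounting-Request; its Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_accounting_request(packet, secret):
    """True when the packet is a complete Accounting-Request whose authenticator
    matches the shared secret; a constant-time compare avoids timing leaks."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def sample_packet(secret, identifier=7):
    """Constructed Accounting-Request carrying Acct-Status-Type=Start (type 40)
    and User-Name (type 1), signed with the given secret."""
    attributes = avp(40, b"\x00\x00\x00\x01") + avp(1, b"user1@isp1")
    return build_accounting_request(identifier, attributes, secret)
```

The secret in the sample file is the placeholder word "secret" copied from the page; in a deployment the value per client should be long and random, because the authenticator is only as strong as the secret it is keyed with.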
Testing the RAD-Series RADIUS Server
You can test the RAD-Series RADIUS Server installation by using the radpwtst tool.
This tool is located in the /opt/aaa/bin directory and has the following syntax:
radpwtst -d directory -p port -s server -u auth-type -x -w password username
where
! -d—Directory containing the configuration files (users, clients, authfile,
dictionary, and so on)
! -p—Port number on which the server listens for authentication requests
! -s—IP address or fully qualified DNS name of the server hosting RAD-Series
RADIUS Server
! -u—Authentication type; always use ppp
! -x—Turns on debugging output
! -w—Supplies the password on the command line so that you are not prompted
for it
Include the /opt/aaa/lib path in your LD_LIBRARY_PATH environment variable.
You can test your setup by typing:
/opt/aaa/bin/radpwtst -d /opt/aaa/etc -p 1812 -s 'hostname' -u ppp -x -w secret jane@virneo.com
Chapter 12
RADIUS Authorization and Accounting
and Flat File Accounting
This chapter provides basic information for RADIUS authorization and accounting,
and flat file accounting.
This chapter contains the following sections:
! RADIUS Authorization on page 141
! RADIUS Accounting on page 141
! Flat File Accounting on page 144
RADIUS Authorization
RADIUS authorization controls access to network services and applications, where
attributes from an access request can be checked for existence in the directory.
Furthermore, attributes that are included in the Access-Accept package can be used
for provisioning.
Whenever the RADIUS server receives an access request from the JUNOSe router or
SAE, RADIUS queries the directory for RADIUS profiles. If all the parameters
included in the access request are fulfilled, RADIUS sends an Access-Accept
message to the JUNOSe router or the SAE, which might include all specified RADIUS
parameters from the RADIUS profile stored in the directory. These parameters can
be used to provision the JUNOSe router.
RADIUS Accounting
RADIUS accounting is used to send accounting information to the RADIUS
accounting server. Accounting information is sent to the server when a subscriber
logs in or logs out and when a subscriber activates or deactivates a subscription.
Both the JUNOSe router and the SAE send accounting information to the RADIUS
accounting server. The JUNOSe router includes accounting information for all
Broadband Remote Access Service (B-RAS) sessions. The SAE sends the RADIUS
attributes listed in Table 8 to the RADIUS accounting server. These attributes are
used to log subscriber sessions with activated SAE services. Table 9 contains a
detailed description of the NAS-Port-Id attribute of the JUNOSe router for various
interface types.
Table 8: RADIUS Accounting Attributes
RADIUS Accounting Attribute / Notes
User-Id
  The values are:
  ! login-name
  ! accounting-id
  ! auth-user-name
  ! manager-id
  We provide flexible RADIUS plug-ins that you can use to define which attributes
  are used and which values are provided. See SDX Components Guide, Vol. 1,
  Chapter 5, Configuring Authorization and Tracking Plug-Ins.
Terminate-Cause
  User-Request, Lost-Carrier (PPP hangup), Idle-Timeout, Session-Timeout, Admin-Reset.
  Lost-Carrier is used when the transport interface goes down or when a DHCP lease
  expires.
  User-Request is sent only when the session was terminated through an API call
  (deactivate session or user logout, but not a PPP logout). This includes scheduled
  deactivation.
  Admin-Reset is sent when a service session is terminated because of updates of the
  directory data (for example, when a service definition has changed).
Framed-Ip-Address
  User IP address
Event-Time
  Number of seconds since Jan-1, 1970 00:00 UTC. The RADIUS server you are using
  may present this value differently.
Class
  From service definition
Acct-Session-Id
  Identification of user and service sessions. The Acct-Session-Id is included in
  all accounting and authorization events for the same session and can be used to
  correlate the events.
Multi-Session-Id
  For PPP subscriber sessions, the session ID assigned by the JUNOSe router.
NAS-Port-ID
  SDX software takes the NAS-Port-ID attribute from the JUNOSe router via COPS-PR
  and prepends:
  @ _
  This attribute contains the full router name, a space character, and the
  NAS-Port-Id attribute as received from the ERX for this interface. Example:
  default@erx123 FastEthernet 3/0
  NOTE: See Table 9 for a description of the NAS-Port-Id attribute for various
  interface types.
NAS-Identifier
  Identification of SAE server
Acct-Input-Octets, Acct-Output-Octets, Acct-Input-Gigawords, Acct-Output-Gigawords,
Acct-Input-Packets, Acct-Output-Packets
  ! Used in Interim and Stop requests, but for service sessions only.
  ! Provided only for services with accounting policy rules.
Acct-Session-Time
  Used only in Stop requests; time specified in seconds.
Acct-Status-Type
  1 [Start], 2 [Stop], 3 [Interim-Update], 7 [Accounting-On], or 8 [Accounting-Off].
  The RADIUS server you are using may present these values differently.
Acct-Delay-Time
  Number of seconds since the first try to send the data
NOTE: The SAE sends a RADIUS Stop request when a service session is stopped. If
the policies associated with the service define accounting rules, the SAE retrieves
volume data from the router and sends the data in the Stop request. Note that
errors in communication with the router (e.g., broken connection) may prevent
the SAE from retrieving the volume data. If such an error happens, the SAE sends
a Stop record where the volume counters are set to zero. If an interim update for
the same service session exists, which includes nonzero volume counters, we
recommend that you use this interim update instead of the final accounting.
Table 9: Description of NAS-Port-Id Attribute for Various Interface Types
Interface Type | Interface Format | Example
ATM 1483 | erx atm /.:. | host1 atm 0/1.20 22 10
FastEthernet | erx fastEthernet/[.[ [sub-vlan>]]] | host1 fastEth 3/2.6.20
GigabitEthernet | erx gigabitEthernet/[.[[sub-vlan>]]] | host1 gigabitEth 3/2.6.20
Serial | erx serial /[:[/ [/]]] | host1 path 2 ds1 1/7/4 channel-group 1 timeslots 1-5
LNS | ip:local ip:peer ip:local tid:peer tid:local sid:peer sid:call serial number |
GRE | erx gre | host1 tunnel gre:boston
DVMRP | erx dvmrp | host1 tunnel dvmrp:chicago
The SDX software provides RADIUS accounting that conforms to RFC
2866—RADIUS Accounting. SDX software Release 4.1.x supports three RADIUS
packages: Merit AAA Server 4.22E, Steel-Belted Radius Service Provider Edition
(SPE) Release 4.0 from Funk Software, and RAD-Series RADIUS Server version 6.0
from Interlink Networks. The format of the generated accounting log file differs in
these RADIUS packages. The accounting log file formats are described in the
appropriate chapters in this guide.
Flat File Accounting
The SAE includes a default plug-in for writing accounting information to local files
directly. The format of the local file is line oriented, where each accounting record is
written to a single line and the values of each accounting record are separated by
commas.
The attributes that are included in the file and their order can be configured. An
exception is the first attribute, Accounting_status, which determines the type of the
accounting record and is always the first attribute.
The first line of each accounting file contains the comma-separated list of attribute
names.
Table 10 lists the available attributes.
Table 10: RADIUS Accounting Flat File Attributes
RADIUS Accounting Attribute Notes
Accounting_status Values are start, stop, or interim
User_IP_Address IP address of client
Accounting_ID Accounting ID, configured in subscriber entry in the directory
Login_Name User ID provided at login time
Auth_User_ID User ID used for service authentication
Terminate_Cause User-Request, Lost-Service (PPP hangup), Idle-Timeout, Session-Timeout, Admin-Reset
Radius_Class Derived from service definition
If_Radius_Class For PPP subscriber sessions, the RADIUS class attribute assigned to the PPP interface
Service_Name Name of SAE service
Service_Scope Name of service scope (virtual router in SDX software Release 3.1)
Event_Time Timestamp
Session_ID Unique identifier for user and service sessions
If-Session_ID For PPP subscriber sessions, the session ID assigned by the JUNOSe router
Port_ID Identification of subscriber interface
Interface_Alias Alternate name of interface (CLI interface description)
Interface_Descr Name of IP interface, format: IP /[.
Nasid Identification of JUNOSe router for accounting
NAS_IP IP address of JUNOSe router
SAE_HOST Hostname of SAE server
In_Octets Number of octets received from user
Out_Octets Number of octets sent to user
In_Packets Number of IP packets received from user
Out_Packets Number of IP packets sent to user
Session_Time Length of session in seconds
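The flat file format described above (one comma-separated record per line, a header line of attribute names, Accounting_status always first) is straightforward to read back, and reading it back is where the note on Stop requests earlier in this chapter applies: a Stop record may carry zero volume counters when the SAE could not reach the router, and an earlier interim record with nonzero counters is then the better figure. The following Python is an added example, not SAE code: it reads a constructed flat file using the Table 10 attribute names, checks the header rule, and reconciles each session's final counters according to that note.

```python
# Added example (not SAE code): read the SAE flat file accounting format and
# reconcile Stop records with zero counters against earlier interim records.
import csv
import io

COUNTERS = ("In_Octets", "Out_Octets", "In_Packets", "Out_Packets")

# Constructed flat file using the Table 10 attribute names; Accounting_status first.
SAMPLE_FLAT_FILE = """\
Accounting_status,Session_ID,Login_Name,Service_Name,Event_Time,In_Octets,Out_Octets,In_Packets,Out_Packets,Session_Time,Terminate_Cause
start,sspServiceVideoG:user1:e634da23b6,user1,VideoG,988729189,,,,,,
interim,sspServiceVideoG:user1:e634da23b6,user1,VideoG,988729400,8200,0,70,0,,
stop,sspServiceVideoG:user1:e634da23b6,user1,VideoG,988729645,0,0,0,0,456,Lost-Service
start,sspServiceAudio:user2:0a1b2c3d4e,user2,Audio,988729200,,,,,,
stop,sspServiceAudio:user2:0a1b2c3d4e,user2,Audio,988729500,5000,300,40,5,300,User-Request
"""


def read_flat_file(text):
    """Return a list of dict records. The first header column must be
    Accounting_status, as the text states; counters become ints or None."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header[0] != "Accounting_status":
        raise ValueError("Accounting_status must be the first attribute")
    records = []
    for row in reader:
        if not row:
            continue
        rec = dict(zip(header, row))
        for key in COUNTERS + ("Session_Time",):
            if key in rec:
                rec[key] = int(rec[key]) if rec[key] else None
        records.append(rec)
    return records


def final_volumes(records):
    """Session_ID -> (counters, source). When a stop record reports all-zero
    counters but an earlier interim record for the same session carries nonzero
    counters, the interim counters are used, as the note on Stop requests recommends."""
    last_interim, result = {}, {}
    for rec in records:
        sid, status = rec["Session_ID"], rec["Accounting_status"]
        if status == "interim":
            last_interim[sid] = rec
        elif status == "stop":
            stop = {k: rec.get(k) or 0 for k in COUNTERS}
            interim = last_interim.get(sid)
            if interim is not None and not any(stop.values()):
                from_interim = {k: interim.get(k) or 0 for k in COUNTERS}
                if any(from_interim.values()):
                    result[sid] = (from_interim, "interim")
                    continue
            result[sid] = (stop, "stop")
    return result
```

The source tag in each result records which record the figure came from, so a billing or reporting job can show that a session's volume was taken from an interim update rather than its Stop record.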
Index
Index Key system management .................................................73
SPE – Steel-Belted Radius/SPE UmcConfiguration .....................................................70
RAD – RAD-Series AAA RADIUS Server umcRadius Person.....................................................71
Merit – Merit AAA 4.22E umcUser ....................................................................71
user class...................................................................68
DirX – DirX Directory Server
user subtree...............................................................76
Sun – Sun ONE Directory Server
workflow subtree.......................................................75
access rights, generic ........................................................78
Numerics access.cp flat file (DirX).....................................................42
99umcschema.ldif (Sun) ...................................................36 accounting log file
Merit........................................................................119
A RAD.........................................................................137
aaaCheck SPE..........................................................................103
Merit................................................................110, 118 accounting records..........................................................144
RAD.........................................................................136 Acct-Delay-Time..............................................................143
aaaDeny Acct-Input-Gigawords ......................................................142
Merit................................................................110, 118 Acct-Input-Octets ............................................................142
RAD.................................................................126, 136 Acct-Input-Packets...........................................................143
aaaReply Acct-Output-Gigawords....................................................142
Merit................................................................110, 118 Acct-Output-Octets..........................................................142
RAD.................................................................126, 136 Acct-Output-Packets ........................................................143
access control information Acct-Session-Id................................................................142
DirX...........................................................................42 Acct-Session-Time ...........................................................143
Sun............................................................................37 Acct-Status-Type..............................................................143
access control scheme ................................................67–82 aci attribute (Sun) .............................................................37
activating access add-on package, LDIF file (Sun).........................................37
operator .............................................................77 Administration user interface (SPE).................................104
subscription operator .........................................77 administrative access........................................................76
administrative access ................................................76 Admin-Reset ...................................................................142
binding......................................................................69 applications, SDX on CD .................................................. xiii
cachedAuthentication profile .....................................70 archiving
common access rights ...............................................78 DirX database............................................................64
directories .................................................................68 Sun ONE database .....................................................65
directory entries ........................................................67 attribute types...................................................................20
directory-specific .......................................................79 attribute value pairs
DirX...........................................................................79 Merit................................................................110, 118
LDAP .........................................................................80 RAD.........................................................................126
lock subtree...............................................................73 Attribute/name section, LDAP authentication (SPE)...........98
mutex group objects..................................................75 attributes
Netscape/iPlanet Directory Server .............................81 AAA
network subtree ........................................................74 Merit ................................................................118
parameter subtree .....................................................72 RAD..................................................................136
permissions ...............................................................68 alphabetical list..........................................................24
policy subtree ............................................................72 index configuration
RADIUS profile ..........................................................71 DirX ...................................................................43
service, policy, and global parameter objects ............76 Sun.....................................................................37
sspServiceProfile .......................................................70 JUNOSe-specific
subscriber, retailer, and service profiles ....................74 integration..................................................95, 115
substitution access ....................................................78 Merit ................................................110, 113, 118
Index ! 145
SDX 6.0.x Integration Guide
    RAD ... 128, 136, 137
    RADIUS accounting ... 141, 144
Attributes section, customizing authentication file (SPE) ... 103
attributeTypes directory ... 24
audience for documentation ... xi
authentication
  credentials (SPE) ... 104
  log file, customizing (SPE) ... 103
authentication/authorization transfer vectors (AATVs)
  Merit ... 110
  RAD ... 125
authfile file
  Merit ... 116
  RAD ... 131

B
backing up
  DirX server ... 64
  OpenLDAP directory server ... 63
  Sun ONE database ... 65
  system ... 63
Base variable (SPE) ... 98
BEEP, JUNOS routing platforms
  connecting ... 7
binary directory (RAD) ... 124
binary files (Sun) ... 39
Bind
  LDAP authentication (SPE) ... 95
  request (SPE) ... 95, 100
binding
  access control ... 69
BindName
  LDAP authentication (SPE) ... 95
  LDAP server (SPE) ... 97
  SDX application (SPE) ... 98
  user password attribute (SPE) ... 98
BindPassword
  LDAP authentication (SPE) ... 96
  LDAP server (SPE) ... 97
Bootstrap section, LDAP authentication (SPE) ... 95
Broadband Remote Access Service (B-RAS) ... 141
browser requirements (SPE) ... 88

C
cachedAuthentication and access controls ... 70
CDs
  SDX application library CD ... xiii
  SDX documentation CD ... xiii
  SDX software CD ... xiv
Class ... 142
  Merit ... 118
  RAD ... 137
  SPE ... 103
community table, configuring SNMP ... 4
configuration
  access directories ... 68
  access directory entries ... 67
  DirX directory server ... 46
  enable LDAP host (SPE) ... 90
  files (SPE) ... 89, 90
  permissions ... 68
  procedure (SPE) ... 90, 91
  user class ... 68
configuration directory
  Merit ... 113, 116
  RAD ... 124
configuration group, JUNOS routing platforms ... 7, 9
content
  rules ... 33
  rules table ... 34
contentRules ... 20
conventions defined
  icons ... xii
  text ... xii
COPS-PR (Common Open Policy Server Usage for Policy Provisioning)
  connection with JUNOSe routers ... 3
credentials
  authentication (SPE) ... 104
  bind to LDAP server (SPE) ... 97
  LDAP authentication (SPE) ... 95
crontab file ... 53, 58
customer support ... xiv

D
data directory (RAD) ... 124
data integrators
  adding VPNs ... 59
  configuring ... 53
  deactivating invalid subscriptions to VPNs ... 61
  description ... 49
  developing ... 52
  executing ... 58
  for adding VPNs ... 59
  getting help ... 51
  logging properties ... 53
  order of processors ... 58
  planning ... 52
  processors
    Database Reader ... 54
    description ... 50
    Enterprise Audit File Reader ... 56
    LDAP Reader ... 55
    LDAP Writer ... 58
    suite, installing ... 52
    XML File Reader ... 56
    XML File Writer ... 57
database
  archiving DirX ... 64
  archiving Sun ONE ... 65
  files
    installation (SPE) ... 89
    previous installations (SPE) ... 90
  integrating data into directory ... 50
  JDBC drivers ... 52
  loading sample
    DirX ... 43
    Sun ... 37
  settings
    DirX ... 42
    Sun ... 37
Database Reader ... 54
deleting
  operators ... 83
dictionary files with JUNOSe parameters
  Merit ... 113
  RAD ... 128
  SPE ... 92
directed accounting (SPE) ... 103
directed authentication (SPE) ... 101, 102
directory
  adding
    JUNOS routing platform ... 9
    JUNOSe routers ... 5
  reading data from ... 50
  schema ... 19
  transferring data ... 49
Directory Information Tree. See DIT
directory server
  standards (DirX) ... 41
  starting/stopping
    DirX ... 47
    Sun ... 40
directory tree structure. See DirX
DirX
  access control scheme ... 79
  backing up server ... 64
  dirx user environment ... 47
  restoring directory database ... 65
DirX add-on package
  configuration ... 46
  installation (DirX) ... 45
  product description ... 42
DirX directory server
  installation ... 44
  starting/stopping ... 47
  uninstalling ... 46
DirX Solutions
  product description ... 41
  software, obtaining ... 43
dirxadm (DirX) ... 42
dirxcp, DirX client ... 42
DirXmetahub ... 41
DIT (Directory Information Tree) ... 21
  content rules ... 33
  structure rules ... 24
dlm1ManagedElement ... 20
Document Object Model. See DOM
document type definitions. See DTDs
documentation set, obtaining ... xiv
documentation set, SDX
  CD ... xiii
  comments ... xiv
DOM (Document Object Model) ... 54
downloading Sun ONE software ... 38
DTDs (document type definitions)
  data integrators ... 50

E
EASP audit plug-in
  logs ... 50
enterprise administrator ... 76
Enterprise Audit File Reader ... 56
/etc/services file (Merit) ... 111
Event-Time ... 142
external database (SPE) ... 95

F
files
  LDAP schema ... 20
flat file accounting ... 144
Framed-Ip-Address ... 142

G
generate.sh script (DirX) ... 42, 46
getting help, data integration ... 51
global parameter objects and access control scheme ... 76

H
hard-disk space requirements
  Merit ... 110
  RAD ... 124
  SPE ... 88
Host values (SPE) ... 97

I
icons defined, notice ... xii
Idle-Timeout ... 118, 137, 142
index configuration (Sun) ... 37
initialize.cp flat file (DirX) ... 42
install.sh script (SPE) ... 88, 91
installation
  directory server software (DirX) ... 44
  procedure (Merit) ... 110
  scripts (SPE) ... 89, 90
  software CD (SPE) ... 88
installing software
  DirX ... 43
  Merit ... 110
  RAD ... 124
  SPE ... 88
installing the system software ... xiii
integrating data into directory ... 50
integration tasks
  JUNOS routing platform ... 8
  JUNOSe routers ... 3
Interim requests ... 142
invalid subscriptions to VPNs ... 61
iPlanet Directory Server ... 35

J
Java Database Connectivity. See JDBC
JDBC (Java Database Connectivity) drivers ... 52
Juniper Networks dictionary files
  Merit ... 113
  RAD ... 129
  SPE ... 92
Juniper Networks Professional Services ... 51
JUNOS routing platform
  adding to directory ... 9
  configuration groups ... 7, 9
  configuring SAE properties ... 8
  configuring to interact with SAE ... 8
  disabling interactions with SAE ... 10
  enabling interactions with SAE ... 10
  integration tasks ... 8
  logging ... 11
  monitoring interactions
    SAE ... 10
  SDX software process ... 7
  statements for integration
    port-number ... 9
    server-address ... 8
    source-address ... 9
  troubleshooting ... 11
JUNOSe RADIUS client
  Merit ... 119
  RAD ... 137
JUNOSe routers
  adding to directory ... 5
  configuring
    SAE client ... 4
    SAE to manage ... 4
    SNMP server ... 4
  integration overview ... 3
  integration tasks ... 3
  logging ... 6
  monitoring interactions with SAE ... 6
  SDX client ... 3
    starting ... 5
    stopping ... 5
  SDX releases supporting ... 3
  troubleshooting ... 6

L
LDAP
  access control scheme ... 80
  index of schema attributes ... 20
  mapping object model ... 19
  overview ... 19
  schema
    files ... 20
LDAP authentication
  AATV
    Merit ... 110
    RAD ... 125
  Attribute/name section (SPE) ... 98
  Bind (SPE) ... 95
  bind credentials (SPE) ... 95
  BindName (SPE) ... 95
  Bootstrap section (SPE) ... 95
  configuring
    Merit ... 115
    SPE ... 94
  file, sections (SPE) ... 95
  Request section (SPE) ... 100
  Response section (SPE) ... 100
  Search/name section (SPE) ... 97
  Server section (SPE) ... 96
  server/serverName section (SPE) ... 97
  Settings section (SPE) ... 95
LDAP configuration
  interface (SPE) ... 103
  RAD ... 136
LDAP database (SPE) ... 100
LDAP directory ... 141
  instance (Sun) ... 36
  Merit ... 110, 116
  SPE ... 102
LDAP features
  Merit ... 110
  RAD ... 125
LDAP host (SPE) ... 90
LDAP libraries (SPE) ... 91
LDAP Reader ... 55
LDAP server
  Merit ... 112
  SPE ... 92, 95
LDAP Writer ... 58
ldapauth.aut file (SPE) ... 95
ldapmodify tool
  DirX ... 43
  Sun ... 37
LDIF file
  access.ldif ... 37
  schema extension (Sun) ... 36
  SDX skeleton
    DirX ... 43
    Sun ... 37
license string (SPE) ... 88, 90
license strings, where stored ... 23
Lightweight Data Interchange Format (LDIF) (Merit) ... 118
load balancing (SPE) ... 96
load script (Sun) ... 40
lock subtree and access control scheme ... 73
log.txt log file (DirX) ... 46
logging
  on JUNOS routing platform ... 11
  on JUNOSe routers ... 6
  properties
    data integrators ... 53
logging subscriber sessions ... 141
LogLevel (SPE) ... 96
logs, EASP audit plug-in ... 50
Lost-Carrier ... 142

M
manuals, SDX
  comments ... xiv
  on CD ... xiii
Merit server
  command syntax ... 112, 121
  testing ... 121
Multi-Session-Id ... 142
mutex group
  access control scheme ... 75

N
name forms in structure rules ... 34
nameForms directory ... 20
NAS-Port-ID ... 142
Netscape/iPlanet Directory Server, access control ... 81
network and access control scheme ... 74
network device objects ... 23
notice icons defined ... xii

O
object classes ... 20
  dlm1ManagedElement ... 20
  tables ... 21
  umcVirtualRouter ... 23
objectClass ... 20
objectClasses directory ... 20
objects
  attribute types ... 20
  classes ... 20
  contentRules ... 20
  contentRules directory ... 20
  folders and subtrees ... 21
  mapping object model to LDAP ... 19
  nameForms ... 20
  network device ... 23
  policy group ... 23
  service template ... 22
  structureRules ... 20
  subscriber objects ... 21
  subscription profile ... 22
OpenLDAP directory server
  backing up ... 63
  restoring ... 64
operating system requirements
  Merit ... 110
  RAD ... 124
  SPE ... 88
operator groups
  assigning operators ... 83
operators
  activating access ... 77
  assigning to groups ... 83
  deleting ... 83
order, processes in data integrators ... 58
organizationalNameForm ... 24
organizationalUnitNameForm ... 25
outsourced services
  retailer ISP, strategy (SPE) ... 98

P
parameters
  substitutions ... 22
  subtree and access control scheme ... 72
password storage scheme (Sun) ... 36
password, authentication credentials (SPE) ... 104
PasswordCase (SPE) ... 96
PasswordFormat (SPE) ... 96
PCIM (Policy Core Information Model) ... 23
permissions in access control lists ... 68
personNameForm ... 24
pkgadd tool (DirX) ... 44, 45
planning
  data integration ... 52
policy groups
  objects ... 23
policy information model ... 23
policy objects
  access control ... 76
policy subtree and access control scheme ... 72
port-number statement ... 9
ports
  UDP
    Merit ... 111
    RAD ... 126
    SPE ... 92
processors for data integration ... 50
profile, subscription profile objects ... 22
ProLDAP AATV
  LDAP directory (Merit) ... 111
  Merit ... 110
  RAD ... 126, 131, 132
  server configuration (Merit) ... 116
ProLDAP process (Merit) ... 110
properties
  processors in data integrators ... 53
property files
  data integrators ... 53

R
RADIUS
  accounting
    description ... 141
    flat file attributes ... 144
    Merit ... 111
    server ... 141
  first-time installations (SPE) ... 88
  previous installations (SPE) ... 89
  profiles and access control scheme ... 71
RADIUS attributes ... 141
  dictionary files
    Merit ... 113
    RAD ... 128
    SPE ... 92
  incoming from Access-Request (SPE) ... 100
  values, Merit ... 118
RADIUS authentication
  Merit ... 111
  RAD ... 131
  SPE ... 94
RADIUS authorization, description ... 141
RADIUS client
  configuration
    Merit ... 120
    RAD ... 139
    SPE ... 104
  UDP ports
    Merit ... 111
    RAD ... 126
    SPE ... 91
  vendor
    Merit ... 120
    RAD ... 138
RADIUS daemon ... 88
  Merit ... 112
  SPE ... 89, 92
RADIUS profiles
  configuring (Merit) ... 118
  directory ... 141
  Merit ... 118
  RAD ... 136
RADIUS protocol, transaction-based (SPE) ... 91
RADIUS server
  configuring
    Merit ... 120
    RAD ... 138
    SPE ... 103
  functions ... 141
  starting/stopping
    Merit ... 112
    RAD ... 126
    SPE ... 92
  testing installation (RAD) ... 140
RADIUS shared secret
  Merit ... 120
  RAD ... 138, 139
radius.ini file (SPE) ... 92
RAD-Series RADIUS Server
  installation ... 124
  syntax description ... 140
  testing ... 140
RAD-Series Server Manager ... 126
RAM requirements
  Merit ... 110
  RAD ... 124
  SPE ... 88
RAS client, configuring (SPE) ... 106
RDN (relative distinguished name) ... 21
realm
  administration (RAD) ... 135
  configuration file (SPE) ... 102
  syntax (Merit) ... 116
realm name
  authentication (RAD) ... 131
  description (RAD) ... 132
  directed authentication (SPE) ... 101
release notes ... xiv
Request section, LDAP authentication (SPE) ... 100
Response section, LDAP authentication (SPE) ... 100
restoring
retailers
  access control ... 74
round-robin method
  Merit ... 116
  SPE ... 96
routers
  integrating JUNOSe ... 3

S
SAE (service activation engine)
  configuring
    SNMP for JUNOSe routers ... 5
  disabling interactions with JUNOS routing platform ... 10
  enabling interactions with JUNOS routing platform ... 10
  JUNOS routing platform client ... 8
  JUNOSe client ... 4
  monitoring interactions
    JUNOS routing platform ... 10
  monitoring interactions with JUNOSe routers ... 6
  starting
    SDX client on JUNOSe router ... 5
  stopping
    SDX client on JUNOSe router ... 5
SAE software ... 141
  flat file accounting ... 144
  RADIUS Stop requests ... 143
  Stop record ... 143
sample data integrators ... 59
schema
  file
    99umcschema.ldif (Sun) ... 36
    schema.adm (DirX) ... 42
  requirements
    DirX ... 42
    Sun ... 36
scripts
  generate (DirX) ... 42
  install.sh (SPE) ... 89
  loading (Sun) ... 37
  sample database (DirX) ... 43
  vpndatamgt ... 53
SDX
  directory schema ... 19
SDX client, JUNOSe routers
  configuring ... 3
  starting ... 5
  stopping ... 5
SDX documentation set
  CD ... xiii
  comments ... xiv
SDX RADIUS client (Merit) ... 119
SDX skeleton (Sun) ... 37
SDX software process
  disabling ... 10
DirX directory database............................................. 65 JUNOS routing platform...............................................7
OpenLDAP directory server....................................... 64 reenabling .................................................................10
Sun ONE database..................................................... 65 sdxSchemaIndex ..............................................................20
retailer ISP Search requests (SPE) ...............................................95, 100
directed authentication............................................ 101 Search/name section, LDAP authentication (SPE)..............97
realm name (SPE).................................................... 101
Server Manager
  password (RAD) ... 125
  user (RAD) ... 125
Server section, LDAP authentication (SPE) ... 96
Server/name, LDAP authentication (SPE) ... 96
server/serverName section, LDAP authentication (SPE) ... 97
server-address statement ... 8
service objects, access control ... 76
service providers
  access control ... 74
Session-Timeout ... 142
  Merit ... 118
  RAD ... 137
Settings section, LDAP authentication (SPE) ... 95
setup script (Sun) ... 36
shared secret (RAD) ... 125
silent installation file (Sun) ... 36
SNMP
  configuring
    community table ... 4
  configuring server
    JUNOSe router ... 4
  SDX Admin configuration ... 5
software
  CD installation (SPE) ... 88
software, installing ... xiii
source-address statement ... 9
SQL queries ... 52
sspServiceProfile and access control scheme ... 70
Steel-Belted Radius/SPE, software requirements ... 88
Stop requests ... 142
structure rules ... 20
  DIT ... 24
    management, servers, and operator subtrees example ... 32
    name forms ... 34
    policies, parameters, and cache profile subtrees example ... 30
    services, scopes, and network subtrees example ... 28
    Sr1, organizationalNameForm ... 24
    Sr2, personNameForm ... 24
    Sr3, organizationalNameForm ... 24
    Sr4, organizationalUnitNameForm ... 25
    Sr5, umcUserNameForm ... 25
    Sr6, umcRetailerNameForm ... 25
    subscriber subtree example ... 26
    workflow and locked objects subtrees example ... 31
subscribers
  access control scheme ... 74
  objects ... 21
subscriptions
  activating access for operators ... 77
  profile objects ... 22
substitutions
  access ... 78
  parameters in SDX ... 22
Sun ONE database
  backing up ... 65
  restoring ... 65
Sun ONE Directory Server
  add-on package ... 36–37
  product description ... 35
  silent installation feature ... 36
  software, obtaining ... 38
superuser environment (DirX) ... 48
swmtool, starting (Sun) ... 38
system backup ... 63–66
system management
  access control scheme ... 73
  sending traps ... 23
system requirements
  Merit ... 110
  RAD ... 124
  SPE ... 88
T
TargetNumber (SPE) ... 96
templates, service template objects ... 22
Terminate-Cause ... 142
test script (Merit) ... 121
test user password (RAD) ... 125
text conventions defined ... xii
Tomcat installation (RAD) ... 124
transaction-based RADIUS protocol
  Merit ... 111
  RAD ... 126
  SPE ... 91
transferring
  data to directory ... 49
traps
  configuring where to send traps ... 23
troubleshooting
  JUNOS routing platform ... 11
  JUNOSe routers ... 6
U
UDP ports
  changing default
    Merit ... 111
    RAD ... 126, 128
  Merit ... 111
  RAD ... 126, 139
  RADIUS client
    Merit ... 120
    SPE ... 104
  SPE ... 91, 92
uid-uniqueness plug-in (Sun) ... 36
UmcConfiguration and access controls ... 70
UMCdirxa add-on package (DirX)
  access control ... 42
  features ... 42
  installing ... 45
  schema requirements ... 42
UMCiDSa add-on package (Sun) ... 36, 37, 38
UMCradius (Sun) ... 36
umcRadius Person and access control scheme ... 71
umcRetailerNameForm ... 25
umcUser and access control scheme ... 71
umcUserNameForm ... 25
umcVirtualRouter ... 23
Unisphere VSA, updating (RAD) ... 129
UNIX password checking (Merit) ... 110
updating the system software ... xiii
UpperCaseName (SPE) ... 96
user class in access control lists ... 68
user password, specifying (Merit) ... 121
user subtree and access control scheme ... 76
User-Id ... 142
username, authentication credentials (SPE) ... 104
User-Request ... 142
V
variables.tcl file (DirX) ... 42
vendor files
  Merit ... 115
  RAD ... 131
  SPE ... 91
vendor-specific attributes
  Merit ... 115
  RAD ... 131
VPN Subscription Deactivator ... 61
vpndatamgt script ... 53
VPNs (virtual private networks)
  adding
    data integrator ... 59
W
workflow elements, storing in UMC directory ... 23
workflow subtree and access control scheme ... 75
X
XML documents ... 50
XML File Reader ... 56
XML File Writer ... 57
XSLT files ... 52
XSLT transformers ... 50