Junos OS Release 12.1X47 Feature Guide


Junos OS Release 12.1X47-D15
19 November 2014
Revision 1

This feature guide accompanies Junos OS Release 12.1X47-D15. This guide contains detailed information about new or enhanced functionality introduced in Junos OS Release 12.1X47-D15 that is summarized in the Release Notes.

Contents

New Features in Junos OS Release 12.1X47-D15
  Application Identification and Tracking
    Customizing Application Groups for Junos OS Application Identification
    SSL Proxy
  Authentication, Authorization, and Accounting (AAA) (RADIUS)
    Configuring RADIUS Server Authentication
    Configuring RADIUS System Accounting
    destination (Accounting)
    radius-options
    radius-server
  Chassis Cluster
    Encrypted Control Link
  Flow-Based and Packet-Based Processing
    Data Path Debugging for SRX Series Devices
  Interfaces and Chassis
    Next-Generation Switch Control Board II (SRX5K-SCBE) and Routing Engine (SRX5K-RE-1800X4) for SRX5400, SRX5600, and SRX5800 Devices
  IPv6
    Establishing an Outbound SSH Connection
  Network Address Translation (NAT)
    Understanding Source NAT Pools
    Understanding NAT64 IPv6 Prefix to IPv4 Address-Persistent Translation
    [edit security nat] Hierarchy Level
    source (Security Source NAT)
    pool (Security Source NAT)
    address-persistent (Security Source NAT Pool)
    Example: Configuring Address Persistent NAT64 Pools
    show security nat source pool
  Management
    Network Management and Monitoring
    TCP/TLS Support for Real-Time Logging
    System Log Messages
Documentation Feedback
Requesting Technical Support
  Self-Help Online Tools and Resources
  Opening a Case with JTAC
Revision History

New Features in Junos OS Release 12.1X47-D15

Junos OS Release 12.1X47-D15 introduces the following features:

  Application Identification and Tracking on page 3
  Authentication, Authorization, and Accounting (AAA) (RADIUS) on page 14
  Chassis Cluster on page 24
  Flow-Based and Packet-Based Processing on page 49
  Interfaces and Chassis on page 54
  IPv6 on page 94
  Network Address Translation (NAT) on page 97
  Management on page 116

Application Identification and Tracking

  Customizing Application Groups for Junos OS Application Identification on page 3
  SSL Proxy on page 8

Customizing Application Groups for Junos OS Application Identification

  Customizing Application Groups for Junos OS Application Identification on page 3
  Enabling Application Groups in Junos OS Application Identification on page 4
  Example: Configuring a Custom Application Group for Junos OS Application Identification for Simplified Management on page 4
  application-group (Services) on page 8

Customizing Application Groups for Junos OS Application Identification

The hierarchy of application groups resembles a tree structure with associated applications as the leaf nodes. The group any refers to the root node. The group unassigned is always situated one level from the root and initially contains all applications. When a group is defined, applications are assigned from the unassigned group to the new group. When a group is deleted, its applications are moved back to the unassigned group.

All predefined application groups have the prefix junos in the application group name to prevent naming conflicts with custom application groups. You cannot modify the list of applications within a predefined application group. However, you can copy a predefined application group to use it as a template for creating a custom application group.

To customize a predefined application group, you must first disable the predefined group. Note that a disabled predefined application group remains disabled after an application database update. You can then use the operational command request services application-identification group to copy the disabled predefined application group. The copied group is placed in the configuration file, and the prefix junos is changed to my. At this point, you can modify the list of applications in the my application group and rename the group with a unique name.

To reassign an application from one custom group to another, you must remove the application from its current custom application group, and then reassign it to the other.

Enabling Application Groups in Junos OS Application Identification

All application groups are enabled by default. Predefined application groups are enabled at installation. For predefined application groups, you can disable and reenable a group using the request services application-identification group command. You cannot delete a predefined signature or signature group.

To disable a predefined application group:

  user@host> request services application-identification group disable predefined-application-group-name

To reenable a disabled predefined application group:

  user@host> request services application-identification group enable predefined-application-group-name

Example: Configuring a Custom Application Group for Junos OS Application Identification for Simplified Management

This example shows how to configure custom application groups for Junos OS application identification for consistent reuse when defining policies.

  Requirements on page 4
  Overview on page 4
  Configuration on page 5

Requirements

Before you begin, install an entire signature database from an IDP or an application identification security package.

Overview

In this example, you define applications for an application group, delete an application from an application group, and include an application group within another application group. In Junos OS, application identification allows you to group applications in policies. Applications can be grouped under predefined and custom application groups. The entire predefined application group can be downloaded as part of the IDP or application identification security package. You can create custom application groups with a set of similar applications for consistent reuse when defining policies.

NOTE: You cannot modify the applications defined in a predefined application group. However, you can copy a predefined application group using the operational command request services application-identification group group-name copy to create a custom application group and modify the list of applications. For more information, see request services application-identification group.

Configuration

  Configuring Junos OS Application Identification User-Defined Application Groups on page 5
  Deleting an Application from a User-Defined Application Group on page 6
  Creating Child Application Groups for an Application Group on page 7

Configuring Junos OS Application Identification User-Defined Application Groups

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

  set services application-identification application-group my_web
  set services application-identification application-group my_web applications junos:http
  set services application-identification application-group my_web applications junos:ftp
  set services application-identification application-group my_web applications junos:gopher
  set services application-identification application-group my_web applications junos:amazon
  set services application-identification application-group my_peer
  set services application-identification application-group my_peer applications junos:bittorrent
  set services application-identification application-group my_peer applications junos:bittorrent-dht
  set services application-identification application-group my_peer applications junos:bittorrent-udp
  set services application-identification application-group my_peer applications junos:bittracker

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a custom application group for application identification:

1. Set the name of your custom application group.

     [edit services application-identification]
     user@host# set application-group my_web

2. Add the list of applications that you want to include in your custom application group.

     [edit services application-identification]
     user@host# set application-group my_web applications junos:http
     user@host# set application-group my_web applications junos:ftp
     user@host# set application-group my_web applications junos:gopher
     user@host# set application-group my_web applications junos:amazon

3. Set the name of a second custom application group.

     [edit services application-identification]
     user@host# set application-group my_peer

4. Add the list of applications that you want to include in the group.

     [edit services application-identification]
     user@host# set application-group my_peer applications junos:bittorrent
     user@host# set application-group my_peer applications junos:bittorrent-dht
     user@host# set application-group my_peer applications junos:bittorrent-udp
     user@host# set application-group my_peer applications junos:bittracker

Results

From configuration mode, confirm your configuration by entering the show services application-identification group command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  [edit]
  user@host# show services application-identification application-group my_web
  applications {
      junos:http;
      junos:ftp;
      junos:gopher;
      junos:amazon;
  }

  user@host# show services application-identification application-group my_peer
  applications {
      junos:bittorrent;
      junos:bittorrent-dht;
      junos:bittorrent-udp;
      junos:bittracker;
  }

If you are done configuring the device, enter commit from configuration mode.

Deleting an Application from a User-Defined Application Group

CLI Quick Configuration

To quickly configure this section of the example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

  [edit]
  delete services application-identification application-group my_web applications junos:amazon

Step-by-Step Procedure

To delete an application from a custom application group:

  [edit services application-identification]
  user@host# delete application-group my_web applications junos:amazon

Results

From configuration mode, confirm your configuration by entering the show services application-identification application group detail command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  [edit]
  show services application-identification group detail
  application group my_web {
      junos:http;
      junos:ftp;
      junos:gopher;
  }

If you are done configuring the device, enter commit from configuration mode.

Creating Child Application Groups for an Application Group

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

  set services application-identification application-group p2p
  set services application-identification application-group p2p application-groups my_web
  set services application-identification application-group p2p application-groups my_peer

Step-by-Step Procedure

To configure child application groups for a custom application group:

1. Set the name of the custom application group in which you are configuring the child application groups.

     [edit services application-identification]
     user@host# set application-group p2p

2. Add the child application groups.

     [edit services application-identification]
     user@host# set application-group p2p application-groups my_web
     user@host# set application-group p2p application-groups my_peer

Results

From configuration mode, confirm your configuration by entering the show services application-identification application-group application-group-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  [edit]
  user@host# show services application-identification application-group p2p
  application-groups {
      my_web;
      my_peer;
  }

If you are done configuring the device, enter commit from configuration mode.
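The rules the guide states for application groups (a tree rooted at any, an unassigned group that initially holds every application, one group per application, deleted groups returning their applications to unassigned, the reserved junos prefix) are easy to get wrong when scripting configuration. The model below is an added example in Python, not code from the guide or from Junos OS; it enforces those rules in memory and renders the same set statements the example above uses. The application names are the ones in the example; the AppIdHierarchy class and its methods are this example's own.

```python
from dataclasses import dataclass, field

# Application names from the guide's example; the full catalogue on a device is far larger.
APPS = ["junos:http", "junos:ftp", "junos:gopher", "junos:amazon",
        "junos:bittorrent", "junos:bittorrent-dht", "junos:bittorrent-udp",
        "junos:bittracker"]


@dataclass
class AppGroup:
    name: str
    applications: set = field(default_factory=set)
    child_groups: set = field(default_factory=set)


class AppIdHierarchy:
    """Tree of application groups: 'any' is the root, 'unassigned' sits one level
    below it and initially contains every application."""

    def __init__(self, all_applications):
        self.groups = {
            "any": AppGroup("any", child_groups={"unassigned"}),
            "unassigned": AppGroup("unassigned", set(all_applications)),
        }

    def owner_of(self, app):
        # An application belongs to at most one group, so the first match is the only one.
        for group in self.groups.values():
            if app in group.applications:
                return group.name
        raise KeyError(f"unknown application: {app}")

    def can_assign(self, app):
        """True when the application is still in 'unassigned', i.e. free to be grouped."""
        return self.owner_of(app) == "unassigned"

    def create_group(self, name):
        # The 'junos' prefix is reserved for predefined groups, which cannot be edited.
        if name in self.groups or name.startswith("junos"):
            raise ValueError(f"cannot create group {name!r}")
        self.groups[name] = AppGroup(name)
        self.groups["any"].child_groups.add(name)

    def assign(self, group, app):
        owner = self.owner_of(app)
        if owner != "unassigned":
            # The guide requires deleting the application from its current custom
            # group before it can be reassigned to another one.
            raise ValueError(f"{app} is already in {owner}; delete it there first")
        self.groups["unassigned"].applications.remove(app)
        self.groups[group].applications.add(app)

    def delete_application(self, group, app):
        self.groups[group].applications.remove(app)
        self.groups["unassigned"].applications.add(app)

    def add_child_group(self, parent, child):
        if parent not in self.groups or child not in self.groups:
            raise KeyError("both groups must exist before nesting them")
        self.groups["any"].child_groups.discard(child)   # child now hangs under parent
        self.groups[parent].child_groups.add(child)

    def delete_group(self, name):
        group = self.groups.pop(name)
        # Deleting a group moves its applications back to 'unassigned'.
        self.groups["unassigned"].applications |= group.applications
        for other in self.groups.values():
            other.child_groups.discard(name)

    def set_commands(self):
        """Render the custom groups as the 'set' statements the guide shows."""
        prefix = "set services application-identification application-group"
        cmds = []
        for group in self.groups.values():
            if group.name in ("any", "unassigned"):
                continue
            cmds.append(f"{prefix} {group.name}")
            cmds += [f"{prefix} {group.name} applications {a}" for a in sorted(group.applications)]
            cmds += [f"{prefix} {group.name} application-groups {g}" for g in sorted(group.child_groups)]
        return cmds


def build_guide_example():
    """Reproduce the guide's my_web / my_peer / p2p walkthrough and return the hierarchy."""
    h = AppIdHierarchy(APPS)
    h.create_group("my_web")
    for app in ("junos:http", "junos:ftp", "junos:gopher", "junos:amazon"):
        h.assign("my_web", app)
    h.create_group("my_peer")
    for app in ("junos:bittorrent", "junos:bittorrent-dht", "junos:bittorrent-udp", "junos:bittracker"):
        h.assign("my_peer", app)
    h.delete_application("my_web", "junos:amazon")   # the deletion step of the example
    h.create_group("p2p")
    h.add_child_group("p2p", "my_web")
    h.add_child_group("p2p", "my_peer")
    return h


if __name__ == "__main__":
    print("\n".join(build_guide_example().set_commands()))
```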

application-group (Services)

Syntax

  application-group group-name {
      application-groups application-group-name;
      applications application-name;
  }

Hierarchy Level

  [edit services application-identification]

Release Information

  Statement introduced in Junos OS Release

Description

  Specify any number of associated predefined applications, user-defined applications, and other groups for ease of use in configuring application-based policies. An application group is hierarchical: a tree structure of groups with applications as the leaf nodes.

Options

  group-name: Name of the group. This name is used in policy configuration statements in place of multiple predefined applications, user-defined applications, or other groups.

  application-groups application-group-name: Name of an application group to be assigned to this group. There is no maximum number of groups that can be assigned to a group. Use multiple commands to assign multiple groups.

  applications application-name: Name of an application to be assigned to this group. An application can remain unassigned or be assigned to a group, but it cannot be assigned to more than one group. There is no maximum number of applications that can be assigned to a group. Use multiple commands to assign multiple applications.

Required Privilege Level

  security: To view this statement in the configuration.
  security-control: To add this statement to the configuration.

SSL Proxy

  show services application-identification counter (AppSecure)
  show services application-identification application-system-cache (View)
  clear services application-identification counter (Values)

show services application-identification counter (AppSecure)

Syntax

  show services application-identification counter <ssl-encrypted-sessions>

Release Information

  Command introduced in Junos OS Release
  Output updated in Junos OS Release 12.1X47-D10.
  Command and output updated in Junos OS Release 12.1X47-D15.

Description

  Display the status of all Junos OS application identification counter values per SPU.

Options

  ssl-encrypted-sessions: Display counters for SSL encrypted sessions.

Required Privilege Level

  view

Related Documentation

  Application Identification Feature Guide for Security Devices
  clear services application-identification counter (Values)

List of Sample Output

  show services application-identification counter on page 10
  show services application-identification counter ssl-encrypted-sessions on page 11

Output Fields

Table 1 on page 9 lists the output fields for the show services application-identification counter command. Output fields are listed in an approximate order in which they appear.

Table 1: show services application-identification counter Output Fields (Field Name: Field Description)

  PIC: PIC number of the accumulated statistics. NOTE: The PIC number is always displayed as 0 for branch SRX Series devices.
  Unknown applications: Number of unknown applications.
  Encrypted unknown applications: Number of encrypted unknown applications.
  Cache hits: Number of sessions that matched the application in the AI cache.
  Cache misses: Number of sessions that did not find the application in the AI cache.
  Client-to-server packets processed: Number of client-to-server packets processed.
  Server-to-client packets processed: Number of server-to-client packets processed.
  Client-to-server bytes processed: Number of client-to-server payload bytes processed.
  Server-to-client layer bytes processed: Number of server-to-client payload bytes processed.
  Client-to-server encrypted packets processed: Number of client-to-server encrypted packets processed.
  Server-to-client encrypted packets processed: Number of server-to-client encrypted packets processed.
  Client-to-server encrypted bytes processed: Number of client-to-server encrypted payload bytes processed.
  Server-to-client layer encrypted bytes processed: Number of server-to-client encrypted payload bytes processed.
  Sessions bypassed due to resource allocation failure: Number of sessions bypassed due to resource allocation failure.
  Segment case 1 - New segment to left: TCP segments contained before the previous segment.
  Segment case 2 - New segment overlap right: TCP segments that start before the previous segment and are contained in it.
  Segment case 3 - Old segment overlapped: TCP segments that start before the previous segment and extend beyond it.
  Segment case 4 - New segment overlapped: TCP segments that start and end within the previous segment.
  Segment case 5 - New segment overlap left: TCP segments that start within the previous segment and extend beyond it.
  Segment case 6 - New segment to right: TCP segments that start after the previous segment. This is the normal case.

Sample Output

show services application-identification counter

  user@host> show services application-identification counter
  pic: 6/0
  Counter type                                              Value
  Unknown applications                                      5
  Encrpted unknown applications                             0
  Cache hits                                                0
  Cache misses                                              8
  Client-to-server packets processed                        678
  Server-to-client packets processed                        0
  Client-to-server bytes processed
  Server-to-client bytes processed                          0
  Client-to-server encrypted packets processed              0
  Server-to-client encrypted packets processed              0
  Client-to-server encrypted bytes processed                0
  Server-to-client encrypted bytes processed                0
  Sessions bypassed due to resource allocation failure      0
  Segment case 1 - New segment to left                      0
  Segment case 2 - New segment overlap right                0
  Segment case 3 - Old segment overlapped                   0
  Segment case 4 - New segment overlapped                   0
  Segment case 5 - New segment overlap left                 0
  Segment case 6 - New segment to right                     0

Sample Output

show services application-identification counter ssl-encrypted-sessions

  user@host> show services application-identification counter ssl-encrypted-sessions
  pic: 1/0
  Counter type                                              Value
  AI cache hits                                             0
  AI cache hits by nested application                       0
  AI cache misses                                           0
  AI matches                                                0
  AI uni-matches                                            0
  AI no-matches                                             0
  AI partial matches                                        0
  AI no-partial matches                                     0
  Sessions that triggered Appid create session API          0
  Sessions that do not incur signature match or decoding    0
  Sessions that incur signature match or decoding           0
  Client-to-server packets processed                        0
  Server-to-client packets processed                        0
  Client-to-server layer-7 bytes processed                  0
  Server-to-client layer-7 bytes processed                  0
  Terminal first data packets on both direction             0
  pic: 1/1
  Counter type                                              Value
  AI cache hits                                             0
  AI cache hits by nested application                       0
  AI cache misses                                           0
  AI matches                                                0
  AI uni-matches                                            0
  AI no-matches                                             0
  AI partial matches                                        0
  AI no-partial matches                                     0
  Sessions that triggered Appid create session API          0
  Sessions that do not incur signature match or decoding    0
  Sessions that incur signature match or decoding           0
  Client-to-server packets processed                        0
  Server-to-client packets processed                        0
  Client-to-server layer-7 bytes processed                  0
  Server-to-client layer-7 bytes processed                  0
  Terminal first data packets on both direction             0
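The counter output above is what an operator polls to see whether application identification is actually classifying traffic. The parser and checks below are an added example in Python, not code from the guide or from Junos OS: the sample text is constructed in the same layout as the command output (two PICs, with non-zero values chosen so the checks have something to report), and the thresholds in review_counters are this example's own choices, not values from the guide.

```python
import re

# Constructed sample in the layout of 'show services application-identification counter'.
SAMPLE_OUTPUT = """\
pic: 6/0
Counter type                                            Value
Unknown applications                                    5
Encrypted unknown applications                          2
Cache hits                                              120
Cache misses                                            8
Client-to-server packets processed                      678
Server-to-client packets processed                      0
Sessions bypassed due to resource allocation failure    3
Segment case 3 - Old segment overlapped                 1
Segment case 6 - New segment to right                   640
pic: 6/1
Counter type                                            Value
Unknown applications                                    0
Encrypted unknown applications                          0
Cache hits                                              40
Cache misses                                            1
Client-to-server packets processed                      200
Server-to-client packets processed                      0
Sessions bypassed due to resource allocation failure    0
Segment case 6 - New segment to right                   200
"""

PIC_RE = re.compile(r"^pic:\s*(\S+)\s*$")
# Counter names may themselves contain digits ("Segment case 3 - ..."), so anchor
# the value as the final run of digits on the line.
ROW_RE = re.compile(r"^(.*?\S)\s+(\d+)\s*$")


def parse_counters(text):
    """Return {pic: {counter name: int}} from the command output.
    Rows without a value (the guide's own sample has one) are skipped."""
    result, current = {}, None
    for line in text.splitlines():
        m = PIC_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        if current is None or line.startswith("Counter type"):
            continue
        m = ROW_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return result


def review_counters(counters, min_hit_ratio=0.5):
    """Flag per-PIC conditions worth a look; returns (pic, finding, value) tuples."""
    findings = []
    for pic, c in counters.items():
        bypassed = c.get("Sessions bypassed due to resource allocation failure", 0)
        if bypassed:
            # Bypassed sessions were never classified, so application-based
            # policies could not have applied to them.
            findings.append((pic, "sessions-bypassed", bypassed))
        hits, misses = c.get("Cache hits", 0), c.get("Cache misses", 0)
        if hits + misses and hits / (hits + misses) < min_hit_ratio:
            findings.append((pic, "low-cache-hit-ratio", round(hits / (hits + misses), 2)))
        unknown = c.get("Unknown applications", 0) + c.get("Encrypted unknown applications", 0)
        if unknown:
            findings.append((pic, "unknown-applications", unknown))
        # Segment cases 1 to 5 are out-of-order or overlapping TCP segments;
        # case 6 is the normal in-order case and is not counted here.
        overlaps = sum(v for k, v in c.items()
                       if k.startswith("Segment case") and not k.startswith("Segment case 6"))
        if overlaps:
            findings.append((pic, "tcp-segment-overlaps", overlaps))
    return findings


if __name__ == "__main__":
    for finding in review_counters(parse_counters(SAMPLE_OUTPUT)):
        print(*finding)
```

Run against real output, the same functions can be fed the text of the command captured over SSH or NETCONF; only the per-PIC dictionaries and the thresholds need to change.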

show services application-identification application-system-cache (View)

Syntax

  show services application-identification application-system-cache

Release Information

  Command introduced in Junos OS Release
  Command updated in Junos OS Release 12.1X47-D10.
  Output updated in Junos OS Release 12.1X47-D15.

Description

  Display application ID from default port/protocol binding or from the application system cache.

Required Privilege Level

  view

Related Documentation

  Application Identification Feature Guide for Security Devices
  clear services application-identification application-system-cache (Junos OS)

List of Sample Output

  show services application-identification application-system-cache on page 13

Output Fields

Table 2 on page 12 lists the output fields for the show services application-identification application-system-cache command. Output fields are listed in the approximate order in which they appear.

Table 2: show services application-identification application-system-cache Output Fields (Field Name: Field Description)

  application-cache: On or Off status of the application cache.
  nested-application-cache: On or Off status of the nested application cache.
  cache-unknown-result: On or Off status for caching unknown results.
  cache-entry-timeout: The number of seconds the mapping information is saved.
  pic: PIC number of the accumulated statistics. NOTE: The PIC number is always displayed as 0 for branch SRX Series devices.
  Logical system name: Name of a specific logical system.
  IP address: IP address.
  Port: Port number.
  Protocol: Type of protocol.
  Application: Name of the application.
  Encrypted: Yes or No to identify the traffic as encrypted or not.

Sample Output

show services application-identification application-system-cache

  user@host> show services application-identification application-system-cache
  Application System Cache Configurations:
    application-cache: on
    nested-application-cache: on
    cache-unknown-result: on
    cache-entry-timeout: 3600 seconds
  pic: 1/0
    Logical system name: root-logical-system
    IP address:   Port: 443   Protocol: TCP   Application: SSL   Encrypted: Yes
  pic: 1/1
    Logical system name: root-logical-system
    IP address:   Port: 80    Protocol: TCP   Application: HTTP  Encrypted: No

clear services application-identification counter (Values)

Syntax

  clear services application-identification counter <ssl-encrypted-sessions>

Release Information

  Command introduced in Junos OS Release
  Command updated in Junos OS Release 12.1X47-D15.

Description

  Reset all the Junos OS application identification counter values.

Options

  ssl-encrypted-sessions: Reset application identification counter values for SSL encrypted sessions.

Required Privilege Level

  clear

Related Documentation

  Application Identification Feature Guide for Security Devices
  show services application-identification counter (AppSecure)

List of Sample Output

  clear services application-identification counter on page 14

Output Fields

  When you enter this command, you are provided feedback on the status of your request.

Sample Output

clear services application-identification counter

  user@host> clear services application-identification counter
  clear_counter_class: counters cleared, status = 0

Authentication, Authorization, and Accounting (AAA) (RADIUS)

  Configuring RADIUS Server Authentication on page 14
  Configuring RADIUS System Accounting on page 18
  destination (Accounting) on page 21
  radius-options on page 22
  radius-server on page 23

Configuring RADIUS Server Authentication

RADIUS authentication is a method of authenticating users who attempt to access the router or switch. Junos OS supports two protocols for central authentication of users on multiple routers: RADIUS and TACACS+. We recommend RADIUS because it is a multivendor IETF standard, and its features are more widely accepted than those of TACACS+ or other proprietary systems. In addition, we recommend using a one-time-password system for increased security; all vendors of these systems support RADIUS.

You should use RADIUS when your priorities are interoperability and performance:

  Interoperability: RADIUS is more interoperable than TACACS+, primarily because of the proprietary nature of TACACS+. While TACACS+ supports more protocols, RADIUS is universally supported.

  Performance: RADIUS is much lighter on your routers and switches, and for this reason network engineers generally prefer RADIUS over TACACS+.

To use RADIUS authentication on the device, configure information about one or more RADIUS servers on the network by including one radius-server statement at the [edit system] hierarchy level for each RADIUS server.

Because remote authentication is configured on multiple devices, it is commonly configured inside of a configuration group. As such, the steps shown here are in a configuration group called global. Using a configuration group is optional.

To configure authentication by a RADIUS server:

1. Add an IPv4 or IPv6 server address.

   Configure an IPv4 source address and server address:

     [edit groups global]
     user@host# set system radius-server server-address source-address source-address

   For example:

     [edit groups global]
     user@host# set system radius-server source-address

   Configure an IPv6 source address and server address:

     [edit groups global system radius-server server-address]
     user@host# set server-address secret secretkey source-address source-address

   For example:

     [edit groups global system radius-server :: ]
     user@host# set secret $9$lPOv87ZGiH.5JGn/AtOB7-dVgo source-address ::

   The source address is a valid IPv4 or IPv6 address configured on one of the router or switch interfaces. This configuration sets a fixed address as the source address for locally generated IP packets. The server address is a unique IPv4 or IPv6 address that is assigned to a particular server and used to route information to the server. If the Junos OS device has several interfaces that can reach the RADIUS server, assign an IP address that Junos OS can use for all its communication with the RADIUS server.

2. Include a shared secret password.

   You must specify a password in the secret password statement. If the password contains spaces, enclose it in quotation marks. The secret password used by the local router or switch must match that used by the server. The secret password configures the password that the Junos OS device uses to access the RADIUS server.

     [edit groups global system radius-server server-address]
     user@host# set secret password

   For example:

     [edit groups global system radius-server ]
     user@host# set secret $9$gQ4UHf5F36CiH.5Tz9CuO1hreM8xw2oIENVwgZG

3. If necessary, specify a port on which to contact the RADIUS server.

   By default, port number 1812 is used (as specified in RFC 2865).

   NOTE: You can also specify an accounting port to send accounting packets with the accounting-port statement. The default is 1813 (as specified in RFC 2866).

     [edit groups global system radius-server server-address]
     user@host# set port port-number

   For example:

     [edit groups global system radius-server ]
     user@host# set port

4. Specify the order in which Junos OS attempts authentication.

   You must include the authentication-order statement in your remote authentication configuration. The example assumes your network includes both RADIUS and TACACS+ servers. In this example, whenever a user attempts to log in, Junos OS begins by querying the RADIUS server for authentication. If it fails, it next attempts authentication with locally configured user accounts. Finally, the TACACS+ server is tried.

     [edit groups global system]
     user@host# set authentication-order [ authentication-methods ]

   For example:

     [edit groups global system]
     user@host# set authentication-order [ radius password tacplus ]

5. Assign a login class to RADIUS-authenticated users.

   You can assign different user templates and login classes to RADIUS-authenticated users. This allows RADIUS-authenticated users to be granted different administrative permissions on the Junos OS device. By default, RADIUS-authenticated users use the remote user template and are assigned to the associated class, which is specified in the remote user template, if the remote user template is configured.

   The username remote is a special case in Junos OS. It acts as a template for users who are authenticated by a remote server but do not have a locally configured user account on the device. In this method, Junos OS applies the permissions of the remote template to those authenticated users without a locally defined account. All users mapped to the remote template are of the same login class.

In the Junos OS configuration, a user template is configured in the same way as a regular local user account, except that no local authentication password is configured because the authentication is remotely performed on the RADIUS server.

To use the same permissions for all RADIUS-authenticated users:

  [edit groups global system login]
  user@host# set user remote class class

For example:

  [edit groups global system login]
  user@host# set user remote class super-user

To have different login classes be used for different RADIUS-authenticated users, granting them different permissions:

a. Create multiple user templates in the Junos OS configuration. Every user template can be assigned a different login class. For example:

     [edit groups global system login]
     set user RO class read-only
     set user OP class operator
     set user SU class super-user
     set user remote full-name "default remote access user template"
     set user remote class read-only

b. Have the RADIUS server specify the name of the user template to be applied to the authenticated user.

   For a RADIUS server to indicate which user template is to be applied, it needs to include the Juniper-Local-User-Name attribute (Vendor 2636, type 1, string) Juniper VSA (vendor-specific attribute) in the RADIUS Access-Accept message. The string value in the Juniper-Local-User-Name must correspond to the name of a configured user template on the device. For a list of relevant Juniper RADIUS VSAs, see Juniper Networks Vendor-Specific RADIUS Attributes.

   If the Juniper-Local-User-Name is not included in the Access-Accept message or the string contains a user template name that does not exist on the device, the user is assigned to the remote user template, if configured. If it is not configured, authentication fails for the user.

   After logging in, the remotely authenticated user retains the same username that was used to log in. However, the user inherits the user class from the assigned user template.

In a RADIUS server, users can be assigned a Juniper-Local-User-Name string, which indicates the user template to be used in the Junos OS device. From the previous example, the string would be RO, OP, or SU.

Configuration of the RADIUS server depends on the server being used. For instructions for the Juniper Steel-Belted Radius server, see Steel-Belted Radius (SBR) Enterprise. For information on using FreeRADIUS, see
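The Juniper-Local-User-Name attribute (Vendor 2636, type 1, string) and the template-selection rule from step 5 above, as an added example in Python; this is not code from the guide or from Juniper. The attribute layout follows the Vendor-Specific attribute format of RFC 2865 (type 26, length, 4-byte Vendor-Id, then vendor type, vendor length and the string). The template names and login classes are the ones used in the example above; the function names and the in-memory template table are this example's own assumptions, and select_login_class models the fallback behaviour the guide describes rather than reproducing Junos OS code.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type Vendor-Specific (RFC 2865 section 5.26)
JUNIPER_VENDOR_ID = 2636      # Vendor-Id named in the guide
JUNIPER_LOCAL_USER_NAME = 1   # vendor type of Juniper-Local-User-Name (string)


def encode_juniper_local_user_name(template):
    """Build the Vendor-Specific attribute that carries Juniper-Local-User-Name.
    Wire layout: Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length String."""
    value = template.encode("ascii")
    vendor_data = struct.pack("!BB", JUNIPER_LOCAL_USER_NAME, 2 + len(value)) + value
    header = struct.pack("!BB", VENDOR_SPECIFIC, 6 + len(vendor_data))
    return header + struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_data


def decode_juniper_local_user_name(attributes):
    """Walk a RADIUS attribute list (the body of an Access-Accept after the 20-byte
    header) and return the Juniper-Local-User-Name string, or None if absent."""
    offset, template = 0, None
    while offset + 2 <= len(attributes):
        attr_type, length = attributes[offset], attributes[offset + 1]
        if length < 2 or offset + length > len(attributes):
            raise ValueError("malformed RADIUS attribute")   # reject truncated or looping TLVs
        if attr_type == VENDOR_SPECIFIC and length >= 8:
            vendor_id = struct.unpack("!I", attributes[offset + 2:offset + 6])[0]
            if vendor_id == JUNIPER_VENDOR_ID:
                vendor_type, vendor_len = attributes[offset + 6], attributes[offset + 7]
                if vendor_type == JUNIPER_LOCAL_USER_NAME and 2 <= vendor_len <= length - 6:
                    template = attributes[offset + 8:offset + 6 + vendor_len].decode("ascii", "replace")
        offset += length
    return template


def select_login_class(attributes, configured_templates):
    """Apply the rule in the guide: use the named template when it exists on the
    device; otherwise fall back to the 'remote' template; if that is not configured,
    authentication fails. Returns (template name, login class) or None on failure."""
    name = decode_juniper_local_user_name(attributes)
    if name is not None and name in configured_templates:
        return name, configured_templates[name]
    if "remote" in configured_templates:
        return "remote", configured_templates["remote"]
    return None


# Constructed template table matching the 'set user ... class ...' lines above.
TEMPLATES = {"RO": "read-only", "OP": "operator", "SU": "super-user", "remote": "read-only"}

if __name__ == "__main__":
    accept_body = b"\x01\x07alice" + encode_juniper_local_user_name("SU")   # User-Name + VSA
    print(select_login_class(accept_body, TEMPLATES))
```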

18 Junos OS Release 12.1X47 Feature Guide Configuring RADIUS System Accounting With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. The framework for RADIUS accounting is described in RFC Tasks for configuring RADIUS system accounting are: 1. Configuring Auditing of User Events on a RADIUS Server on page Specifying RADIUS Server Accounting and Auditing Events on page Configuring RADIUS Server Accounting on page 18 Configuring Auditing of User Events on a RADIUS Server To audit user events, include the following statements at the [edit system accounting] hierarchy level: [edit system accounting] destination { radius { server { server-address { accounting-port port-number; max-outstanding-requests value; port port-number; retry value; secret password; source-address address; timeout seconds; Specifying RADIUS Server Accounting and Auditing Events To specify the events you want to audit when using a RADIUS server for authentication, include the events statement at the [edit system accounting] hierarchy level: [edit system accounting] events [ events ]; events is one or more of the following: login Audit logins change-log Audit configuration changes interactive-commands Audit interactive commands (any command-line input) Configuring RADIUS Server Accounting To configure RADIUS server accounting, include the server statement at the [edit system accounting destination radius] hierarchy level: 18

    server {
        server-address {
            accounting-port port-number;
            max-outstanding-requests value;
            port port-number;
            retry value;
            secret password;
            source-address address;
            timeout seconds;
        }
    }

server-address specifies the address of the RADIUS server. To configure multiple RADIUS servers, include multiple server statements.

NOTE: If no RADIUS servers are configured at the [edit system accounting destination radius] hierarchy level, Junos OS uses the RADIUS servers configured at the [edit system radius-server] hierarchy level.

accounting-port port-number specifies the RADIUS server accounting port number. The default port number is 1813.

NOTE: If you enable RADIUS accounting at the [edit access profile profile-name accounting-order] hierarchy level, accounting is triggered on the default port of 1813 even if you do not specify a value for the accounting-port statement.

You must specify a secret (password) that the local router or switch passes to the RADIUS client by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (" ").

In the source-address statement, specify a source address for the RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. The source address is a valid IPv4 or IPv6 address configured on one of the router or switch interfaces.

Optionally, you can specify the number of times that the router or switch attempts to contact a RADIUS authentication server by including the retry statement. By default, the router or switch retries three times. You can configure the router or switch to retry from 1 through 10 times.

Optionally, you can specify the length of time that the local router or switch waits to receive a response from a RADIUS server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure the timeout to be from 1 through 90 seconds.
If you use the enhanced-accounting statement at the [edit system radius-options] hierarchy level, RADIUS attributes such as access method, remote port, and access privileges can be audited. You can limit the number of attribute values to be displayed for auditing by using the enhanced-avs-max <number> statement at the [edit system accounting] hierarchy level.

    [edit system radius-options]
    enhanced-accounting;

    [edit system accounting]
    enhanced-avs-max <number>;

When a Juniper Networks router or switch is configured with RADIUS accounting, it sends Accounting-Start and Accounting-Stop messages to the RADIUS server. These messages contain information about user activities such as software logins, configuration changes, and interactive commands. This information is typically used for monitoring a network, collecting usage statistics, and ensuring that users are billed properly.

The following example shows three servers configured for RADIUS accounting:

    system {
        accounting {
            events [ login change-log interactive-commands ];
            destination {
                radius {
                    server {
                        server-address {
                            accounting-port 3333;
                            secret $9$dkafeqwrew;
                            source-address address;
                            retry 3;
                            timeout 3;
                        }
                        server-address {
                            secret $9$fe3erqwrez;
                        }
                        server-address {
                            secret $9$f34929ftby;
                        }
                    }
                }
            }
        }
    }
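As an added example (not Juniper's code), the following Python script audits a constructed set-format configuration against the rules above: event coverage, the fallback to [edit system radius-server] when no accounting server is defined, a secret on every server, and the retry, timeout and port ranges. The addresses and secrets in the sample are constructed.

```python
"""Audit a Junos 'set'-format configuration for RADIUS system accounting.

Added example, not Juniper's code. Sample config and addresses are constructed.
It applies the rules stated above: events should cover login, change-log and
interactive-commands; when no server exists under [edit system accounting
destination radius], the [edit system radius-server] list is used instead;
each server needs a secret; retry is 1..10 and timeout is 1..90 seconds;
accounting-port must be a valid UDP port (1..65535, default 1813).
"""
import shlex
from collections import defaultdict

REQUIRED_EVENTS = {"login", "change-log", "interactive-commands"}
RANGES = {
    "retry": (1, 10),
    "timeout": (1, 90),
    "accounting-port": (1, 65535),
    "port": (1, 65535),
}
ACCT_PREFIX = ("system", "accounting", "destination", "radius", "server")
GLOBAL_PREFIX = ("system", "radius-server")


def parse_set_config(text):
    """Return (events, accounting_servers, global_servers) from set statements.

    Each server map is {address: {option: value}}; shlex keeps a quoted
    secret containing spaces as a single value, as the CLI does.
    """
    events = set()
    acct = defaultdict(dict)
    glob = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tok = tuple(shlex.split(line)[1:])
        if tok[:3] == ("system", "accounting", "events"):
            events.update(t for t in tok[3:] if t not in ("[", "]"))
        elif tok[:5] == ACCT_PREFIX and len(tok) >= 7:
            acct[tok[5]][tok[6]] = tok[7] if len(tok) > 7 else True
        elif tok[:2] == GLOBAL_PREFIX and len(tok) >= 4:
            glob[tok[2]][tok[3]] = tok[4] if len(tok) > 4 else True
    return events, dict(acct), dict(glob)


def effective_servers(acct, glob):
    """Apply the fallback rule: accounting servers win, else the global list."""
    if acct:
        return "system accounting destination radius", acct
    return "system radius-server", glob


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    events, acct, glob = parse_set_config(text)
    findings = []
    missing = REQUIRED_EVENTS - events
    if missing:
        findings.append("events not audited: " + ", ".join(sorted(missing)))
    source, servers = effective_servers(acct, glob)
    if not servers:
        findings.append("no RADIUS accounting server configured")
    for addr, opts in servers.items():
        where = f"{source} {addr}"
        if "secret" not in opts:
            findings.append(f"{where}: no secret configured")
        for key, (lo, hi) in RANGES.items():
            if key in opts and not lo <= int(opts[key]) <= hi:
                findings.append(f"{where}: {key} {opts[key]} outside {lo}..{hi}")
    return findings


# Constructed sample: one server is fully specified but has an invalid
# timeout, the events list omits interactive-commands, and a global
# radius-server entry exists that would only be used as a fallback.
SAMPLE_CONFIG = """
set system accounting events [ login change-log ]
set system accounting destination radius server 192.0.2.10 accounting-port 3333
set system accounting destination radius server 192.0.2.10 secret "shared secret with spaces"
set system accounting destination radius server 192.0.2.10 retry 3
set system accounting destination radius server 192.0.2.10 timeout 120
set system accounting destination radius server 192.0.2.11 secret plainsecret
set system radius-server 192.0.2.99 secret fallback
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```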

destination (Accounting)

Syntax

    destination {
        radius {
            server {
                server-address {
                    accounting-port port-number;
                    max-outstanding-requests value;
                    port port-number;
                    retry value;
                    secret password;
                    source-address source-address;
                    timeout seconds;
                }
            }
        }
        tacplus {
            server {
                server-address {
                    port port-number;
                    secret password;
                    single-connection;
                    timeout seconds;
                }
            }
        }
    }

Hierarchy Level

    [edit system accounting]

Release Information

Statement introduced before Junos OS Release 7.4. radius statement added in Junos OS Release 7.4. Support for IPv6 source address added in Junos OS Release 12.1X47-D15.

Description

Configure the authentication server.

Options

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

    system          To view this statement in the configuration.
    system-control  To add this statement to the configuration.

radius-options

Syntax

    radius-options {
        attributes {
            nas-ip-address nas-ip-address;
        }
        password-protocol mschap-v2;
    }

Hierarchy Level

    [edit system]

Release Information

Statement introduced in Junos OS Release 8.5. Support for network access server (NAS) IPv6 address added in Junos OS Release 12.1X47-D15.

Description

Configure RADIUS options for the NAS-IP address for outgoing RADIUS packets and the password protocol used in RADIUS packets.

Options

    attributes                      Configure RADIUS attributes.
    nas-ip-address nas-ip-address   Valid IPv4 or IPv6 address of the NAS requesting user authentication.
    password-protocol mschap-v2     Protocol MS-CHAPv2, used for password authentication and password changing.

Required Privilege Level

    system          To view this statement in the configuration.
    system-control  To add this statement to the configuration.

radius-server

Syntax

    radius-server server-address {
        accounting-port port-number;
        max-outstanding-requests value;
        port port-number;
        retry value;
        secret password;
        source-address source-address;
        timeout seconds;
    }

Hierarchy Level

    [edit system]

Release Information

Statement introduced in Junos OS Release 8.5. Support for IPv6 source address added in Junos OS Release 12.1X47-D15.

Description

Configure the RADIUS server address for subscriber access management, Layer 2 Tunnelling Protocol (L2TP), or Point-to-Point Protocol (PPP). To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

Options

    server-address                   Address of the RADIUS server.
    accounting-port port-number      RADIUS server accounting port number.
                                     Range: 1 through 65,335
                                     Default: 1813
    port port-number                 RADIUS server authentication port number.
                                     Range: 1 through 65,335
                                     Default: 1812
    retry value                      Number of times that the router is allowed to attempt to contact a RADIUS server.
                                     Range: 1 through 10
                                     Default: 3
    secret password                  Password to use; it can include spaces if the character string is enclosed in quotation marks.
    max-outstanding-requests value   Maximum number of outstanding requests in flight to the server.
                                     Range: 1 through 65,335
    source-address source-address    Valid IPv4 or IPv6 address configured on one of the router or switch interfaces.
    timeout seconds                  Amount of time to wait for a response.
                                     Range: 1 through 90 seconds
                                     Default: 3 seconds

Required Privilege Level

    system          To view this statement in the configuration.
    system-control  To add this statement to the configuration.

Chassis Cluster

Encrypted Control Link

Encrypted Control Link

    Example: Configuring an SRX Series Services Gateway for the High-End as a Chassis Cluster
    Understanding the Low-Impact ISSU Process on Devices in a Chassis Cluster
    internal (Security IPsec)
    request security internal-security-association refresh
    show chassis cluster interfaces
    show security internal-security-association

Example: Configuring an SRX Series Services Gateway for the High-End as a Chassis Cluster

This example shows how to set up basic active/passive chassis clustering on a high-end SRX Series device.

    Requirements
    Overview
    Configuration
    Verification

Requirements

Before you begin:

You need two SRX5800 Services Gateways with identical hardware configurations, one MX240 edge router, and one EX8208 Ethernet Switch. Physically connect the two devices (back-to-back for the fabric and control ports) and ensure that they are the same models.

Before the cluster is formed, you must configure control ports for each device, assign a cluster ID and node ID to each device, and then reboot. When the system boots, both nodes come up as a cluster.

NOTE: Control port configuration is required for SRX5400, SRX5600, and SRX5800 devices. No control port configuration is needed for SRX1400, SRX3400, or SRX3600 devices.

To ensure secure login, configure the internal IPsec SA. When the internal IPsec is configured, IPsec-based rlogin and remote command (rcmd) are enforced, so an attacker cannot gain privileged access or observe traffic containing administrator commands and outputs. You do not need to configure the internal IPsec on both nodes; when you commit the configuration, both nodes are synchronized.

Only the 3des-cbc encryption algorithm is supported. You must ensure that the manual encryption key is ASCII text and 24 bytes long; otherwise, the configuration will result in a commit failure.

You have the option to enable iked-encryption. The device must be rebooted after this option is configured.

Enable iked-encryption:

    user@host# set security ipsec internal security-association manual encryption ike-ha-link-encryption enable

Enable the 3des-cbc encryption algorithm:

    user@host# set security ipsec internal security-association manual encryption algorithm 3des-cbc

Configure the encryption key:

    user@host# set security ipsec internal security-association manual encryption key ascii-text "$9$x.CNwgDi.Qz6HqORhy8LjHqm5FREyrK8QFSeKMN-24aUjqF39tu1mftOIhvMjHqf5FApBREy"

NOTE: The existing control link access is enhanced to prevent attackers from logging in to the system without authentication through the control link, because Telnet access is disabled. With IPsec used for internal communication between devices, the configuration information that passes through the chassis cluster link from the primary node to the secondary node is encrypted.

Activate internal IPsec:

    user@host> request security internal-security-association refresh

Use the show chassis cluster interfaces CLI command to verify that the internal SA is enabled:

    user@host> show chassis cluster interfaces
    Control link status: Up

    Control interfaces:
        Index   Interface   Status   Internal SA   <- new column
        0       em0         Up       enabled
        1       em1         Down     enabled

Configure the control port for each device, and commit the configuration. Select FPC 1/13, because the central point is always on the lowest SPC/SPU in the cluster (for this example, it is slot 0). For maximum reliability, place the control ports on a separate SPC from the central point (for this example, use the SPC in slot 1). You must enter the operational mode commands on both devices. For example:

On node 0:

    user@host# set chassis cluster control-ports fpc 1 port 0
    user@host# set chassis cluster control-ports fpc 13 port 0
    user@host# commit

On node 1:

    user@host# set chassis cluster control-ports fpc 1 port 0
    user@host# set chassis cluster control-ports fpc 13 port 0
    user@host# commit

Set the two devices to cluster mode. A reboot is required to enter cluster mode after the cluster ID and node ID are set. You can cause the system to boot automatically by including the reboot parameter in the CLI command line. You must enter the operational mode commands on both devices. For example:

On node 0:

    user@host> set chassis cluster cluster-id 1 node 0 reboot

On node 1:

    user@host> set chassis cluster cluster-id 1 node 1 reboot

The cluster ID is the same on both devices, but the node ID must be different because one device is node 0 and the other device is node 1. The range for the cluster ID is 1 through 255. Setting a cluster ID to 0 is equivalent to disabling a cluster. A cluster ID greater than 15 can only be set when the fabric and control link interfaces are connected back-to-back.

Now the devices are a pair. From this point forward, configuration of the cluster is synchronized between the node members, and the two separate devices function as one device.

Overview

This example shows how to set up basic active/passive chassis clustering on a high-end SRX Series device. The basic active/passive example is the most common type of chassis cluster. The following high-end SRX Series devices are supported:

    SRX1400
    SRX3400
    SRX3600
    SRX5400
    SRX5600
    SRX5800

The basic active/passive chassis cluster consists of two devices:

    One device actively provides routing, firewall, NAT, VPN, and security services, along with maintaining control of the chassis cluster.

    The other device passively maintains its state for cluster failover capabilities should the active device become inactive.

NOTE: This active/passive mode example for the SRX5800 Services Gateway does not describe in detail miscellaneous configurations such as how to configure NAT, security policies, or VPNs. They are essentially the same as they would be for standalone configurations. See NAT Overview, Security Policies Overview, and VPN Overview. However, if you are performing proxy ARP in chassis cluster configurations, you must apply the proxy ARP configurations to the reth interfaces rather than the member interfaces, because the reth interfaces hold the logical configurations. See Configuring Proxy ARP (CLI Procedure). You can also configure separate logical interface configurations using VLANs and trunked interfaces in the SRX5800 Services Gateway. These configurations are similar to the standalone implementations using VLANs and trunked interfaces.

Figure 1 on page 28 shows the topology used in this example.
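The following Python script is an added example, not Juniper's code, that encodes the requirements of this example (internal SA key format and algorithm, control ports on the high-end models, cluster ID and node ID rules) as pre-commit checks on constructed node plans and renders the per-node commands shown above.

```python
"""Pre-commit checks for forming a high-end SRX chassis cluster.

Added example, not Juniper's code; the node plans below are constructed. It
encodes the rules stated in this example: only 3des-cbc is supported for the
internal SA and its manual key must be ASCII text exactly 24 bytes long (else
the commit fails); control ports are required on SRX5400/5600/5800 and must
match on both nodes; both nodes must be the same model, share one cluster-id
in 1..255 (0 disables clustering, above 15 needs back-to-back fabric and
control links) and use node IDs 0 and 1.
"""
from dataclasses import dataclass, field

CONTROL_PORT_REQUIRED = {"SRX5400", "SRX5600", "SRX5800"}
CONTROL_PORT_OPTIONAL = {"SRX1400", "SRX3400", "SRX3600"}
SUPPORTED_MODELS = CONTROL_PORT_REQUIRED | CONTROL_PORT_OPTIONAL


@dataclass
class NodePlan:
    model: str
    cluster_id: int
    node_id: int
    control_ports: set = field(default_factory=set)  # {(fpc, port), ...}


def check_internal_sa_key(algorithm, key):
    """Problems with a manual internal-SA key as typed (the plaintext ascii-text
    value, not the $9$ form Junos stores); [] means it would commit."""
    problems = []
    if algorithm != "3des-cbc":
        problems.append(f"algorithm {algorithm} unsupported; only 3des-cbc")
    if not key.isascii():
        problems.append("key must be ASCII text")
    elif len(key) != 24:
        problems.append(f"key is {len(key)} bytes, must be exactly 24")
    return problems


def check_cluster_pair(node_a, node_b, back_to_back):
    """Problems that would stop the two plans from forming one cluster."""
    problems = []
    for n in (node_a, node_b):
        if n.model not in SUPPORTED_MODELS:
            problems.append(f"node {n.node_id}: {n.model} is not a supported model")
        if n.model in CONTROL_PORT_REQUIRED and not n.control_ports:
            problems.append(f"node {n.node_id}: control ports are required on {n.model}")
        if not 1 <= n.cluster_id <= 255:
            note = " (0 disables clustering)" if n.cluster_id == 0 else ""
            problems.append(f"node {n.node_id}: cluster-id {n.cluster_id} not in 1..255{note}")
    if node_a.model != node_b.model:
        problems.append("both nodes must be the same model")
    if node_a.cluster_id != node_b.cluster_id:
        problems.append("cluster-id must be identical on both nodes")
    if {node_a.node_id, node_b.node_id} != {0, 1}:
        problems.append("node IDs must be 0 and 1")
    if max(node_a.cluster_id, node_b.cluster_id) > 15 and not back_to_back:
        problems.append("cluster-id above 15 needs back-to-back fabric and control links")
    if node_a.control_ports != node_b.control_ports:
        problems.append("control-port configuration differs between the nodes")
    return problems


def control_port_commands(node):
    """Configuration-mode commands entered on a node before clustering."""
    cmds = [f"set chassis cluster control-ports fpc {fpc} port {port}"
            for fpc, port in sorted(node.control_ports)]
    return cmds + ["commit"]


def cluster_mode_command(node):
    """Operational-mode command that sets the IDs and reboots into cluster mode."""
    return f"set chassis cluster cluster-id {node.cluster_id} node {node.node_id} reboot"


# Constructed plans matching the example: two SRX5800s, control ports on the
# SPCs in slots 1 and 13, cluster-id 1, node IDs 0 and 1.
NODE0 = NodePlan("SRX5800", 1, 0, {(1, 0), (13, 0)})
NODE1 = NodePlan("SRX5800", 1, 1, {(1, 0), (13, 0)})

if __name__ == "__main__":
    print(check_internal_sa_key("3des-cbc", "abcdefghijklmnopqrstuvwx"))
    print(check_cluster_pair(NODE0, NODE1, back_to_back=True))
    for node in (NODE0, NODE1):
        print(f"On node {node.node_id}:")
        for cmd in control_port_commands(node):
            print("  user@host#", cmd)
        print("  user@host>", cluster_mode_command(node))
```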

Figure 1: Basic Active/Passive Chassis Clustering on a High-End SRX Series Device Topology Example

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

On {primary:node0}[edit]

    set interfaces fab0 fabric-options member-interfaces ge-11/3/0
    set interfaces fab1 fabric-options member-interfaces ge-23/3/0
    set groups node0 system host-name SRX
    set groups node0 interfaces fxp0 unit 0 family inet address /24
    set groups node0 system backup-router destination /16
    set groups node1 system host-name SRX
    set groups node1 interfaces fxp0 unit 0 family inet address /24
    set groups node1 system backup-router destination /16
    set apply-groups "${node}"
    set chassis cluster reth-count 2
    set chassis cluster redundancy-group 0 node 0 priority 129
    set chassis cluster redundancy-group 0 node 1 priority 128
    set chassis cluster redundancy-group 1 node 0 priority 129
    set chassis cluster redundancy-group 1 node 1 priority 128
    set interfaces xe-6/0/0 gigether-options redundant-parent reth0
    set interfaces xe-6/1/0 gigether-options redundant-parent reth1
    set interfaces xe-18/0/0 gigether-options redundant-parent reth0
    set interfaces xe-18/1/0 gigether-options redundant-parent reth1
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 0 family inet address /24
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 unit 0 family inet address /24
    set chassis cluster redundancy-group 1 interface-monitor xe-6/0/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-6/1/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-18/0/0 weight 255
    set chassis cluster redundancy-group 1 interface-monitor xe-18/1/0 weight 255
    set chassis cluster control-link-recovery
    set security zones security-zone untrust interfaces reth0.0
    set security zones security-zone trust interfaces reth1.0
    set routing-options static route /0 next-hop
    set routing-options static route /8 next-hop

To quickly configure an EX8208 Core Switch, copy the following commands and paste them into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

On {primary:node0}[edit]

    set interfaces xe-1/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
    set interfaces xe-2/0/0 unit 0 family ethernet-switching port-mode access vlan members SRX5800
    set interfaces vlan unit 50 family inet address /24
    set vlans SRX5800 vlan-id 50
    set vlans SRX5800 l3-interface vlan.50
    set routing-options static route /0 next-hop /24

To quickly configure an MX240 edge router, copy the following commands and paste them into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

On {primary:node0}[edit]

    set interfaces xe-1/0/0 encapsulation ethernet-bridge unit 0 family bridge
    set interfaces xe-2/0/0 encapsulation ethernet-bridge unit 0 family bridge
    set interfaces irb unit 0 family inet address /24
    set routing-options static route /8 next-hop
    set routing-options static route /0 next-hop (upstream router)
    set bridge-domains SRX5800 vlan-id X (could be set to none)
    set bridge-domains SRX5800 domain-type bridge routing-interface irb.0
    set bridge-domains SRX5800 domain-type bridge interface xe-1/0/0
    set bridge-domains SRX5800 domain-type bridge interface xe-2/0/0


More information

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide SonicWALL 6.2.0.0 Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide Contents SonicWALL Addendum 6.2.0.0... 3 New Network Features... 3 NAT with L2TP Client... 3 New Tools

More information

EXAM - JN ACX, Specialist (JNCIS-ACX) Buy Full Product.

EXAM - JN ACX, Specialist (JNCIS-ACX) Buy Full Product. Juniper EXAM - JN0-740 ACX, Specialist (JNCIS-ACX) Buy Full Product http://www.examskey.com/jn0-740.html Examskey Juniper JN0-740 exam demo product is here for you to test the quality of the product. This

More information

SRX Chassis Cluster Upgrade with Minimal Downtime (v0.7)

SRX Chassis Cluster Upgrade with Minimal Downtime (v0.7) SRX Chassis Cluster Upgrade with Minimal Downtime (v0.7) Assume that node0 is the primary for control plane (RG0) and data plane (RG1+) and configured with high priority than the secondary node. On the

More information

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall. This chapter describes how to configure the ASA for the. About the, page 1 Guidelines for the, page 7 Prerequisites for the, page 9 Configure the, page 10 Collect User Statistics, page 19 Examples for

More information

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x First Published: August 01, 2014 Last Modified: November 13, 2015 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Stateful NAT64 for Handling IPv4 Address Depletion Release NCE0030 Modified: 2017-01-23 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089

More information

Configuring TACACS+ About TACACS+

Configuring TACACS+ About TACACS+ This chapter describes how to configure the Terminal Access Controller Access Control System Plus (TACACS+) protocol on Cisco NX-OS devices. This chapter includes the following sections: About TACACS+,

More information

Flow Monitoring Feature Guide for EX9200 Switches

Flow Monitoring Feature Guide for EX9200 Switches Flow Monitoring Feature Guide for EX9200 Switches Modified: 2017-01-24 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, Junos, Steel-Belted

More information

Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, O'REILLY. Tim Eberhard, andjames Quinn INFORMATIQNSBIBLIOTHEK UNIVERSITATSBIBLIOTHEK

Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, O'REILLY. Tim Eberhard, andjames Quinn INFORMATIQNSBIBLIOTHEK UNIVERSITATSBIBLIOTHEK Junos Security Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, andjames Quinn TECHNISCHE INFORMATIQNSBIBLIOTHEK UNIVERSITATSBIBLIOTHEK HANNOVER O'REILLY Beijing Cambridge Farnham Kiiln Sebastopol

More information

Table of Contents 1 AAA Overview AAA Configuration 2-1

Table of Contents 1 AAA Overview AAA Configuration 2-1 Table of Contents 1 AAA Overview 1-1 Introduction to AAA 1-1 Authentication 1-1 Authorization 1-1 Accounting 1-2 Introduction to ISP Domain 1-2 Introduction to AAA Services 1-2 Introduction to RADIUS 1-2

More information

Maintenance Tasks CHAPTER

Maintenance Tasks CHAPTER CHAPTER 5 These topics describe the Maintenance tasks of Element Manager: Viewing Basic System Information, page 5-2 Configuring Basic System Information, page 5-3 Configuring Date and Time Properties,

More information

CBA850 3G/4G/LTE Wireless WAN Bridge Application Guide

CBA850 3G/4G/LTE Wireless WAN Bridge Application Guide CBA850 3G/4G/LTE Wireless WAN Bridge Application Guide Modified: 2016-06-06 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved.

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Access Control Configuration Guide Part number: 5998-2648 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

CCNA Security 1.0 Student Packet Tracer Manual

CCNA Security 1.0 Student Packet Tracer Manual 1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

More information

VPN Auto Provisioning

VPN Auto Provisioning VPN Auto Provisioning You can configure various types of IPsec VPN policies, such as site-to-site policies, including GroupVPN, and route-based policies. For specific details on the setting for these kinds

More information

Junos Security Bundle, JSEC & AJSEC

Junos Security Bundle, JSEC & AJSEC Junos Security Bundle, JSEC & AJSEC COURSE OVERVIEW: This bundle combines JSEC & AJSEC at a discounted rate. Please Contact SLI to purchase this bundle. This five-day course covers the configuration, operation,

More information

ppp accounting through quit

ppp accounting through quit ppp accounting through quit ppp accounting, page 3 ppp authentication, page 5 ppp authentication ms-chap-v2, page 9 ppp authorization, page 11 ppp chap hostname, page 13 ppp chap password, page 15 ppp

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series Security Command Reference Part number: 5998-6695 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015 Hewlett-Packard

More information

Access Rules. Controlling Network Access

Access Rules. Controlling Network Access This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent

More information

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version ACE Exam Question 1 of 50. Traffic going to a public IP address is being translated by your Palo Alto Networks firewall to your

More information

Managing External Identity Sources

Managing External Identity Sources CHAPTER 5 The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other

More information

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS The RADIUS security system is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication

More information

WiNG 5.x How-To Guide

WiNG 5.x How-To Guide WiNG 5.x How-To Guide Tunneling Remote Traffic using L2TPv3 Part No. TME-08-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola

More information

Configuring RADIUS Servers

Configuring RADIUS Servers CHAPTER 7 This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), that provides detailed accounting information and flexible administrative control over

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Multichassis Link Aggregation on a QFX Series Switch Release NCE 64 Modified: 2016-08-01 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089

More information

Setting Up the Sensor

Setting Up the Sensor CHAPTER 4 This chapter provides information for setting up the sensor. This chapter contains the following sections: Understanding Initialization, page 4-1 Configuring Network Settings, page 4-1 Configuring

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces. 2016 Cisco and/or its affiliates. All

More information

STRM Log Manager Administration Guide

STRM Log Manager Administration Guide Security Threat Response Manager STRM Log Manager Administration Guide Release 2010.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2011-10-10

More information

QoS: Per-Session Shaping and Queuing on LNS

QoS: Per-Session Shaping and Queuing on LNS QoS: Per-Session Shaping and Queuing on LNS First Published: February 28, 2006 The QoS: Per-Session Shaping and Queuing on LNS feature provides the ability to shape (for example, transmit or drop) or queue

More information

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager DEPLOYMENT GUIDE Version 1.1 DNS Traffic Management using the BIG-IP Local Traffic Manager Table of Contents Table of Contents Introducing DNS server traffic management with the BIG-IP LTM Prerequisites

More information

upgrade-mp through xlate-bypass Commands

upgrade-mp through xlate-bypass Commands CHAPTER 33 upgrade-mp To upgrade the maintenance partition software, use the upgrade-mp command. upgrade-mp {http[s]://[user:password@]server[:port]/pathname tftp[://server/pathname]} tftp http[s] server

More information

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window 9. Security DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Port Security 802.1X AAA RADIUS TACACS IMPB DHCP Server Screening ARP Spoofing Prevention MAC Authentication Web-based

More information

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

L2TP Network Server. LNS Service Operation

L2TP Network Server. LNS Service Operation This chapter describes the support for Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) functionality on Cisco ASR 5500 chassis and explains how it is configured. The product Administration Guides

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Example: Configuring a Policy-Based Site-to-Site VPN using J-Web

Example: Configuring a Policy-Based Site-to-Site VPN using J-Web Example: Configuring a Policy-Based Site-to-Site VPN using J-Web Last updated: 7/2013 This configuration example shows how to configure a policy-based IPsec VPN to allow data to be securely transferred

More information

Junos OS. IDP Series Appliance to SRX Series Services Gateway Migration Guide. Modified: Copyright 2017, Juniper Networks, Inc.

Junos OS. IDP Series Appliance to SRX Series Services Gateway Migration Guide. Modified: Copyright 2017, Juniper Networks, Inc. Junos OS IDP Series Appliance to SRX Series Services Gateway Migration Guide Modified: 2017-11-15 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Configuring NAT for IP Address Conservation

Configuring NAT for IP Address Conservation This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

Configuring RADIUS and TACACS+

Configuring RADIUS and TACACS+ 28 CHAPTER The authentication, authorization, and accounting (AAA) mechanism verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches

More information

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved.  Worldwide Education Services Junos Security Chapter 8: IPsec VPNs 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter, you will

More information

Configuring Security Features on an External AAA Server

Configuring Security Features on an External AAA Server CHAPTER 3 Configuring Security Features on an External AAA Server The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users

More information

Finding Feature Information

Finding Feature Information This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about

More information

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version ACE Exam Question 1 of 50. Which of the following statements is NOT True regarding a Decryption Mirror interface? Supports SSL outbound

More information

F5 BIG-IQ Centralized Management: Local Traffic & Network. Version 5.2

F5 BIG-IQ Centralized Management: Local Traffic & Network. Version 5.2 F5 BIG-IQ Centralized Management: Local Traffic & Network Version 5.2 Table of Contents Table of Contents BIG-IQ Local Traffic & Network: Overview... 5 What is Local Traffic & Network?... 5 Understanding

More information