JUNOSe 7.2.x Policy Management Configuration Guide
166 Configuring RADIUS-Based Mirroring
You add the trigger to the RADIUS record of the user whose traffic will be mirrored.
In addition, you must include the RADIUS VSAs listed in Table 29 in the mirrored
user’s RADIUS record.
A Mirror-Action setting of 2 specifies that the router does not perform any packet
mirroring-related configuration. This setting can provide additional security by
confusing unauthorized users who attempt to access packet mirroring
communication between the router and the RADIUS server.
Dynamically Created Secure Policies
RADIUS-based packet mirroring uses dynamically created secure policies, which are
based on the RADIUS VSAs that an authorized RADIUS administrator creates. A
policy is created when the packet mirroring action is initiated at the RADIUS server,
and then applied to the interface that is dynamically created for the user. When the
mirroring operation is disabled, the secure policy is deleted.
The E-series router creates a name for the dynamically created policies—the name
consists of the string spl followed by a hexadecimal integer, such as spl_88000008.
The name is displayed by the show secure policy-list command.
Mirroring MLPPP Sessions
When you use RADIUS-based packet mirroring on MLPPP traffic, RADIUS
authentication and authorization are performed on the individual links. The
mirroring-related VSAs are returned with the RADIUS response. For user-initiated
mirroring, which starts when the user logs on, a RADIUS response is returned for
each successful authentication/authorization. For RADIUS-initiated mirroring of a
user who is already logged in, a single RADIUS request is sent for each link.
If you are mirroring an L2TP session, the packet mirroring operation is enabled
or disabled on a single link that is uniquely identified by the trigger you use (the
RADIUS attributes for Acct-Session-ID or User-Name). For tunneled MLPPP, the
individual links in the MLPPP bundle are mirrored separately. The packet
mirroring configuration fails if you use the Acct-Multi-Session-ID attribute
(RADIUS attribute 50) for the configuration.
NOTE: For IP mirroring, you must include both VSA 59 and 61 or neither. If you use
only one of these two VSAs, the configuration fails.
Table 29: RADIUS-Based Mirroring Attributes

Standard Number   Attribute Name         Setting
[26-58]           Mirror-Action          0 = disable mirroring
                                         1 = enable mirroring
                                         2 = no action
[26-59]           Mirror-Identifier      String (not null-terminated)
[26-60]           Analyzer-IP-Address    IP address of analyzer device
[26-61]           Analyzer-Port-Number   UDP port number of monitoring
                                         application in analyzer device
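As an added illustration (not code from the guide or from Juniper), the following checks a mirrored user's RADIUS record against the rules stated above (Mirror-Action values, the VSA 59/61 pairing rule from the NOTE, and the Acct-Multi-Session-ID restriction) and then lays the Table 29 VSAs out in the RFC 2865 Vendor-Specific format. The vendor ID 4874 and the 4-byte integer encoding for Mirror-Action and Analyzer-Port-Number are assumptions, not stated on this page.

```python
import ipaddress
import struct

# RFC 2865 Vendor-Specific attribute is type 26; the sub-types are the Table 29
# numbers. Vendor ID 4874 (Unisphere, used for E-series VSAs) is an assumption.
VENDOR_SPECIFIC = 26
VENDOR_ID = 4874
MIRROR_ACTION, MIRROR_IDENTIFIER, ANALYZER_IP, ANALYZER_PORT = 58, 59, 60, 61
USER_NAME, ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID = 1, 44, 50  # standard attrs


def validate_record(vsas, trigger):
    """Return a list of problems with a mirrored user's record; [] means OK.
    `vsas` maps Table 29 sub-type numbers to values; `trigger` is the standard
    attribute number used to identify the session to mirror."""
    problems = []
    if vsas.get(MIRROR_ACTION) not in (0, 1, 2):
        problems.append("Mirror-Action (26-58) must be 0, 1 or 2")
    # NOTE above: for IP mirroring, VSA 59 and VSA 61 go together or not at all.
    if (MIRROR_IDENTIFIER in vsas) != (ANALYZER_PORT in vsas):
        problems.append("VSA 59 and VSA 61 must both be present or both absent")
    # Acct-Multi-Session-ID (50) cannot identify a link; the configuration fails.
    if trigger == ACCT_MULTI_SESSION_ID:
        problems.append("Acct-Multi-Session-ID (50) is not a valid trigger")
    elif trigger not in (USER_NAME, ACCT_SESSION_ID):
        problems.append("trigger must be User-Name (1) or Acct-Session-ID (44)")
    return problems


def encode_vsa(sub_type, value):
    """Encode one Table 29 VSA in RFC 2865 Vendor-Specific layout:
    type(26) length vendor-id(4) | vendor-type vendor-length value."""
    if sub_type == MIRROR_IDENTIFIER:
        payload = value.encode("ascii")          # string, not null-terminated
    elif sub_type == ANALYZER_IP:
        payload = ipaddress.IPv4Address(value).packed
    else:                                        # Mirror-Action, Analyzer-Port-Number
        payload = struct.pack(">I", value)       # 4-byte integer (assumed encoding)
    vendor_part = struct.pack(">BB", sub_type, 2 + len(payload)) + payload
    return struct.pack(">BBI", VENDOR_SPECIFIC, 6 + len(vendor_part), VENDOR_ID) + vendor_part


def build_record(vsas, trigger):
    """Validate first, then return the concatenated VSA bytes for the reply."""
    problems = validate_record(vsas, trigger)
    if problems:
        raise ValueError("; ".join(problems))
    return b"".join(encode_vsa(t, v) for t, v in sorted(vsas.items()))


# Constructed sample record: enable mirroring toward analyzer 192.0.2.10:7777.
SAMPLE = {MIRROR_ACTION: 1, MIRROR_IDENTIFIER: "mirror-42",
          ANALYZER_IP: "192.0.2.10", ANALYZER_PORT: 7777}
```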