Send redback-nsp mailing list submissions to

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to

You can reach the person managing the list at

When replying, please edit your Subject line so it is more specific
than "Re: Contents of redback-nsp digest..."

Today's Topics:

   1. Questions about global subscriber authentication (Johan Mulder)


Message: 1
Date: Mon, 16 Apr 2018 11:36:33 +0200
From: Johan Mulder <>
Subject: [rbak-nsp] Questions about global subscriber authentication
Message-ID: <>
Content-Type: text/plain; charset="utf-8"


I'm currently looking into a setup on a Redback SE1200 in which
subscribers should be moved into separate contexts, depending on the
value of the Context radius attribute.
The situation is like this:
* Customer A and B should both have dedicated contexts in which
subscribers should be terminated.
* There's a bunch of vlans in which PPP subscriber traffic is delivered.
* There's another bunch of vlans in which DHCP subscriber traffic is

The PPP configuration doesn't exist yet, but the DHCP configuration
does. DHCP subscribers are already
bound to a dedicated context (through service clips dhcp context ctx in
dot1q pvc on-demand vlan X to Y), and that should not change. Also, every
non-global context should have it's own radius server configuration to
authenticate users against.

So as I said there are vlans in which PPP subscriber traffic is
delivered. I radius it is known which context a user should be routed to
based on the information in the PADI tag (which I assume is included in
the authentication request).
I know it is possible to configure global radius aaa through 'aaa global
authentication subscriber radius context local'. My questions are:
1. When enabling global aaa authentication, will this authenticate the
DHCP subscribers as well (as in all subscribers in all vlans), even
though they are explicitely bound to a context?
2. Is it possible to globally authenticate PPP users, and delegate
additional authentication to an aaa configuration in the context where
the user will be bound to?
?(so basically that means the router should authenticate a user twice,
first one in the local context, second one in the bound context)


Johan Mulder
Cambrium BV

-------------- next part --------------
An HTML attachment was scrubbed...


Subject: Digest Footer

redback-nsp mailing list


End of redback-nsp Digest, Vol 117, Issue 2

Reply via email to