Send redback-nsp mailing list submissions to
redback-nsp@puck.nether.net
To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/redback-nsp
or, via email, send a message with subject or body 'help' to
redback-nsp-requ...@puck.nether.net
You can reach the person managing the list at
redback-nsp-ow...@puck.nether.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of redback-nsp digest..."
Today's Topics:
1. Re: Questions about global subscriber authentication
(Marcin Kuczera)
----------------------------------------------------------------------
Message: 1
Date: Mon, 16 Apr 2018 18:47:56 +0200
From: Marcin Kuczera <mar...@leon.pl>
To: redback-nsp@puck.nether.net
Subject: Re: [rbak-nsp] Questions about global subscriber
authentication
Message-ID: <7b31f95c-09c8-f22a-d8d7-a2e55bac2...@leon.pl>
Content-Type: text/plain; charset="utf-8"
On 2018-04-16 11:36, Johan Mulder wrote:
> Hi,
>
> I'm currently looking into a setup on a Redback SE1200 in which
> subscribers should be moved into separate contexts, depending on the
> value of the Context radius attribute.
> The situation is like this:
> * Customer A and B should both have dedicated contexts in which
> subscribers should be terminated.
> * There's a bunch of vlans in which PPP subscriber traffic is delivered.
> * There's another bunch of vlans in which DHCP subscriber traffic is
> delivered.
>
> The PPP configuration doesn't exist yet, but the DHCP configuration
> does. DHCP subscribers are already
> bound to a dedicated context (through service clips dhcp context ctx
> in dot1q pvc on-demand vlan X to Y), and that should not change. Also,
> every
> non-global context should have it's own radius server configuration to
> authenticate users against.
>
> So as I said there are vlans in which PPP subscriber traffic is
> delivered. I radius it is known which context a user should be routed to
> based on the information in the PADI tag (which I assume is included
> in the authentication request).
> I know it is possible to configure global radius aaa through 'aaa
> global authentication subscriber radius context local'. My questions are:
> 1. When enabling global aaa authentication, will this authenticate the
> DHCP subscribers as well (as in all subscribers in all vlans), even
> though they are explicitely bound to a context?
As far as I remember - yes
> 2. Is it possible to globally authenticate PPP users, and delegate
> additional authentication to an aaa configuration in the context where
> the user will be bound to?
> ?(so basically that means the router should authenticate a user twice,
> first one in the local context, second one in the bound context)
In my opinion - no, but you might try in lab if this will work (signe
aaa operation)
Maybe global will be used for all context without explicit radius
configuration, and context aaa for all contexts with explicit radius.
Marcin
>
> Thanks.
>
> --
> Johan Mulder
> Cambrium BV
>
>
> _______________________________________________
> redback-nsp mailing list
> redback-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
--
Marcin Kuczera / Wiceprezes Zarz?du / CTO
+48 32 440 80 71/ marcin.kucz...@leon.pl <mailto:marcin.kucz...@leon.pl>
Leon Sp. z o.o.
ul. Kili?skiego 33d, 44-200 Rybnik
http://www.leon.pl/
INTERNET | TELEWIZJA | TELEFON
KRS 0000223101 S?d Rejonowy w Gliwicach
Kapita? zak?adowy 576.700 z?
NIP: 6332068698
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://puck.nether.net/pipermail/redback-nsp/attachments/20180416/d6c7438d/attachment-0001.html>
------------------------------
Subject: Digest Footer
_______________________________________________
redback-nsp mailing list
redback-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/redback-nsp
------------------------------
End of redback-nsp Digest, Vol 117, Issue 3
*******************************************
