Send redback-nsp mailing list submissions to redback-nsp@puck.nether.net
To subscribe or unsubscribe via the World Wide Web, visit https://puck.nether.net/mailman/listinfo/redback-nsp or, via email, send a message with subject or body 'help' to redback-nsp-requ...@puck.nether.net You can reach the person managing the list at redback-nsp-ow...@puck.nether.net When replying, please edit your Subject line so it is more specific than "Re: Contents of redback-nsp digest..." Today's Topics: 1. Re: Questions about global subscriber authentication (Marcin Kuczera) ---------------------------------------------------------------------- Message: 1 Date: Mon, 16 Apr 2018 18:47:56 +0200 From: Marcin Kuczera <mar...@leon.pl> To: redback-nsp@puck.nether.net Subject: Re: [rbak-nsp] Questions about global subscriber authentication Message-ID: <7b31f95c-09c8-f22a-d8d7-a2e55bac2...@leon.pl> Content-Type: text/plain; charset="utf-8" On 2018-04-16 11:36, Johan Mulder wrote: > Hi, > > I'm currently looking into a setup on a Redback SE1200 in which > subscribers should be moved into separate contexts, depending on the > value of the Context radius attribute. > The situation is like this: > * Customer A and B should both have dedicated contexts in which > subscribers should be terminated. > * There's a bunch of vlans in which PPP subscriber traffic is delivered. > * There's another bunch of vlans in which DHCP subscriber traffic is > delivered. > > The PPP configuration doesn't exist yet, but the DHCP configuration > does. DHCP subscribers are already > bound to a dedicated context (through service clips dhcp context ctx > in dot1q pvc on-demand vlan X to Y), and that should not change. Also, > every > non-global context should have it's own radius server configuration to > authenticate users against. > > So as I said there are vlans in which PPP subscriber traffic is > delivered. I radius it is known which context a user should be routed to > based on the information in the PADI tag (which I assume is included > in the authentication request). > I know it is possible to configure global radius aaa through 'aaa > global authentication subscriber radius context local'. My questions are: > 1. When enabling global aaa authentication, will this authenticate the > DHCP subscribers as well (as in all subscribers in all vlans), even > though they are explicitely bound to a context? As far as I remember - yes > 2. Is it possible to globally authenticate PPP users, and delegate > additional authentication to an aaa configuration in the context where > the user will be bound to? > ?(so basically that means the router should authenticate a user twice, > first one in the local context, second one in the bound context) In my opinion - no, but you might try in lab if this will work (signe aaa operation) Maybe global will be used for all context without explicit radius configuration, and context aaa for all contexts with explicit radius. Marcin > > Thanks. > > -- > Johan Mulder > Cambrium BV > > > _______________________________________________ > redback-nsp mailing list > redback-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/redback-nsp -- Marcin Kuczera / Wiceprezes Zarz?du / CTO +48 32 440 80 71/ marcin.kucz...@leon.pl <mailto:marcin.kucz...@leon.pl> Leon Sp. z o.o. ul. Kili?skiego 33d, 44-200 Rybnik http://www.leon.pl/ INTERNET | TELEWIZJA | TELEFON KRS 0000223101 S?d Rejonowy w Gliwicach Kapita? zak?adowy 576.700 z? NIP: 6332068698 -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://puck.nether.net/pipermail/redback-nsp/attachments/20180416/d6c7438d/attachment-0001.html> ------------------------------ Subject: Digest Footer _______________________________________________ redback-nsp mailing list redback-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/redback-nsp ------------------------------ End of redback-nsp Digest, Vol 117, Issue 3 *******************************************