[rbak-nsp] context limitation on dot1q pvc with clips
Илья Савин
savin at orn.ru
Sat Aug 1 05:53:55 EDT 2009
Hi, Marcin.
You can use the NAS-Port-Id RADIUS attribute to find out the subscriber's VLAN:
NAS-Port-Id = "2/2 vlan-id 15 clips 201209"
Just put the line
radius attribute nas-port-id format all
in your config.
If you want to know the circuit-ID of the originator, you must enable DHCP
relay with option 82 on your switches. In this case the Agent-Remote-Id and
Agent-Circuit-Id fields will be sent to RADIUS. From Agent-Circuit-Id you
can extract the subscriber's VLAN and the subscriber's port (on the switch with
DHCP relay); from Agent-Remote-Id you can extract the MAC address of that
switch. So, if all your subscribers are connected to "smart" switches that have
the DHCP relay with option 82 function, you can authorize your subscribers not only
on MAC or VLAN, but also on the switch MAC address and port number that the
subscriber is connected to.
WBR, Ilya Savin.
-----Original Message-----
From: redback-nsp-bounces at puck.nether.net
[mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Marcin Kuczera
Sent: Friday, July 31, 2009 5:26 PM
To: redback-nsp at puck.nether.net
Subject: [rbak-nsp] context limitation on dot1q pvc with clips
Hello,
is it possible to create some service filter that will disallow a
particular dynamic circuit from a particular dot1q PVC from being bound to a
context outside the list?
let's say:
dot1q pvc 11 encapsulation multi
bind interface vlan11 clips
service clips dhcp context clips
In this case interface vlan11 in context clips is used for
authentication, but if RADIUS reports "bind to interface "x" in context
"y" with IP address "z"", this will happen (tested).
I have authorization based only on MAC address, so in this case if
someone steals another MAC from another dot1q PVC, they will be able to
attach to another context.
I know that this should be possible via RADIUS, to take into
consideration the circuit-ID of the originator and allow only particular
contexts from a particular list of circuits, but can I do it at the SEOS
level???
Regards,
Marcin
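The check Ilya describes, as an added example that is not code from either post or from the Redback/SEOS platform: parse the subscriber's VLAN from NAS-Port-Id and the relay switch port from DHCP option 82, then accept the context RADIUS wants to bind only if it is allowed for that access circuit. The option 82 byte layouts (Agent-Circuit-Id as type=0, len=4, vlan, module, port; Agent-Remote-Id as a raw 6-byte MAC) are assumptions, as vendors differ; the policy tables are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional, Set, Tuple

# Added example, not code from the list post; see the lead-in for assumptions.
NAS_PORT_ID_RE = re.compile(r"^(\d+)/(\d+) vlan-id (\d+) clips (\d+)$")

@dataclass(frozen=True)
class Circuit:
    slot: int
    port: int
    vlan: int
    clips_id: int

def parse_nas_port_id(value: str) -> Circuit:
    """Parse the 'slot/port vlan-id N clips M' form quoted in the reply."""
    m = NAS_PORT_ID_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected NAS-Port-Id: {value!r}")
    slot, port, vlan, clips_id = (int(x) for x in m.groups())
    return Circuit(slot, port, vlan, clips_id)

def parse_circuit_id(raw: bytes) -> Tuple[int, int, int]:
    """Decode option-82 Agent-Circuit-Id as (vlan, module, port). Assumes the
    common type=0, len=4 layout: vlan (2 bytes), module (1), port (1)."""
    if len(raw) != 6 or raw[0] != 0 or raw[1] != 4:
        raise ValueError("unsupported Agent-Circuit-Id layout")
    return int.from_bytes(raw[2:4], "big"), raw[4], raw[5]

def parse_remote_id(raw: bytes) -> str:
    """Decode Agent-Remote-Id as the relay switch MAC (assumed: 6 raw bytes)."""
    if len(raw) != 6:
        raise ValueError("expected a 6-byte MAC in Agent-Remote-Id")
    return ":".join(f"{b:02x}" for b in raw)

def authorize_context(nas_port_id: str, requested: str, by_vlan: Mapping[int, Set[str]],
                      opt82: Optional[Tuple[bytes, bytes]] = None,
                      by_port: Optional[Mapping[Tuple[str, int], Set[str]]] = None) -> bool:
    """Accept the context RADIUS wants to bind only if it is allowed for the VLAN
    the request arrived on; with option 82, the switch MAC + port must agree too.
    A MAC copied from another dot1q PVC therefore cannot reach a foreign context."""
    vlan = parse_nas_port_id(nas_port_id).vlan
    if requested not in by_vlan.get(vlan, set()):
        return False
    if opt82 is not None and by_port is not None:
        circuit_id, remote_id = opt82
        _, _, sw_port = parse_circuit_id(circuit_id)
        return requested in by_port.get((parse_remote_id(remote_id), sw_port), set())
    return True
```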
_______________________________________________
redback-nsp mailing list
redback-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/redback-nsp