[rbak-nsp] CLIPS session in context depending on RADIUS
Stefano Rapari
s.rapari at gmail.com
Tue Dec 21 13:11:33 EST 2010
Hi Arjan,
for binding to a different context, you need to use global authentication.
In summary, change the following:

aaa global authentication subscriber radius context local
context local
 aaa authentication subscriber global

If that doesn't work, could you please post the "show subscriber active" for this subscriber?
Thanks
Stefano
On Dec 21, 2010, at 3:30 PM, Arjan Van Der Oest wrote:
> Hi,
>
> I'm fairly new to the Redback platform. I'm trying to set up dynamic CLIPS. I'm receiving DSL customers from my telco via a single VLAN (I know, don't ask...), they will set option82 with a unique key for each customer.
>
> The current config is straightforward:
>
> aaa global authentication subscriber radius context local
> !
> !
> service multiple-contexts
> !
> context local
> !
>  aaa authentication subscriber radius
> !
>  radius server <bla> encrypted-key <bla>
> !
>  subscriber default
>   dhcp max-addrs 1
> !
>  interface kpn-wba-dhcp multibind
>   ip address 94.247.1.1/24
>   ip address 94.247.2.1/24 secondary
>   dhcp server interface
> !
>  dhcp server policy
>   default-lease-time 1800
>   maximum-lease-time 3600
>   subnet 94.247.1.0/24
>    range 94.247.1.2 94.247.1.254
>    option router 94.247.1.1
>    option domain-name-server 8.8.8.8 4.4.4.4
>   subnet 94.247.2.0/24
>    range 94.247.2.2 94.247.2.254
>    option router 94.247.2.1
>    option domain-name-server 8.8.8.8 4.4.4.4
> !
> port ethernet 2/3
>  description NH-CES-ETH1-7
>  no shutdown
>  encapsulation dot1q
>  dot1q pvc 2001
>   service clips dhcp source-mac context local
>
> This works together with this RADIUS config:
>
> DEFAULT Auth-Type := Accept, Agent-Remote-Id == "PILOT"
>         Service-Type = Outbound-User,
>         Framed-IP-Address = 94.247.2.2,
>         Framed-IP-Netmask = 255.255.255.0,
>         Framed-Route = "94.247.3.0/24",
>         DHCP_Max_Leases = 1
>
> Session is up and running, the record is matched on the Agent-Remote-ID, regardless of the MAC address (the way I want it).
>
> Now I'm trying to redirect this CLIPS session to a second instance. So I've configured a context identical to local (testvpn) and I added "Context-Name = testvpn" to RADIUS. But somehow the Redback still tries to bind it to local. When I change the Framed-IP-Address (for example 192.168.1.1) then it fails to bind the clips, because this IP is obviously not present in local (but I've actually added it to the testvpn context).
>
> What am I missing here? Fingerpoints are appreciated.
>
> --
> Kind regards,
>
> Arjan van der Oest
> Senior Network & Systems Engineer / Security Officer
>
> Voiceworks BV - Editiestraat 29 - 1321 NG Almere
> Mobile : (+31) (0)36 7600 197
> Voiceworks, winner of the Gouden FD Gazelle Award 2010 http://bit.ly/eksf8V
>
>
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp