[rbak-nsp] Redback as a LAC

Tomas Lynch tomas.lynch at gmail.com
Thu Dec 11 15:01:17 EST 2014 

Dermont,

If you remove as is the "context local" from the binding your customer
won't authenticate. Thus, before removing that you have to:

1) collect all the domains your subscribers have, let say they are
domain1.net, domain2.net and whatever.com
2) using the domain command, add those domains to the context local as follows:
    context local
     domain domain1.net
     domain domain2.net
     domain whatever.com
3) configure your LAC context with the domain you want to L2TP to an
LNS following the configuration you've read from older emails
4) remove the "context local" keywork from the binding. To remove that
keyword you have to rebind your port and therefore all the current
customers using that VLAN10 will go down and they need to
reauthenticate after you setup the bind again. the commands are

no bind authentication chap context local maximum 10
bind authentication chap maximum 10

So please do this configuration change in a maintenance window if possible.

With that config the SE will redirect each domain to its correspondent context.

Tomás

On Thu, Dec 11, 2014 at 2:17 PM, Dermot Williams
<dermot.williams at imaginegroup.ie> wrote:
> Hi Tomas,
>
> This is what I have:
>
>  dot1q pvc 10 encapsulation multi
>   circuit protocol pppoe
>    bind authentication chap context local maximum 10
>
> are you suggesting that I remove the context from the bind auth... line?
> What impact will that have on my existing subscribers?
>
> Thanks,
>
> Dermot
>
> IP Engineering Manager
> Imagine Communications Group Ltd.
>
> On 11 December 2014 at 16:50, Tomas Lynch <tomas.lynch at gmail.com> wrote:
>>
>> Dermont,
>>
>> Verify your port/vlan configuration, if you have the binding pointing
>> to context local then all the subscribers independent of the realm
>> will try to authenticate in context local.
>>
>> You should have something like the following (please do not copy and
>> paste since some commands maybe wrong):
>>
>>
>> context local
>> domain domain1
>> domain domain2
>> !whatever you have here for example
>> aaa authentication subscribers radius
>> radius server 3.3.3.3 key djsjsi98d9id
>>
>> interface pppoesubscribers multibind
>>  ip address 10.0.0.1/24
>> ip pool 10.0.0.0/24
>>
>> subscribers default
>> ip pool
>> !
>> !
>> context customers-lac
>> aaa authentication subscribers none
>> l2tp peer name LNS-the-other-side media udp remote 1.1.1.1 local 2.2.2.2
>> domain nameoftheLNSdomain
>> !
>> subscriber default
>> tunnel-domain
>> !
>> !end of context
>> port ethernet 1/2
>> encap dot1q
>> dot1q pvc 100 encap pppoe
>> bind authentication pap chap
>> !endofconfig
>>
>> The trick then is in the binding without context if you have a
>> customer user at domain1 is going to authenticate against 3.3.3.3 in
>> context local; a user at nameoftheLNSdomain is going to pppoe against
>> your lac and the ppp to the lns.
>>
>> Tomas Lynch
>>
>>
>>
>>
>> On Wed, Dec 10, 2014 at 11:12 PM, Yury Shefer <shefys at gmail.com> wrote:
>> > Hello,
>> >
>> > May I ask you to share yours access port/dot1q pvc/circuit
>> > configuration?
>> >
>> > On Wed, Dec 10, 2014 at 4:07 PM, Dermot Williams
>> > <dermot.williams at imaginegroup.ie> wrote:
>> >>
>> >> Hi Soe,
>> >>
>> >> Not at present but I'm not expecting it to come up until I have my
>> >> subscribers going into the right context.
>> >>
>> >> Regards,
>> >>
>> >> Dermot
>> >>
>> >> IP Engineering Manager
>> >> Imagine Communications Group Ltd.
>> >>
>> >> On 10 December 2014 at 16:31, Soe Prapti <prapti.soe at gmail.com> wrote:
>> >>>
>> >>> Hi William,
>> >>>
>> >>> Is your tunnel established ? example like this :
>> >>>
>> >>> show l2tp summary
>> >>>
>> >>> Context Name         Peer Name            Local Name           Count
>> >>> Count
>> >>> -------------------- -------------------- -------------------- -----
>> >>> -----
>> >>> local                            ABC                           123
>> >>> 1               0
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On Wed, Dec 10, 2014 at 10:29 PM, Dermot Williams
>> >>> <dermot.williams at imaginegroup.ie> wrote:
>> >>>>
>> >>>> Hi list,
>> >>>>
>> >>>> I have some subscribers coming in over PPPoE, some of whom I need to
>> >>>> forward over an L2TP tunnel to an LNS on another provider's network.
>> >>>> These
>> >>>> subscribers are identified by their realm. I've got a context
>> >>>> configured for
>> >>>> this realm/domain - it's basically the same as the config outlined
>> >>>> here:
>> >>>>
>> >>>> https://puck.nether.net/pipermail/redback-nsp/2013-September/001576.html
>> >>>>
>> >>>> The problem I have is that when my test subscriber's PPPoE session
>> >>>> comes
>> >>>> into the local context, the Redback tries to authenticate against my
>> >>>> RADIUS
>> >>>> servers (which fails, obviously) instead of binding the subscriber to
>> >>>> the
>> >>>> context that I've defined for that domain.
>> >>>>
>> >>>> Is there something that I need to configure in the local context to
>> >>>> make
>> >>>> it bind sessions for these subscribers to the correct context?
>> >>>>
>> >
>> > --
>> > Best regards,
>> > Yury.
>> >
>> > _______________________________________________
>> > redback-nsp mailing list
>> > redback-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/redback-nsp
>> >
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>

More information about the redback-nsp mailing list