[rbak-nsp] Redback as a LAC

Dermot Williams dermot.williams at imaginegroup.ie
Thu Dec 11 16:14:10 EST 2014


That's going to cause a bit of a headache for me since we aren't using
domains for some of our subscribers. Might have to go back to the drawing
board on this one!

Thanks,

Dermot

IP Engineering Manager
Imagine Communications Group Ltd.

On 11 December 2014 at 20:01, Tomas Lynch <tomas.lynch at gmail.com> wrote:

> Dermot,
>
> If you remove the "context local" from the binding as is, your customer
> won't authenticate. Thus, before removing that you have to:
>
> 1) collect all the domains your subscribers have, let's say they are
> domain1.net, domain2.net and whatever.com
> 2) using the domain command, add those domains to the context local as
> follows:
>     context local
>      domain domain1.net
>      domain domain2.net
>      domain whatever.com
> 3) configure your LAC context with the domain you want to L2TP to an
> LNS following the configuration you've read from older emails
> 4) remove the "context local" keyword from the binding. To remove that
> keyword you have to rebind your port and therefore all the current
> customers using that VLAN10 will go down and they need to
> reauthenticate after you set up the bind again. The commands are:
>
> no bind authentication chap context local maximum 10
> bind authentication chap maximum 10
>
> So please do this configuration change in a maintenance window if possible.
>
> With that config the SE will redirect each domain to its corresponding
> context.
>
> Tomás
>
> On Thu, Dec 11, 2014 at 2:17 PM, Dermot Williams
> <dermot.williams at imaginegroup.ie> wrote:
> > Hi Tomas,
> >
> > This is what I have:
> >
> >  dot1q pvc 10 encapsulation multi
> >   circuit protocol pppoe
> >    bind authentication chap context local maximum 10
> >
> > are you suggesting that I remove the context from the bind auth... line?
> > What impact will that have on my existing subscribers?
> >
> > Thanks,
> >
> > Dermot
> >
> > IP Engineering Manager
> > Imagine Communications Group Ltd.
> >
> > On 11 December 2014 at 16:50, Tomas Lynch <tomas.lynch at gmail.com> wrote:
> >>
> >> Dermot,
> >>
> >> Verify your port/vlan configuration, if you have the binding pointing
> >> to context local then all the subscribers independent of the realm
> >> will try to authenticate in context local.
> >>
> >> You should have something like the following (please do not copy and
> >> paste since some commands may be wrong):
> >>
> >>
> >> context local
> >> domain domain1
> >> domain domain2
> >> !whatever you have here for example
> >> aaa authentication subscribers radius
> >> radius server 3.3.3.3 key djsjsi98d9id
> >>
> >> interface pppoesubscribers multibind
> >>  ip address 10.0.0.1/24
> >> ip pool 10.0.0.0/24
> >>
> >> subscribers default
> >> ip pool
> >> !
> >> !
> >> context customers-lac
> >> aaa authentication subscribers none
> >> l2tp peer name LNS-the-other-side media udp remote 1.1.1.1 local 2.2.2.2
> >> domain nameoftheLNSdomain
> >> !
> >> subscriber default
> >> tunnel-domain
> >> !
> >> !end of context
> >> port ethernet 1/2
> >> encap dot1q
> >> dot1q pvc 100 encap pppoe
> >> bind authentication pap chap
> >> !endofconfig
> >>
> >> The trick then is in the binding without context: if you have a
> >> customer, user at domain1 is going to authenticate against 3.3.3.3 in
> >> context local; a user at nameoftheLNSdomain is going to pppoe against
> >> your lac and the ppp to the lns.
> >>
> >> Tomas Lynch
> >>
> >>
> >>
> >>
> >> On Wed, Dec 10, 2014 at 11:12 PM, Yury Shefer <shefys at gmail.com> wrote:
> >> > Hello,
> >> >
> >> > May I ask you to share your access port/dot1q pvc/circuit
> >> > configuration?
> >> >
> >> > On Wed, Dec 10, 2014 at 4:07 PM, Dermot Williams
> >> > <dermot.williams at imaginegroup.ie> wrote:
> >> >>
> >> >> Hi Soe,
> >> >>
> >> >> Not at present but I'm not expecting it to come up until I have my
> >> >> subscribers going into the right context.
> >> >>
> >> >> Regards,
> >> >>
> >> >> Dermot
> >> >>
> >> >> IP Engineering Manager
> >> >> Imagine Communications Group Ltd.
> >> >>
> >> >> On 10 December 2014 at 16:31, Soe Prapti <prapti.soe at gmail.com> wrote:
> >> >>>
> >> >>> Hi William,
> >> >>>
> >> >>> Is your tunnel established? Example like this:
> >> >>>
> >> >>> show l2tp summary
> >> >>>
> >> >>> Context Name         Peer Name            Local Name           Count Count
> >> >>> -------------------- -------------------- -------------------- ----- -----
> >> >>> local                ABC                  123                  1     0
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> On Wed, Dec 10, 2014 at 10:29 PM, Dermot Williams
> >> >>> <dermot.williams at imaginegroup.ie> wrote:
> >> >>>>
> >> >>>> Hi list,
> >> >>>>
> >> >>>> I have some subscribers coming in over PPPoE, some of whom I need to
> >> >>>> forward over an L2TP tunnel to an LNS on another provider's network.
> >> >>>> These subscribers are identified by their realm. I've got a context
> >> >>>> configured for this realm/domain - it's basically the same as the
> >> >>>> config outlined here:
> >> >>>>
> >> >>>> https://puck.nether.net/pipermail/redback-nsp/2013-September/001576.html
> >> >>>>
> >> >>>> The problem I have is that when my test subscriber's PPPoE session
> >> >>>> comes into the local context, the Redback tries to authenticate
> >> >>>> against my RADIUS servers (which fails, obviously) instead of binding
> >> >>>> the subscriber to the context that I've defined for that domain.
> >> >>>>
> >> >>>> Is there something that I need to configure in the local context to
> >> >>>> make it bind sessions for these subscribers to the correct context?
> >> >>>>
> >> >
> >> > --
> >> > Best regards,
> >> > Yury.
> >
>
>
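
The context selection discussed in this thread, as an added example that is not part of the original messages and not Redback code: a simplified Python model of binding with and without a context, used to audit which subscriber usernames would stop reaching a context once "context local" is removed from the bind. The context names, domains and usernames are constructed, and treating a missing or unmatched realm as a failed session is an assumption taken from the thread.

```python
# Added example: simplified model of the realm-to-context selection described
# in this thread. Not SmartEdge code; all names and sample data are constructed.

# Constructed sample: context name -> domains listed with "domain" in that context.
CONTEXTS = {
    "local": {"domain1.net", "domain2.net", "whatever.com"},
    "customers-lac": {"nameoftheLNSdomain"},
}


def realm_of(username):
    """Return the lower-cased realm after the last '@', or None if there is none."""
    name, sep, realm = username.rpartition("@")
    return realm.lower() if sep and name and realm else None


def select_context(username, contexts, bound_context=None):
    """Pick the context a session lands in.

    bound_context set   -> models 'bind authentication chap context local':
                           every session goes there regardless of realm.
    bound_context unset -> models 'bind authentication chap': the realm must
                           match a domain configured in some context.
    Returns None when nothing matches (assumed here to mean the session fails).
    Case-insensitive matching is an assumption of this sketch.
    """
    if bound_context is not None:
        return bound_context
    realm = realm_of(username)
    if realm is None:
        return None
    for ctx, domains in contexts.items():
        if realm in {d.lower() for d in domains}:
            return ctx
    return None


def audit(usernames, contexts):
    """Group usernames by the context they would reach with an unrestricted bind."""
    report = {}
    for user in usernames:
        report.setdefault(select_context(user, contexts), []).append(user)
    return report


if __name__ == "__main__":
    # Constructed subscriber names, e.g. taken from RADIUS accounting records.
    sample = ["alice@domain1.net", "bob@nameoftheLNSdomain", "carol", "dave@typo.example"]
    for ctx, users in audit(sample, CONTEXTS).items():
        print(ctx or "UNRESOLVED", users)
```

Run against the real subscriber list before the maintenance window; anything reported as UNRESOLVED is a username with no realm or a realm that no context lists.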