[rbak-nsp] Redback as a LAC

Tomas Lynch tomas.lynch at gmail.com
Thu Dec 11 16:46:58 EST 2014


Then use "aaa last-resort context local" for those without domain or
with unknown domain.

On Thu, Dec 11, 2014 at 4:14 PM, Dermot Williams
<dermot.williams at imaginegroup.ie> wrote:
> That's going to cause a bit of a headache for me since we aren't using
> domains for some of our subscribers. Might have to go back to the drawing
> board on this one!
>
> Thanks,
>
> Dermot
>
> IP Engineering Manager
> Imagine Communications Group Ltd.
>
> On 11 December 2014 at 20:01, Tomas Lynch <tomas.lynch at gmail.com> wrote:
>>
>> Dermot,
>>
>> If you remove the "context local" from the binding as is, your customer
>> won't authenticate. Thus, before removing that, you have to:
>>
>> 1) collect all the domains your subscribers have, let's say they are
>> domain1.net, domain2.net and whatever.com
>> 2) using the domain command, add those domains to the context local as
>> follows:
>>     context local
>>      domain domain1.net
>>      domain domain2.net
>>      domain whatever.com
>> 3) configure your LAC context with the domain you want to L2TP to an
>> LNS following the configuration you've read from older emails
>> 4) remove the "context local" keyword from the binding. To remove that
>> keyword you have to rebind your port and therefore all the current
>> customers using that VLAN10 will go down and they need to
>> reauthenticate after you set up the bind again. The commands are:
>>
>> no bind authentication chap context local maximum 10
>> bind authentication chap maximum 10
>>
>> So please do this configuration change in a maintenance window if
>> possible.
>>
>> With that config the SE will redirect each domain to its corresponding
>> context.
>>
>> Tomás
>>
>> On Thu, Dec 11, 2014 at 2:17 PM, Dermot Williams
>> <dermot.williams at imaginegroup.ie> wrote:
>> > Hi Tomas,
>> >
>> > This is what I have:
>> >
>> >  dot1q pvc 10 encapsulation multi
>> >   circuit protocol pppoe
>> >    bind authentication chap context local maximum 10
>> >
>> > are you suggesting that I remove the context from the bind auth... line?
>> > What impact will that have on my existing subscribers?
>> >
>> > Thanks,
>> >
>> > Dermot
>> >
>> > IP Engineering Manager
>> > Imagine Communications Group Ltd.
>> >
>> > On 11 December 2014 at 16:50, Tomas Lynch <tomas.lynch at gmail.com> wrote:
>> >>
>> >> Dermot,
>> >>
>> >> Verify your port/vlan configuration. If you have the binding pointing
>> >> to context local then all the subscribers, independent of the realm,
>> >> will try to authenticate in context local.
>> >>
>> >> You should have something like the following (please do not copy and
>> >> paste since some commands may be wrong):
>> >>
>> >>
>> >> context local
>> >> domain domain1
>> >> domain domain2
>> >> !whatever you have here for example
>> >> aaa authentication subscribers radius
>> >> radius server 3.3.3.3 key djsjsi98d9id
>> >>
>> >> interface pppoesubscribers multibind
>> >>  ip address 10.0.0.1/24
>> >> ip pool 10.0.0.0/24
>> >>
>> >> subscribers default
>> >> ip pool
>> >> !
>> >> !
>> >> context customers-lac
>> >> aaa authentication subscribers none
>> >> l2tp peer name LNS-the-other-side media udp remote 1.1.1.1 local 2.2.2.2
>> >> domain nameoftheLNSdomain
>> >> !
>> >> subscriber default
>> >> tunnel-domain
>> >> !
>> >> !end of context
>> >> port ethernet 1/2
>> >> encap dot1q
>> >> dot1q pvc 100 encap pppoe
>> >> bind authentication pap chap
>> >> !endofconfig
>> >>
>> >> The trick then is in the binding without context: a customer
>> >> user at domain1 is going to authenticate against 3.3.3.3 in
>> >> context local; a user at nameoftheLNSdomain is going to pppoe against
>> >> your lac and the ppp to the lns.
>> >>
>> >> Tomas Lynch
>> >>
>> >>
>> >>
>> >>
>> >> On Wed, Dec 10, 2014 at 11:12 PM, Yury Shefer <shefys at gmail.com> wrote:
>> >> > Hello,
>> >> >
>> >> > May I ask you to share your access port/dot1q pvc/circuit
>> >> > configuration?
>> >> >
>> >> > On Wed, Dec 10, 2014 at 4:07 PM, Dermot Williams
>> >> > <dermot.williams at imaginegroup.ie> wrote:
>> >> >>
>> >> >> Hi Soe,
>> >> >>
>> >> >> Not at present but I'm not expecting it to come up until I have my
>> >> >> subscribers going into the right context.
>> >> >>
>> >> >> Regards,
>> >> >>
>> >> >> Dermot
>> >> >>
>> >> >> IP Engineering Manager
>> >> >> Imagine Communications Group Ltd.
>> >> >>
>> >> >> On 10 December 2014 at 16:31, Soe Prapti <prapti.soe at gmail.com>
>> >> >> wrote:
>> >> >>>
>> >> >>> Hi William,
>> >> >>>
>> >> >>> Is your tunnel established? Example like this:
>> >> >>>
>> >> >>> show l2tp summary
>> >> >>>
>> >> >>> Context Name         Peer Name            Local Name           Count Count
>> >> >>> -------------------- -------------------- -------------------- ----- -----
>> >> >>> local                ABC                  123                  1     0
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> On Wed, Dec 10, 2014 at 10:29 PM, Dermot Williams
>> >> >>> <dermot.williams at imaginegroup.ie> wrote:
>> >> >>>>
>> >> >>>> Hi list,
>> >> >>>>
>> >> >>>> I have some subscribers coming in over PPPoE, some of whom I need to
>> >> >>>> forward over an L2TP tunnel to an LNS on another provider's network.
>> >> >>>> These subscribers are identified by their realm. I've got a context
>> >> >>>> configured for this realm/domain - it's basically the same as the
>> >> >>>> config outlined here:
>> >> >>>>
>> >> >>>>
>> >> >>>> https://puck.nether.net/pipermail/redback-nsp/2013-September/001576.html
>> >> >>>>
>> >> >>>> The problem I have is that when my test subscriber's PPPoE session
>> >> >>>> comes into the local context, the Redback tries to authenticate
>> >> >>>> against my RADIUS servers (which fails, obviously) instead of
>> >> >>>> binding the subscriber to the context that I've defined for that
>> >> >>>> domain.
>> >> >>>>
>> >> >>>> Is there something that I need to configure in the local context to
>> >> >>>> make it bind sessions for these subscribers to the correct context?
>> >> >>>>
>> >> >
>> >> > --
>> >> > Best regards,
>> >> > Yury.
>> >> >
>> >> >
>> >>
>> >> --
>> >> This message has been scanned for viruses and
>> >> dangerous content by MailScanner, and is
>> >> believed to be clean.
>> >>
>> >
>>
>>
>
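
A pre-change check for the procedure quoted above (collect the subscriber domains, add `domain` lines, drop the context from the binding) and for the last-resort fallback in the top reply. This is an added example, not part of the thread and not Redback code: it is a simplified model of the context selection the posters describe, and the usernames, the `lns-partner.example` realm, the `user@realm` format and case-insensitive realm matching are assumptions.

```python
from collections import Counter

def realm_of(username):
    """Return the lower-cased realm after the last '@', or None if absent."""
    _, sep, realm = username.rpartition("@")
    return realm.lower() if sep and realm else None

def audit(usernames, context_domains, last_resort=None):
    """Predict where each subscriber lands once the binding names no context.

    context_domains: {context name: set of realms given with `domain`}
    last_resort:     context named by `aaa last-resort context ...`, or None
    Returns (placement, unbound, missing): username -> context, usernames
    that match no context, and a count of realms with no `domain` line.
    """
    domain_to_ctx = {d.lower(): ctx
                     for ctx, doms in context_domains.items() for d in doms}
    placement, unbound, missing = {}, [], Counter()
    for user in usernames:
        realm = realm_of(user)
        ctx = domain_to_ctx.get(realm) if realm else None
        if ctx is None:
            if realm:
                missing[realm] += 1      # realm seen, but never configured
            ctx = last_resort            # no realm or unknown realm
        if ctx is None:
            unbound.append(user)         # would fail to bind after the change
        else:
            placement[user] = ctx
    return placement, unbound, missing

# Constructed sample data (not from the thread's network).
SUBSCRIBERS = ["alice@domain1.net", "bob@Domain2.net", "carol@whatever.com",
               "dave", "erin@typo-domain.net", "frank@lns-partner.example"]
CONTEXT_DOMAINS = {
    "local": {"domain1.net", "domain2.net", "whatever.com"},
    "customers-lac": {"lns-partner.example"},
}

if __name__ == "__main__":
    for fallback in (None, "local"):
        placement, unbound, missing = audit(SUBSCRIBERS, CONTEXT_DOMAINS, fallback)
        print(f"last-resort={fallback}: unbound={unbound} missing={dict(missing)}")
        for user, ctx in sorted(placement.items()):
            print(f"  {user} -> {ctx}")
```

Run it against the usernames of the sessions on the circuit before the maintenance window: anything listed as unbound needs either a `domain` line or the last-resort context before the bind is changed.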


