[rbak-nsp] Redback as a LAC

Dermot Williams dermot.williams at imaginegroup.ie
Fri Dec 12 10:06:45 EST 2014 

Tomas,

You are a font of knowledge - many thanks for the pointers, I will test
them over the next days.

Regards,

Dermot

IP Engineering Manager
Imagine Communications Group Ltd.

On 11 December 2014 at 21:46, Tomas Lynch <tomas.lynch at gmail.com> wrote:
>
> Then use "aaa last-resort context local" for those without domain or
> with unknown domain.
>
> On Thu, Dec 11, 2014 at 4:14 PM, Dermot Williams
> <dermot.williams at imaginegroup.ie> wrote:
> > That's going to cause a bit of a headache for me since we aren't using
> > domains for some of our subscribers. Might have to go back to the drawing
> > board on this one!
> >
> > Thanks,
> >
> > Dermot
> >
> > IP Engineering Manager
> > Imagine Communications Group Ltd.
> >
> > On 11 December 2014 at 20:01, Tomas Lynch <tomas.lynch at gmail.com> wrote:
> >>
> >> Dermont,
> >>
> >> If you remove as is the "context local" from the binding your customer
> >> won't authenticate. Thus, before removing that you have to:
> >>
> >> 1) collect all the domains your subscribers have, let say they are
> >> domain1.net, domain2.net and whatever.com
> >> 2) using the domain command, add those domains to the context local as
> >> follows:
> >>     context local
> >>      domain domain1.net
> >>      domain domain2.net
> >>      domain whatever.com
> >> 3) configure your LAC context with the domain you want to L2TP to an
> >> LNS following the configuration you've read from older emails
> >> 4) remove the "context local" keywork from the binding. To remove that
> >> keyword you have to rebind your port and therefore all the current
> >> customers using that VLAN10 will go down and they need to
> >> reauthenticate after you setup the bind again. the commands are
> >>
> >> no bind authentication chap context local maximum 10
> >> bind authentication chap maximum 10
> >>
> >> So please do this configuration change in a maintenance window if
> >> possible.
> >>
> >> With that config the SE will redirect each domain to its correspondent
> >> context.
> >>
> >> Tomás
> >>
> >> On Thu, Dec 11, 2014 at 2:17 PM, Dermot Williams
> >> <dermot.williams at imaginegroup.ie> wrote:
> >> > Hi Tomas,
> >> >
> >> > This is what I have:
> >> >
> >> >  dot1q pvc 10 encapsulation multi
> >> >   circuit protocol pppoe
> >> >    bind authentication chap context local maximum 10
> >> >
> >> > are you suggesting that I remove the context from the bind auth...
> line?
> >> > What impact will that have on my existing subscribers?
> >> >
> >> > Thanks,
> >> >
> >> > Dermot
> >> >
> >> > IP Engineering Manager
> >> > Imagine Communications Group Ltd.
> >> >
> >> > On 11 December 2014 at 16:50, Tomas Lynch <tomas.lynch at gmail.com>
> wrote:
> >> >>
> >> >> Dermont,
> >> >>
> >> >> Verify your port/vlan configuration, if you have the binding pointing
> >> >> to context local then all the subscribers independent of the realm
> >> >> will try to authenticate in context local.
> >> >>
> >> >> You should have something like the following (please do not copy and
> >> >> paste since some commands maybe wrong):
> >> >>
> >> >>
> >> >> context local
> >> >> domain domain1
> >> >> domain domain2
> >> >> !whatever you have here for example
> >> >> aaa authentication subscribers radius
> >> >> radius server 3.3.3.3 key djsjsi98d9id
> >> >>
> >> >> interface pppoesubscribers multibind
> >> >>  ip address 10.0.0.1/24
> >> >> ip pool 10.0.0.0/24
> >> >>
> >> >> subscribers default
> >> >> ip pool
> >> >> !
> >> >> !
> >> >> context customers-lac
> >> >> aaa authentication subscribers none
> >> >> l2tp peer name LNS-the-other-side media udp remote 1.1.1.1 local
> >> >> 2.2.2.2
> >> >> domain nameoftheLNSdomain
> >> >> !
> >> >> subscriber default
> >> >> tunnel-domain
> >> >> !
> >> >> !end of context
> >> >> port ethernet 1/2
> >> >> encap dot1q
> >> >> dot1q pvc 100 encap pppoe
> >> >> bind authentication pap chap
> >> >> !endofconfig
> >> >>
> >> >> The trick then is in the binding without context if you have a
> >> >> customer user at domain1 is going to authenticate against 3.3.3.3 in
> >> >> context local; a user at nameoftheLNSdomain is going to pppoe against
> >> >> your lac and the ppp to the lns.
> >> >>
> >> >> Tomas Lynch
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> On Wed, Dec 10, 2014 at 11:12 PM, Yury Shefer <shefys at gmail.com>
> wrote:
> >> >> > Hello,
> >> >> >
> >> >> > May I ask you to share yours access port/dot1q pvc/circuit
> >> >> > configuration?
> >> >> >
> >> >> > On Wed, Dec 10, 2014 at 4:07 PM, Dermot Williams
> >> >> > <dermot.williams at imaginegroup.ie> wrote:
> >> >> >>
> >> >> >> Hi Soe,
> >> >> >>
> >> >> >> Not at present but I'm not expecting it to come up until I have my
> >> >> >> subscribers going into the right context.
> >> >> >>
> >> >> >> Regards,
> >> >> >>
> >> >> >> Dermot
> >> >> >>
> >> >> >> IP Engineering Manager
> >> >> >> Imagine Communications Group Ltd.
> >> >> >>
> >> >> >> On 10 December 2014 at 16:31, Soe Prapti <prapti.soe at gmail.com>
> >> >> >> wrote:
> >> >> >>>
> >> >> >>> Hi William,
> >> >> >>>
> >> >> >>> Is your tunnel established ? example like this :
> >> >> >>>
> >> >> >>> show l2tp summary
> >> >> >>>
> >> >> >>> Context Name         Peer Name            Local Name
> >> >> >>> Count
> >> >> >>> Count
> >> >> >>> -------------------- -------------------- --------------------
> >> >> >>> -----
> >> >> >>> -----
> >> >> >>> local                            ABC
>  123
> >> >> >>> 1               0
> >> >> >>>
> >> >> >>>
> >> >> >>>
> >> >> >>>
> >> >> >>> On Wed, Dec 10, 2014 at 10:29 PM, Dermot Williams
> >> >> >>> <dermot.williams at imaginegroup.ie> wrote:
> >> >> >>>>
> >> >> >>>> Hi list,
> >> >> >>>>
> >> >> >>>> I have some subscribers coming in over PPPoE, some of whom I
> need
> >> >> >>>> to
> >> >> >>>> forward over an L2TP tunnel to an LNS on another provider's
> >> >> >>>> network.
> >> >> >>>> These
> >> >> >>>> subscribers are identified by their realm. I've got a context
> >> >> >>>> configured for
> >> >> >>>> this realm/domain - it's basically the same as the config
> outlined
> >> >> >>>> here:
> >> >> >>>>
> >> >> >>>>
> >> >> >>>>
> https://puck.nether.net/pipermail/redback-nsp/2013-September/001576.html
> >> >> >>>>
> >> >> >>>> The problem I have is that when my test subscriber's PPPoE
> session
> >> >> >>>> comes
> >> >> >>>> into the local context, the Redback tries to authenticate
> against
> >> >> >>>> my
> >> >> >>>> RADIUS
> >> >> >>>> servers (which fails, obviously) instead of binding the
> subscriber
> >> >> >>>> to
> >> >> >>>> the
> >> >> >>>> context that I've defined for that domain.
> >> >> >>>>
> >> >> >>>> Is there something that I need to configure in the local context
> >> >> >>>> to
> >> >> >>>> make
> >> >> >>>> it bind sessions for these subscribers to the correct context?
> >> >> >>>>
> >> >> >
> >> >> > --
> >> >> > Best regards,
> >> >> > Yury.
> >> >> >
> >> >> > _______________________________________________
> >> >> > redback-nsp mailing list
> >> >> > redback-nsp at puck.nether.net
> >> >> > https://puck.nether.net/mailman/listinfo/redback-nsp
> >> >> >
> >> >>
> >> >> --
> >> >> This message has been scanned for viruses and
> >> >> dangerous content by MailScanner, and is
> >> >> believed to be clean.
> >> >>
> >> >
> >>
> >> --
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.
> >>
> >
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/redback-nsp/attachments/20141212/c1ed2a6f/attachment-0001.html>

More information about the redback-nsp mailing list