<div dir="ltr">That's going to cause a bit of a headache for me since we aren't using domains for some of our subscribers. Might have to go back to the drawing board on this one!<div><br></div><div>Thanks,</div><div><br></div><div>Dermot</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">IP Engineering Manager<br>Imagine Communications Group Ltd.<br></div></div></div>
<br><div class="gmail_quote">On 11 December 2014 at 20:01, Tomas Lynch <span dir="ltr"><<a href="mailto:tomas.lynch@gmail.com" target="_blank">tomas.lynch@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dermot,<br>
<br>
If you remove as is the "context local" from the binding your customer<br>
won't authenticate. Thus, before removing that you have to:<br>
<br>
1) collect all the domains your subscribers have, let's say they are<br>
<a href="http://domain1.net" target="_blank">domain1.net</a>, <a href="http://domain2.net" target="_blank">domain2.net</a> and <a href="http://whatever.com" target="_blank">whatever.com</a><br>
2) using the domain command, add those domains to the context local as follows:<br>
context local<br>
domain <a href="http://domain1.net" target="_blank">domain1.net</a><br>
domain <a href="http://domain2.net" target="_blank">domain2.net</a><br>
domain <a href="http://whatever.com" target="_blank">whatever.com</a><br>
3) configure your LAC context with the domain you want to L2TP to an<br>
LNS following the configuration you've read from older emails<br>
4) remove the "context local" keyword from the binding. To remove that<br>
keyword you have to rebind your port and therefore all the current<br>
customers using that VLAN10 will go down and they need to<br>
reauthenticate after you set up the bind again. The commands are:<br>
<br>
no bind authentication chap context local maximum 10<br>
bind authentication chap maximum 10<br>
<br>
So please do this configuration change in a maintenance window if possible.<br>
<br>
With that config the SE will redirect each domain to its corresponding context.<br>
<br>
Tomás<br>
<br>
On Thu, Dec 11, 2014 at 2:17 PM, Dermot Williams<br>
<div class="HOEnZb"><div class="h5"><<a href="mailto:dermot.williams@imaginegroup.ie">dermot.williams@imaginegroup.ie</a>> wrote:<br>
> Hi Tomas,<br>
><br>
> This is what I have:<br>
><br>
> dot1q pvc 10 encapsulation multi<br>
> circuit protocol pppoe<br>
> bind authentication chap context local maximum 10<br>
><br>
> are you suggesting that I remove the context from the bind auth... line?<br>
> What impact will that have on my existing subscribers?<br>
><br>
> Thanks,<br>
><br>
> Dermot<br>
><br>
> IP Engineering Manager<br>
> Imagine Communications Group Ltd.<br>
><br>
> On 11 December 2014 at 16:50, Tomas Lynch <<a href="mailto:tomas.lynch@gmail.com">tomas.lynch@gmail.com</a>> wrote:<br>
>><br>
>> Dermot,<br>
>><br>
>> Verify your port/vlan configuration, if you have the binding pointing<br>
>> to context local then all the subscribers independent of the realm<br>
>> will try to authenticate in context local.<br>
>><br>
>> You should have something like the following (please do not copy and<br>
>> paste since some commands may be wrong):<br>
>><br>
>><br>
>> context local<br>
>> domain domain1<br>
>> domain domain2<br>
>> !whatever you have here for example<br>
>> aaa authentication subscribers radius<br>
>> radius server 3.3.3.3 key djsjsi98d9id<br>
>><br>
>> interface pppoesubscribers multibind<br>
>> ip address <a href="http://10.0.0.1/24" target="_blank">10.0.0.1/24</a><br>
>> ip pool <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a><br>
>><br>
>> subscribers default<br>
>> ip pool<br>
>> !<br>
>> !<br>
>> context customers-lac<br>
>> aaa authentication subscribers none<br>
>> l2tp peer name LNS-the-other-side media udp remote 1.1.1.1 local 2.2.2.2<br>
>> domain nameoftheLNSdomain<br>
>> !<br>
>> subscriber default<br>
>> tunnel-domain<br>
>> !<br>
>> !end of context<br>
>> port ethernet 1/2<br>
>> encap dot1q<br>
>> dot1q pvc 100 encap pppoe<br>
>> bind authentication pap chap<br>
>> !endofconfig<br>
>><br>
>> The trick then is in the binding without context if you have a<br>
>> customer user@domain1 is going to authenticate against 3.3.3.3 in<br>
>> context local; a user@nameoftheLNSdomain is going to pppoe against<br>
>> your lac and the ppp to the lns.<br>
>><br>
>> Tomas Lynch<br>
>><br>
>><br>
>><br>
>><br>
>> On Wed, Dec 10, 2014 at 11:12 PM, Yury Shefer <<a href="mailto:shefys@gmail.com">shefys@gmail.com</a>> wrote:<br>
>> > Hello,<br>
>> ><br>
>> > May I ask you to share your access port/dot1q pvc/circuit<br>
>> > configuration?<br>
>> ><br>
>> > On Wed, Dec 10, 2014 at 4:07 PM, Dermot Williams<br>
>> > <<a href="mailto:dermot.williams@imaginegroup.ie">dermot.williams@imaginegroup.ie</a>> wrote:<br>
>> >><br>
>> >> Hi Soe,<br>
>> >><br>
>> >> Not at present but I'm not expecting it to come up until I have my<br>
>> >> subscribers going into the right context.<br>
>> >><br>
>> >> Regards,<br>
>> >><br>
>> >> Dermot<br>
>> >><br>
>> >> IP Engineering Manager<br>
>> >> Imagine Communications Group Ltd.<br>
>> >><br>
>> >> On 10 December 2014 at 16:31, Soe Prapti <<a href="mailto:prapti.soe@gmail.com">prapti.soe@gmail.com</a>> wrote:<br>
>> >>><br>
>> >>> Hi William,<br>
>> >>><br>
>> >>> Is your tunnel established? Example like this:<br>
>> >>><br>
>> >>> show l2tp summary<br>
>> >>><br>
>> >>> Context Name Peer Name Local Name Count Count<br>
>> >>> -------------------- -------------------- -------------------- ----- -----<br>
>> >>> local ABC 123 1 0<br>
>> >>><br>
>> >>><br>
>> >>><br>
>> >>><br>
>> >>> On Wed, Dec 10, 2014 at 10:29 PM, Dermot Williams<br>
>> >>> <<a href="mailto:dermot.williams@imaginegroup.ie">dermot.williams@imaginegroup.ie</a>> wrote:<br>
>> >>>><br>
>> >>>> Hi list,<br>
>> >>>><br>
>> >>>> I have some subscribers coming in over PPPoE, some of whom I need to forward over an L2TP tunnel to an LNS on another provider's network. These subscribers are identified by their realm. I've got a context configured for this realm/domain - it's basically the same as the config outlined here:<br>
>> >>>><br>
>> >>>> <a href="https://puck.nether.net/pipermail/redback-nsp/2013-September/001576.html" target="_blank">https://puck.nether.net/pipermail/redback-nsp/2013-September/001576.html</a><br>
>> >>>><br>
>> >>>> The problem I have is that when my test subscriber's PPPoE session comes into the local context, the Redback tries to authenticate against my RADIUS servers (which fails, obviously) instead of binding the subscriber to the context that I've defined for that domain.<br>
>> >>>><br>
>> >>>> Is there something that I need to configure in the local context to make it bind sessions for these subscribers to the correct context?<br>
>> >>>><br>
>> ><br>
>> > --<br>
>> > Best regards,<br>
>> > Yury.<br>
>> ><br>
>> > _______________________________________________<br>
>> > redback-nsp mailing list<br>
>> > <a href="mailto:redback-nsp@puck.nether.net">redback-nsp@puck.nether.net</a><br>
>> > <a href="https://puck.nether.net/mailman/listinfo/redback-nsp" target="_blank">https://puck.nether.net/mailman/listinfo/redback-nsp</a><br>
>> ><br>
>><br>
>> --<br>
>> This message has been scanned for viruses and<br>
>> dangerous content by MailScanner, and is<br>
>> believed to be clean.<br>
>><br>
><br>
<br>
</div></div></blockquote></div><br></div>
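<div>A pre-change check for steps 1 and 2 of the procedure in this thread, as an added example that is not part of the original e-mails: it sorts subscriber usernames by realm against the domains configured per context, so that realms with no "domain" entry and users with no realm at all are known before "context local" is removed from the binding. The usernames and the CONFIGURED map are constructed sample data, the function names are hypothetical, and comparing realms case-insensitively is an assumption.</div>

```python
from collections import Counter

# Constructed sample usernames, as they might be exported from RADIUS accounting.
SAMPLE_USERS = [
    "alice@domain1.net", "bob@domain2.net", "carol@Whatever.com", "dave",
    "erin@nameoftheLNSdomain", "frank@domain3.net", "gina@",
]

# Hypothetical summary of the running config: context -> domains declared in it.
CONFIGURED = {
    "local": {"domain1.net", "domain2.net"},
    "customers-lac": {"nameoftheLNSdomain"},
}

def realm_of(username):
    """Return the realm after the last '@' (lower-cased), or None if there is none."""
    name = username.strip()
    if "@" not in name:
        return None
    realm = name.rsplit("@", 1)[1].lower()
    return realm or None  # "gina@" has an empty realm: treat it as missing

def audit(usernames, context_domains):
    """Sort subscribers into contexts, unconfigured realms and realm-less users."""
    domain_to_context = {
        d.lower(): ctx for ctx, domains in context_domains.items() for d in domains
    }
    by_context, unconfigured, no_realm = Counter(), Counter(), []
    for user in usernames:
        realm = realm_of(user)
        if realm is None:
            no_realm.append(user)            # no domain to select a context with
        elif realm in domain_to_context:
            by_context[domain_to_context[realm]] += 1
        else:
            unconfigured[realm] += 1         # needs a "domain" line before the rebind
    return {"by_context": dict(by_context),
            "unconfigured": dict(unconfigured),
            "no_realm": no_realm}

def domain_lines(context, domains):
    """Render the missing domains in the form shown in step 2 of the thread."""
    return ["context " + context] + [" domain " + d for d in sorted(domains)]

if __name__ == "__main__":
    report = audit(SAMPLE_USERS, CONFIGURED)
    print(report)
    # Only valid if the operator decides these realms belong in context local.
    print("\n".join(domain_lines("local", report["unconfigured"])))
```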