<div dir="ltr">Tomas,<div><br></div><div>You are a font of knowledge - many thanks for the pointers, I will test them over the next days.</div><div><br></div><div>Regards,</div><div><br></div><div>Dermot</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">IP Engineering Manager<br>Imagine Communications Group Ltd.<br></div></div></div>
<br><div class="gmail_quote">On 11 December 2014 at 21:46, Tomas Lynch <span dir="ltr"><<a href="mailto:tomas.lynch@gmail.com" target="_blank">tomas.lynch@gmail.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Then use "aaa last-resort context local" for those without domain or<br>
with unknown domain.<br>
<br>
On Thu, Dec 11, 2014 at 4:14 PM, Dermot Williams<br>
<div class="HOEnZb"><div class="h5"><<a href="mailto:dermot.williams@imaginegroup.ie">dermot.williams@imaginegroup.ie</a>> wrote:<br>
> That's going to cause a bit of a headache for me since we aren't using<br>
> domains for some of our subscribers. Might have to go back to the drawing<br>
> board on this one!<br>
><br>
> Thanks,<br>
><br>
> Dermot<br>
><br>
> IP Engineering Manager<br>
> Imagine Communications Group Ltd.<br>
><br>
> On 11 December 2014 at 20:01, Tomas Lynch <<a href="mailto:tomas.lynch@gmail.com">tomas.lynch@gmail.com</a>> wrote:<br>
>><br>
>> Dermot,<br>
>><br>
>> If you remove as is the "context local" from the binding your customer<br>
>> won't authenticate. Thus, before removing that you have to:<br>
>><br>
>> 1) collect all the domains your subscribers have, let's say they are<br>
>> domain1.net, domain2.net and whatever.com<br>
>> 2) using the domain command, add those domains to the context local as<br>
>> follows:<br>
>> context local<br>
>> domain domain1.net<br>
>> domain domain2.net<br>
>> domain whatever.com<br>
>> 3) configure your LAC context with the domain you want to L2TP to an<br>
>> LNS following the configuration you've read from older emails<br>
>> 4) remove the "context local" keyword from the binding. To remove that<br>
>> keyword you have to rebind your port and therefore all the current<br>
>> customers using that VLAN10 will go down and they need to<br>
>> reauthenticate after you set up the bind again. The commands are:<br>
>><br>
>> no bind authentication chap context local maximum 10<br>
>> bind authentication chap maximum 10<br>
>><br>
>> So please do this configuration change in a maintenance window if<br>
>> possible.<br>
>><br>
>> With that config the SE will redirect each domain to its corresponding<br>
>> context.<br>
>><br>
>> Tomás<br>
>><br>
>> On Thu, Dec 11, 2014 at 2:17 PM, Dermot Williams<br>
>> <<a href="mailto:dermot.williams@imaginegroup.ie">dermot.williams@imaginegroup.ie</a>> wrote:<br>
>> > Hi Tomas,<br>
>> ><br>
>> > This is what I have:<br>
>> ><br>
>> > dot1q pvc 10 encapsulation multi<br>
>> > circuit protocol pppoe<br>
>> > bind authentication chap context local maximum 10<br>
>> ><br>
>> > Are you suggesting that I remove the context from the bind auth... line?<br>
>> > What impact will that have on my existing subscribers?<br>
>> ><br>
>> > Thanks,<br>
>> ><br>
>> > Dermot<br>
>> ><br>
>> > IP Engineering Manager<br>
>> > Imagine Communications Group Ltd.<br>
>> ><br>
>> > On 11 December 2014 at 16:50, Tomas Lynch <<a href="mailto:tomas.lynch@gmail.com">tomas.lynch@gmail.com</a>> wrote:<br>
>> >><br>
>> >> Dermot,<br>
>> >><br>
>> >> Verify your port/vlan configuration, if you have the binding pointing<br>
>> >> to context local then all the subscribers independent of the realm<br>
>> >> will try to authenticate in context local.<br>
>> >><br>
>> >> You should have something like the following (please do not copy and<br>
>> >> paste since some commands may be wrong):<br>
>> >><br>
>> >><br>
>> >> context local<br>
>> >> domain domain1<br>
>> >> domain domain2<br>
>> >> !whatever you have here for example<br>
>> >> aaa authentication subscribers radius<br>
>> >> radius server 3.3.3.3 key djsjsi98d9id<br>
>> >><br>
>> >> interface pppoesubscribers multibind<br>
>> >> ip address 10.0.0.1/24<br>
>> >> ip pool 10.0.0.0/24<br>
>> >><br>
>> >> subscribers default<br>
>> >> ip pool<br>
>> >> !<br>
>> >> !<br>
>> >> context customers-lac<br>
>> >> aaa authentication subscribers none<br>
>> >> l2tp peer name LNS-the-other-side media udp remote 1.1.1.1 local 2.2.2.2<br>
>> >> domain nameoftheLNSdomain<br>
>> >> !<br>
>> >> subscriber default<br>
>> >> tunnel-domain<br>
>> >> !<br>
>> >> !end of context<br>
>> >> port ethernet 1/2<br>
>> >> encap dot1q<br>
>> >> dot1q pvc 100 encap pppoe<br>
>> >> bind authentication pap chap<br>
>> >> !endofconfig<br>
>> >><br>
>> >> The trick then is in the binding without context: if you have a<br>
>> >> customer user@domain1, it is going to authenticate against 3.3.3.3 in<br>
>> >> context local; a user@nameoftheLNSdomain is going to pppoe against<br>
>> >> your lac and the ppp to the lns.<br>
>> >><br>
>> >> Tomas Lynch<br>
>> >><br>
>> >><br>
>> >><br>
>> >><br>
>> >> On Wed, Dec 10, 2014 at 11:12 PM, Yury Shefer <<a href="mailto:shefys@gmail.com">shefys@gmail.com</a>> wrote:<br>
>> >> > Hello,<br>
>> >> ><br>
>> >> > May I ask you to share your access port/dot1q pvc/circuit<br>
>> >> > configuration?<br>
>> >> ><br>
>> >> > On Wed, Dec 10, 2014 at 4:07 PM, Dermot Williams<br>
>> >> > <<a href="mailto:dermot.williams@imaginegroup.ie">dermot.williams@imaginegroup.ie</a>> wrote:<br>
>> >> >><br>
>> >> >> Hi Soe,<br>
>> >> >><br>
>> >> >> Not at present but I'm not expecting it to come up until I have my<br>
>> >> >> subscribers going into the right context.<br>
>> >> >><br>
>> >> >> Regards,<br>
>> >> >><br>
>> >> >> Dermot<br>
>> >> >><br>
>> >> >> IP Engineering Manager<br>
>> >> >> Imagine Communications Group Ltd.<br>
>> >> >><br>
>> >> >> On 10 December 2014 at 16:31, Soe Prapti <<a href="mailto:prapti.soe@gmail.com">prapti.soe@gmail.com</a>><br>
>> >> >> wrote:<br>
>> >> >>><br>
>> >> >>> Hi William,<br>
>> >> >>><br>
>> >> >>> Is your tunnel established? Example like this:<br>
>> >> >>><br>
>> >> >>> show l2tp summary<br>
>> >> >>><br>
>> >> >>> Context Name Peer Name Local Name Count Count<br>
>> >> >>> -------------------- -------------------- -------------------- ----- -----<br>
>> >> >>> local ABC 123 1 0<br>
>> >> >>><br>
>> >> >>><br>
>> >> >>><br>
>> >> >>><br>
>> >> >>> On Wed, Dec 10, 2014 at 10:29 PM, Dermot Williams<br>
>> >> >>> <<a href="mailto:dermot.williams@imaginegroup.ie">dermot.williams@imaginegroup.ie</a>> wrote:<br>
>> >> >>>><br>
>> >> >>>> Hi list,<br>
>> >> >>>><br>
>> >> >>>> I have some subscribers coming in over PPPoE, some of whom I need to<br>
>> >> >>>> forward over an L2TP tunnel to an LNS on another provider's network.<br>
>> >> >>>> These subscribers are identified by their realm. I've got a context<br>
>> >> >>>> configured for this realm/domain - it's basically the same as the<br>
>> >> >>>> config outlined here:<br>
>> >> >>>><br>
>> >> >>>><br>
>> >> >>>> <a href="https://puck.nether.net/pipermail/redback-nsp/2013-September/001576.html" target="_blank">https://puck.nether.net/pipermail/redback-nsp/2013-September/001576.html</a><br>
>> >> >>>><br>
>> >> >>>> The problem I have is that when my test subscriber's PPPoE session<br>
>> >> >>>> comes into the local context, the Redback tries to authenticate<br>
>> >> >>>> against my RADIUS servers (which fails, obviously) instead of<br>
>> >> >>>> binding the subscriber to the context that I've defined for that<br>
>> >> >>>> domain.<br>
>> >> >>>><br>
>> >> >>>> Is there something that I need to configure in the local context to<br>
>> >> >>>> make it bind sessions for these subscribers to the correct context?<br>
>> >> >>>><br>
>> >> ><br>
>> >> > --<br>
>> >> > Best regards,<br>
>> >> > Yury.<br>
>> >> ><br>
>> >> > _______________________________________________<br>
>> >> > redback-nsp mailing list<br>
>> >> > <a href="mailto:redback-nsp@puck.nether.net">redback-nsp@puck.nether.net</a><br>
>> >> > <a href="https://puck.nether.net/mailman/listinfo/redback-nsp" target="_blank">https://puck.nether.net/mailman/listinfo/redback-nsp</a><br>
>> >> ><br>
>> >><br>
>> >> --<br>
>> >> This message has been scanned for viruses and<br>
>> >> dangerous content by MailScanner, and is<br>
>> >> believed to be clean.<br>
>> >><br>
>> ><br>
>><br>
>><br>
><br>
<br>
<br>
</div></div></blockquote></div></div>
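The context selection described in this thread, as an added example that is not part of the original messages and is not Redback's code: a small Python model that parses a constructed config and reports which subscribers on a PVC would land in a different context (or in none) once the "context" keyword is removed from the bind. The sample config and its indentation, the top-level placement of "aaa last-resort", the domain lns-partner.example and all function names are assumptions.

```python
# Model of the realm-based context selection described in the thread.
# Constructed sample config; indentation, the top-level placement of
# "aaa last-resort" and the domain lns-partner.example are assumptions.
SAMPLE_CONFIG = """\
aaa last-resort context local
context local
 domain domain1.net
 domain domain2.net
context customers-lac
 domain lns-partner.example
port ethernet 1/2
 dot1q pvc 10 encapsulation multi
  bind authentication chap context local maximum 10
 dot1q pvc 100 encapsulation pppoe
  bind authentication pap chap
"""

def parse(config):
    """Return (domain -> context, pvc -> forced context or None, last resort)."""
    domains, binds, last_resort, ctx, pvc = {}, {}, None, None, None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:3] == ["aaa", "last-resort", "context"] and len(tok) > 3:
            last_resort = tok[3]
        elif tok[0] == "context" and not line[0].isspace() and len(tok) > 1:
            ctx = tok[1]
        elif tok[0] == "port":
            ctx = None
        elif tok[0] == "domain" and ctx and len(tok) > 1:
            domains[tok[1].lower()] = ctx
        elif tok[:2] == ["dot1q", "pvc"] and len(tok) > 2:
            pvc = tok[2]
        elif tok[:2] == ["bind", "authentication"]:
            i = tok.index("context") if "context" in tok else -1
            binds[pvc] = tok[i + 1] if 0 <= i < len(tok) - 1 else None
    return domains, binds, last_resort

def resolve(username, pvc, parsed):
    """Context a subscriber authenticates in; None means no context matches."""
    domains, binds, last_resort = parsed
    if binds.get(pvc):  # an explicit context on the bind ignores the realm
        return binds[pvc]
    realm = username.rpartition("@")[2].lower() if "@" in username else None
    return domains.get(realm, last_resort)

def moved_after_unbind(usernames, pvc, parsed):
    """Users whose context changes if the bind on `pvc` loses its context."""
    domains, binds, last_resort = parsed
    after = (domains, {**binds, pvc: None}, last_resort)
    return {u: resolve(u, pvc, after) for u in usernames
            if resolve(u, pvc, after) != resolve(u, pvc, parsed)}
```

Running moved_after_unbind over the real subscriber list for a PVC before the maintenance window shows which realms still need a "domain" entry or depend on the last-resort context.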