<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
I'm currently looking into a setup on a Redback SE1200 in which
subscribers should be moved into separate contexts, depending on the
value of the Context radius attribute.<br>
The situation is like this:<br>
* Customer A and B should both have dedicated contexts in which
subscribers should be terminated.<br>
* There's a bunch of vlans in which PPP subscriber traffic is
delivered.<br>
* There's another bunch of vlans in which DHCP subscriber traffic is
delivered.<br>
<br>
The PPP configuration doesn't exist yet, but the DHCP configuration
does. DHCP subscribers are already<br>
bound to a dedicated context (through service clips dhcp context ctx
in dot1q pvc on-demand vlan X to Y), and that should not change.
Also, every<br>
non-global context should have it's own radius server configuration
to authenticate users against.<br>
<br>
So as I said there are vlans in which PPP subscriber traffic is
delivered. I radius it is known which context a user should be
routed to<br>
based on the information in the PADI tag (which I assume is included
in the authentication request). <br>
I know it is possible to configure global radius aaa through 'aaa
global authentication subscriber radius context local'. My questions
are:<br>
1. When enabling global aaa authentication, will this authenticate
the DHCP subscribers as well (as in all subscribers in all vlans),
even though they are explicitely bound to a context?<br>
2. Is it possible to globally authenticate PPP users, and delegate
additional authentication to an aaa configuration in the context
where the user will be bound to?<br>
(so basically that means the router should authenticate a user
twice, first one in the local context, second one in the bound
context)<br>
<br>
Thanks.<br>
<br>
<pre class="moz-signature" cols="72">--
Johan Mulder
Cambrium BV</pre>
</body>
</html>