Johan Mulder
2018-04-16 09:36:33 UTC
Hi,
I'm currently looking into a setup on a Redback SE1200 in which
subscribers should be moved into separate contexts, depending on the
value of the Context radius attribute.
The situation is like this:
* Customer A and B should both have dedicated contexts in which
subscribers should be terminated.
* There's a bunch of vlans in which PPP subscriber traffic is delivered.
* There's another bunch of vlans in which DHCP subscriber traffic is
delivered.
The PPP configuration doesn't exist yet, but the DHCP configuration
does. DHCP subscribers are already
bound to a dedicated context (through service clips dhcp context ctx in
dot1q pvc on-demand vlan X to Y), and that should not change. Also, every
non-global context should have it's own radius server configuration to
authenticate users against.
So as I said there are vlans in which PPP subscriber traffic is
delivered. I radius it is known which context a user should be routed to
based on the information in the PADI tag (which I assume is included in
the authentication request).
I know it is possible to configure global radius aaa through 'aaa global
authentication subscriber radius context local'. My questions are:
1. When enabling global aaa authentication, will this authenticate the
DHCP subscribers as well (as in all subscribers in all vlans), even
though they are explicitely bound to a context?
2. Is it possible to globally authenticate PPP users, and delegate
additional authentication to an aaa configuration in the context where
the user will be bound to?
 (so basically that means the router should authenticate a user twice,
first one in the local context, second one in the bound context)
Thanks.
I'm currently looking into a setup on a Redback SE1200 in which
subscribers should be moved into separate contexts, depending on the
value of the Context radius attribute.
The situation is like this:
* Customer A and B should both have dedicated contexts in which
subscribers should be terminated.
* There's a bunch of vlans in which PPP subscriber traffic is delivered.
* There's another bunch of vlans in which DHCP subscriber traffic is
delivered.
The PPP configuration doesn't exist yet, but the DHCP configuration
does. DHCP subscribers are already
bound to a dedicated context (through service clips dhcp context ctx in
dot1q pvc on-demand vlan X to Y), and that should not change. Also, every
non-global context should have it's own radius server configuration to
authenticate users against.
So as I said there are vlans in which PPP subscriber traffic is
delivered. I radius it is known which context a user should be routed to
based on the information in the PADI tag (which I assume is included in
the authentication request).
I know it is possible to configure global radius aaa through 'aaa global
authentication subscriber radius context local'. My questions are:
1. When enabling global aaa authentication, will this authenticate the
DHCP subscribers as well (as in all subscribers in all vlans), even
though they are explicitely bound to a context?
2. Is it possible to globally authenticate PPP users, and delegate
additional authentication to an aaa configuration in the context where
the user will be bound to?
 (so basically that means the router should authenticate a user twice,
first one in the local context, second one in the bound context)
Thanks.
--
Johan Mulder
Cambrium BV
Johan Mulder
Cambrium BV