Configuring Tunnel Subscriber Authentication - Juniper JUNOSE SOFTWARE 11.0.X - BROADBAND ACCESS CONFIGURATION GUIDE 4-1-2010 Configuration Manual

For E Series Broadband Services Routers - Broadband Access Configuration

JUNOSe 11.0.x Broadband Access Configuration Guide
Example 7

This example uses the virtual-router keyword with a named virtual router. The
include-defaults keyword shows the default configuration, including the line showing
that there is no named local user database selected.

host1# show configuration category aaa local-authentication virtual-router cleveland include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router cleveland
no aaa local select

Configuring Tunnel Subscriber Authentication

When a AAA domain map includes any tunnel configuration, users in this domain
are considered to be tunnel subscribers. By default, any such subscriber is granted
access without being authenticated by the authentication server. Access is granted
even when the user provides an invalid username and password. The tunnel
configuration for the subscriber comes from the AAA domain map.

For example, if the authentication protocol for a AAA domain map is RADIUS, AAA
grants access to subscribers from this domain immediately without sending access
requests to the configured RADIUS server. Because of this behavior, these subscribers
cannot get any additional control attributes from the authentication server. This
reduces your ability to manage the tunnel subscribers.

In this default situation, if you want the domain subscribers to be managed by the
authentication server for any control attribute, then that domain map cannot have
any tunnel configuration. Typically, this means you must configure the subscriber
individually.

You can use the tunnel-subscriber authentication command to get around this
limitation. When you enable authentication with this command, access requests for
the tunnel subscribers in the domain are sent to the configured authentication server.
When the access replies from the authentication server are processed, various user
attributes from the server can be applied to the subscribers.

When the authentication server returns tunnel attributes, these returned values take
precedence over the corresponding local tunnel configuration values in the AAA
domain map. If the server does not return any tunnel attributes, then the tunnel
subscriber's tunnel settings are configured according to the domain map's tunnel
settings.

If the authentication server returns a redirect VSA and the corresponding AAA domain
map has local tunnel configurations, the VSA is ignored. Access is denied to the user
when the authentication server rejects the access request.
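
The decision rules above, modeled as an added Python example (not code from the guide or from JUNOSe) so that the default bypass and the attribute precedence can be checked side by side. All class, field and key names are hypothetical, the sample values are constructed, and the per-key merge is this model's reading of "corresponding" values.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Illustrative model of the behaviour described above; every name is
# hypothetical and none is a JUNOSe identifier or RADIUS attribute name.

@dataclass
class DomainMap:
    tunnel: dict                          # local tunnel settings (non-empty)
    tunnel_subscriber_auth: bool = False  # default: authentication not enabled

@dataclass
class ServerReply:
    accept: bool
    tunnel_attrs: dict = field(default_factory=dict)
    control_attrs: dict = field(default_factory=dict)
    redirect_vsa: Optional[str] = None

@dataclass
class Decision:
    granted: bool
    server_consulted: bool
    tunnel: dict = field(default_factory=dict)
    control_attrs: dict = field(default_factory=dict)
    redirect_ignored: bool = False

def authorize(dm: DomainMap, ask_server: Callable[[], ServerReply]) -> Decision:
    if not dm.tunnel_subscriber_auth:
        # Default: no access request is sent, so the credentials are never
        # checked and no control attributes can be applied.
        return Decision(True, False, dict(dm.tunnel))
    reply = ask_server()
    if not reply.accept:
        return Decision(False, True)      # server reject denies access
    # Returned tunnel attributes override the corresponding local values;
    # anything the server did not return falls back to the domain map.
    tunnel = {**dm.tunnel, **reply.tunnel_attrs}
    # The domain map has local tunnel configuration, so a redirect VSA is ignored.
    return Decision(True, True, tunnel, dict(reply.control_attrs),
                    redirect_ignored=reply.redirect_vsa is not None)

# Constructed sample data
LOCAL = DomainMap(tunnel={"peer": "192.0.2.1", "preference": 5})
AUTHED = DomainMap(tunnel=dict(LOCAL.tunnel), tunnel_subscriber_auth=True)
```

Passing `LOCAL` with any credentials yields a grant with `server_consulted` false, which is the condition to look for when auditing domain maps that carry tunnel configuration.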