Configuring Tunnel Subscriber Authentication - Juniper JUNOSE SOFTWARE 11.2.X - BROADBAND ACCESS CONFIGURATION GUIDE 7-20-2010 Configuration Manual

Software for E Series Broadband Services Routers, Broadband Access Configuration Guide
JunosE 11.2.x Broadband Access Configuration Guide
Example 7
host1# show configuration category aaa local-authentication virtual-router cleveland include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004)
! Copyright (c) 1999-2004 Juniper Networks, Inc.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router cleveland
no aaa local select

This example uses the virtual-router keyword with a named virtual router. The
include-defaults keyword shows the default configuration, including the line showing
that there is no named local user database selected.

Configuring Tunnel Subscriber Authentication

When a AAA domain map includes any tunnel configuration, users in this domain are
considered to be tunnel subscribers. By default, any such subscriber is granted access
without being authenticated by the authentication server. Access is granted even when
the user provides an invalid username and password. The tunnel configuration for the
subscriber comes from the AAA domain map.
For example, if the authentication protocol for a AAA domain map is RADIUS, AAA grants
access to subscribers from this domain immediately without sending access requests
to the configured RADIUS server. Because of this behavior, these subscribers cannot get
any additional control attributes from the authentication server. This reduces your ability
to manage the tunnel subscribers.
In this default situation, if you want the domain subscribers to be managed by the
authentication server for any control attribute, then that domain map cannot have any
tunnel configuration. Typically, this means you must configure the subscriber individually.
You can use the tunnel-subscriber authentication command to get around this limitation.
When you enable authentication with this command, access requests for the tunnel
subscribers in the domain are sent to the configured authentication server. When the
access replies from authentication server are processed, various user attributes from the
server can be applied to the subscribers.
When the authentication server returns tunnel attributes, these returned values take
precedence over the corresponding local tunnel configuration values in the AAA domain
map. If the server does not return any tunnel attributes, then the tunnel subscriber's
tunnel settings are configured according to the domain map's tunnel settings.
If the authentication server returns a redirect VSA and the corresponding AAA domain
map has local tunnel configurations, the VSA is ignored. Access is denied to the user
when the authentication server rejects the access request.
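The admission logic described above, as an added Python model that is not part of the JunosE manual or of Juniper's code. It models the three cases the text describes (default bypass, authentication enabled with the server's tunnel attributes taking precedence, and a domain map without tunnel configuration) and adds an audit helper that lists domain maps whose tunnel subscribers are never sent to the authentication server. The domain-map fields, the stand-in RADIUS lookup table, the attribute names and all addresses are constructed for illustration.

```python
# Added example: a Python model of the tunnel-subscriber admission behaviour
# described in this section. It is NOT JunosE code; field names, the stand-in
# RADIUS table and all addresses/secrets are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class DomainMap:
    name: str
    tunnel: Dict[str, str] = field(default_factory=dict)  # local tunnel config; empty = none
    tunnel_subscriber_authentication: bool = False        # the command from this section


@dataclass
class AuthReply:
    accepted: bool
    tunnel_attrs: Dict[str, str] = field(default_factory=dict)
    control_attrs: Dict[str, int] = field(default_factory=dict)
    redirect_vsa: Optional[str] = None


@dataclass
class Decision:
    granted: bool
    server_consulted: bool
    tunnel: Dict[str, str]
    control_attrs: Dict[str, int]
    redirect: Optional[str]


# Constructed stand-in for the RADIUS server: a single valid user.
_USERS = {
    "alice@cleveland": ("s3cret", AuthReply(
        accepted=True,
        tunnel_attrs={"tunnel-server-endpoint": "198.51.100.5"},
        control_attrs={"session-timeout": 3600},
        redirect_vsa="other-vr",
    )),
}


def fake_radius(username: str, password: str) -> AuthReply:
    """Stand-in for the configured authentication server (constructed)."""
    entry = _USERS.get(username)
    if entry is None or entry[0] != password:
        return AuthReply(accepted=False)
    return entry[1]


def admit(domain: DomainMap, username: str, password: str,
          server: Callable[[str, str], AuthReply] = fake_radius) -> Decision:
    if not domain.tunnel:
        # No tunnel configuration: not a tunnel subscriber, so the command has no
        # effect and the normal authentication path applies.
        reply = server(username, password)
        return Decision(reply.accepted, True, {}, reply.control_attrs, reply.redirect_vsa)
    if not domain.tunnel_subscriber_authentication:
        # Default behaviour: access is granted without any access request, even
        # with invalid credentials, and no control attributes are available.
        return Decision(True, False, dict(domain.tunnel), {}, None)
    reply = server(username, password)
    if not reply.accepted:
        return Decision(False, True, {}, {}, None)  # server rejected: access denied
    # Server-returned tunnel attributes take precedence over the domain map's
    # values; anything the server did not return keeps the local setting.
    tunnel = {**domain.tunnel, **reply.tunnel_attrs}
    # A redirect VSA is ignored when the domain map has local tunnel configuration.
    return Decision(True, True, tunnel, reply.control_attrs, None)


def unauthenticated_tunnel_domains(domains: List[DomainMap]) -> List[str]:
    """Audit helper: domain maps whose tunnel subscribers bypass the server."""
    return [d.name for d in domains
            if d.tunnel and not d.tunnel_subscriber_authentication]


# Constructed sample domain maps.
LOCAL_TUNNEL = {"tunnel-type": "l2tp",
                "tunnel-server-endpoint": "192.0.2.10",
                "tunnel-password": "local-tunnel-secret"}
DEFAULT_DOMAIN = DomainMap("cleveland-default", dict(LOCAL_TUNNEL))
AUTH_DOMAIN = DomainMap("cleveland-auth", dict(LOCAL_TUNNEL),
                        tunnel_subscriber_authentication=True)
PLAIN_DOMAIN = DomainMap("plain")

if __name__ == "__main__":
    for dom in (DEFAULT_DOMAIN, AUTH_DOMAIN, PLAIN_DOMAIN):
        for user, pw in (("alice@cleveland", "s3cret"), ("mallory@cleveland", "wrong")):
            print(dom.name, user, admit(dom, user, pw))
    print("bypassing server:",
          unauthenticated_tunnel_domains([DEFAULT_DOMAIN, AUTH_DOMAIN, PLAIN_DOMAIN]))
```

Running the script shows the point the section makes: with the default setting, mallory with a wrong password is admitted to the cleveland-default tunnel and the server is never consulted; with tunnel-subscriber authentication enabled the same attempt is denied, and a valid user receives the server's tunnel endpoint over the local one while the local tunnel type is retained. The audit helper is the check a reviewer would run over a set of domain maps to find tunnel subscribers that are not being managed by the authentication server.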
The tunnel-subscriber authentication command has no effect on subscribers in a domain
with no tunnel configuration. When a AAA domain map has no tunnel configuration,
Copyright © 2010, Juniper Networks, Inc. All rights reserved.