Allowing Or Denying Domain Names; Configuration Example - Juniper JUNOSE SOFTWARE 11.2.X - BROADBAND ACCESS CONFIGURATION GUIDE 7-20-2010 Configuration Manual

Allowing or Denying Domain Names

Copyright © 2010, Juniper Networks, Inc.
NOTE: There are two domain names with special meaning. The domain name none
indicates that there is no domain name present in the subscriber's name. For more
information about none, see the section "Mapping User Requests Without a Valid
Domain Name" on page 8. The domain name default indicates that no other match
occurs. For more information about default, see the section "Mapping User Requests
Without a Configured Domain Name" on page 9.

You can control a PPP subscriber's access to certain domains on given interfaces. As the
administrator, you can use the deny command to prevent PPP subscribers from using
unauthorized domain names. Using the allow command, you can allow PPP subscribers
to use authorized domain names.

Configuration Example

In this example, the administrator wants to restrict access of a PPP interface to the
specific domain abc.com.

1. Create an AAA profile.
   host1(config)#aaa profile restrictToABC
2. Specify the domain name you want to allow.
   host1(config-aaa-profile)#allow abc.com
3. Specify the domain name you want to restrict.
   host1(config-aaa-profile)#deny default
4. Associate the AAA profile to the designated PPP interface.
   host1(config-if)#ppp aaa-profile restrictToABC

When configured as such, the following is a likely scenario:

- PPP passes the AAA profile restrictToABC to AAA in the authentication request.
- AAA performs the following:
  - Receives the authentication request from PPP with the subscriber's name
    will@xyz.com.
  - Parses the domain name xyz.com and examines the specified AAA profile
    restrictToABC.
  - Determines that the AAA profile restrictToABC is valid.
  - Searches restrictToABC for a match on the PPP subscriber's domain name and
    finds no match.
  - Searches restrictToABC for a match on the domain name default.
  - Finds a match and denies the user access.
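
The lookup order in the scenario above can be checked offline against a set of allow/deny lines before they are applied. The following Python model is an added example, not Juniper code: the function names are hypothetical, it assumes "@" is the delimiter with the domain on the right, and it assumes a name without a domain is looked up as none and then falls through to default like any other unmatched name.

```python
"""Model of the AAA-profile allow/deny lookup order described above."""

NONE, DEFAULT = "none", "default"   # the two special domain names from the NOTE


def parse_profile(cli_lines):
    """Build {domain: 'allow'|'deny'} from 'allow <name>' / 'deny <name>' lines."""
    rules = {}
    for line in cli_lines:
        # Drop a CLI prompt such as 'host1(config-aaa-profile)#' if present.
        command = line.split("#", 1)[-1].split()
        if len(command) == 2 and command[0] in ("allow", "deny"):
            rules[command[1]] = command[0]
    return rules


def subscriber_domain(name):
    """Return the text after the last '@', or 'none' when no domain is present."""
    _user, sep, domain = name.rpartition("@")   # assumption: '@' delimiter
    return domain if sep and domain else NONE


def evaluate(rules, subscriber):
    """Return (decision, matched_entry) using the order shown in the scenario.

    decision is 'allow', 'deny', or 'unmatched' when neither the domain nor
    'default' is in the profile (the page does not describe that outcome).
    """
    domain = subscriber_domain(subscriber)
    for key in (domain, DEFAULT):        # subscriber's domain first, then 'default'
        if key in rules:
            return rules[key], key
    return "unmatched", None


# Constructed sample: the profile restrictToABC from the configuration example.
RESTRICT_TO_ABC = parse_profile([
    "host1(config-aaa-profile)#allow abc.com",
    "host1(config-aaa-profile)#deny default",
])

if __name__ == "__main__":
    # Constructed subscriber names; will@xyz.com is the one used in the scenario.
    for who in ("will@xyz.com", "ann@abc.com", "bob"):
        print(who, "->", evaluate(RESTRICT_TO_ABC, who))
```

An 'unmatched' result for a profile that contains allow entries but no default entry marks a case this section does not define, which is worth resolving before relying on the profile as a restriction.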
Chapter 1: Configuring Remote Access