Mapping User Requests Without A Configured Domain Name; Using Dnis; Redirected Authentication - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - BROADBAND ACCESS CONFIGURATION GUIDE 2010-10-12 Configuration Manual

Software for e series broadband services routers broadband access configuration guide

Mapping User Requests Without a Configured Domain Name

Using DNIS

Redirected Authentication

Copyright © 2010, Juniper Networks, Inc.
You can map a domain name called none to a specific virtual router so that the router
can map user names that do not contain a domain name.
If a user request is submitted without a domain name, the router looks for a mapping
between the domain name none and a virtual router. If a match is found, the user's request
is processed according to the RADIUS server configured for the named virtual router. If
the router does not find the domain name none, it checks for the domain name default.
If no matching entries are found, the router sends the request to the server configured
on the default virtual router.
The E Series router supports dialed number identification service (DNIS). With DNIS, if
users have a called number associated with them, the router searches the domain map
for the called number. If it finds a match, the router uses the matching domain map entry
information to authenticate the user. If the router does not find a match, it searches the
domain map using normal processing.
NOTE: For DNIS to work, the router must be acting as the LNS. Also, the
phone number configured in the aaa domain-map command must exactly
match the value passed by L2TP in the called number AVP (AVP 21).
For example, as specified in the following sequence, a user calling 9785551212 is
terminated in vrouter_88, while a user calling 8005554433 is terminated in vrouter_100.
host1(config)#aaa domain-map 9785551212 vrouter_88
host1(config)#aaa domain-map 8005554433 vrouter_100
Redirected authentication offloads AAA activity from the router by providing a
domain-mapping-like feature remotely on the RADIUS server. Redirected
authentication works as follows:
1. The router sends an authentication request (in the form of a RADIUS access-request
   message) to the RADIUS server that is configured in the default VR.
2. The RADIUS server determines the user's AAA VR context and returns this information
   in a RADIUS response message to the router.
3. The router then behaves as if it had received the VR context from
   the local domain map.
To maintain local control, the only VR allowed to redirect authentication is the default
VR. Also, to prevent loopbacks, the redirection may occur only once to a non-default VR.
To maintain flexibility, the redirection response may include idle time or session attributes
that are considered as default unless the redirected authentication server overrides them.
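
The lookup order described above (DNIS called number, then domain name, then none, then default, then the default virtual router) and the redirect rule, as an added Python model that is not JunosE code or Juniper's implementation. The '@' delimiter, the handling of a present but unmapped domain, the refusal behaviour on a disallowed redirect, and the names DEFAULT_VR, vrouter_isp and vrouter_none are assumptions made for the example.

```python
# Added example: a model of the lookup order described on this page, not JunosE code.
DEFAULT_VR = "default"  # label used here for the default virtual router (assumption)

def resolve_vr(domain_map, username, called_number=None):
    """Return (virtual_router, matched_entry) for one user request."""
    # DNIS first: the called number (L2TP AVP 21) must match an entry exactly.
    if called_number is not None and called_number in domain_map:
        return domain_map[called_number], called_number
    # Normal processing. Assumption: the domain is the text after '@'.
    _, sep, domain = username.partition("@")
    if sep and domain in domain_map:
        return domain_map[domain], domain
    # No domain in the user name: try the entry named "none".
    if not sep and "none" in domain_map:
        return domain_map["none"], "none"
    # Then "default". Assumption: a present but unmapped domain also lands here.
    if "default" in domain_map:
        return domain_map["default"], "default"
    # No entry matched: the RADIUS server on the default VR handles the request.
    return DEFAULT_VR, None

def apply_redirect(current_vr, redirect_vr, redirects_so_far=0):
    """Return the VR to use after a RADIUS response naming redirect_vr (or None)."""
    if redirect_vr is None or redirect_vr == current_vr:
        return current_vr
    # Only the default VR may redirect, and only once, to a non-default VR.
    if current_vr != DEFAULT_VR or redirects_so_far >= 1:
        raise ValueError("redirect refused")  # refusal handling is an assumption
    return redirect_vr

def catch_all_requests(domain_map, requests):
    """List requests that were placed by a catch-all entry or by no entry at all."""
    hits = []
    for username, called in requests:
        vr, entry = resolve_vr(domain_map, username, called)
        if entry in ("none", "default", None):
            hits.append((username, vr, entry))
    return hits

# Constructed data: the two DNIS entries from the page plus hypothetical ones.
DOMAIN_MAP = {"9785551212": "vrouter_88", "8005554433": "vrouter_100",
              "isp.example": "vrouter_isp", "none": "vrouter_none"}
REQUESTS = [("alice", "9785551212"), ("bob@isp.example", None),
            ("carol", None), ("dave@unknown.example", "9785550000")]

if __name__ == "__main__":
    for hit in catch_all_requests(DOMAIN_MAP, REQUESTS):
        print(hit)
```

Running catch_all_requests over a real domain map and a sample of user names shows which users are authenticated through a catch-all entry or the default virtual router rather than an explicit mapping.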
Chapter 1: Configuring Remote Access