Cisco Support Community
New Member

ASR 9k BNG - Selective Domain Stripping

Hi friends,

I have a particular requirement in which I am receiving PPPoE subscribers on an ASR 9010 running 4.2. I am receiving subscriber sessions in three formats:

1)  username@abc.com

2) username@xyx.com

3) username1

Is it possible that I let username@abc.com go through RADIUS authentication as it is, while for users with username@xyz.com the domain is stripped and only the username is sent to RADIUS?

Can someone share a configuration template? I saw in the documentation that there is a way to define an aaa attribute format, but I couldn't understand how to apply it to the users.

Also, what will be the impact if I enable VPDN for L2TP LAC on the same router?

Anyone, please?

Accepted Solutions
Cisco Employee

Yup, that can be done; here is an example.

!!! Define how the username is to be stripped in a format directive; one saves the domain, the other one the username.
aaa attribute format domain_strip
 username-strip suffix-delimiter @
!
aaa attribute format domain_strip-2
 username-strip prefix-delimiter @
!
!!! Define in a class map the domain to trigger on, in this case domain abc.com, which uses the strip directive defined earlier
class-map type control subscriber match-any DOMAIN_ABC
 match domain abc.com format domain_strip
end-class-map
!
! Define a class for all the other users
class-map type control subscriber match-any EVERYONE
 match protocol ppp
end-class-map

Next, in the control policy, leverage this newly defined class for username abc.com's:

policy-map type control subscriber CPMAP
 event session-activate
  class DOMAIN_ABC
   10 authenticate aaa list default
  class EVERYONE
   10 authorize aaa list default format domain_strip-2 password use-from-line
end-policy-map

Now domain_abc will send its original username out; all the other ones will have their username stripped, omitting the domain, and send their password received from CHAP.

regards

xander

Xander Thuijs CCIE #6775
Principal Engineer 
ASR9000, CRS, NCS6000 & IOS-XR
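
An offline check of the outcome described in the answer above, as an added example that is not part of the original post or Cisco's code: it models which User-Name reaches RADIUS for each of the three username formats and flags subscribers that collapse onto the same identity once the domain is stripped. Splitting at the last `@`, the case-insensitive domain match and the sample names are assumptions.

```python
from collections import defaultdict

KEEP_DOMAINS = {"abc.com"}  # domains sent to RADIUS unchanged (from the thread)
DELIMITER = "@"             # delimiter used by the username-strip directives


def radius_username(pppoe_username, keep_domains=KEEP_DOMAINS):
    """Return the User-Name this model expects the BNG to send to RADIUS.

    Assumption: the name is split at the last delimiter and the domain
    comparison is case-insensitive; confirm both on the router.
    """
    user, sep, domain = pppoe_username.rpartition(DELIMITER)
    if not sep:                        # format 3: bare username, nothing to strip
        return pppoe_username
    if domain.casefold() in keep_domains:
        return pppoe_username          # format 1: sent as-is
    return user                        # format 2: domain stripped


def find_collisions(pppoe_usernames, keep_domains=KEEP_DOMAINS):
    """Map each RADIUS identity to the distinct PPPoE names that collapse onto it."""
    seen = defaultdict(set)
    for name in pppoe_usernames:
        seen[radius_username(name, keep_domains)].add(name)
    return {ident: sorted(names) for ident, names in seen.items() if len(names) > 1}


# Constructed sample subscriber names, not taken from a real deployment.
SAMPLE = [
    "alice@abc.com",
    "alice@xyz.com",
    "alice",
    "bob@xyz.com",
    "carol@abc.com",
    "dave@xyz.com",
    "dave@example.net",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:20} -> {radius_username(name)}")
    for ident, names in find_collisions(SAMPLE).items():
        print(f"collision on {ident!r}: {names}")
```

Running it against an export of the subscriber database before enabling stripping shows which accounts would share one RADIUS identity, and therefore one set of credentials and one accounting record.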
