Specifying a Single Name for Users from a Domain

Assigning a single username and a single password for all users associated with a domain provides better compatibility with some RADIUS servers. You can use this feature for domains that require the router to tunnel, but not terminate, PPP sessions.

When users request a PPP session, they specify usernames and passwords. During the negotiations for the PPP session, the router authenticates legitimate users.

Note: This feature works only for users authenticated by Password Authentication Protocol (PAP) and not by Challenge Handshake Authentication Protocol (CHAP).

If you configure this feature, the router substitutes the specified username and password for all authenticated usernames and passwords associated with that domain.

There are two options for this feature. The router can:

• Substitute the domain name for each username and one new password for each existing password.

  For example, if the domain name is xyz.com and you specify the password xyz_domain, the router associates the username xyz.com and the password xyz_domain with all users from xyz.com.

• Substitute one new username for each username and one new password for each existing password.

  For example, if the domain name is xyz.com and you specify the username xyz_group and the password xyz_domain, the router associates these identifiers with all users from xyz.com.

To use a single username and a single password for all users from a domain:

1. Access Domain Map Configuration mode using the aaa domain-map command.
2. Specify the new username and password using the override-user command.

aaa domain-map

• Use to map a domain name to a virtual router or to access Domain Map Configuration mode.
• Example

  host1(config)#aaa domain-map xyz.com

  host1(config-domain-map)#

• Use the no version to delete the map entry.
• See aaa domain-map

override-user

• Use to specify a single username and single password for all users from a domain in place of the values received from the remote client.
• Use only for domains that require the router to tunnel and not terminate PPP sessions.
• If you specify a password only, the router substitutes the domain name for the username and associates the new password with the user. If you specify a password only and you have configured the domain name none with the aaa domain-map command, the router rejects any users without domain names.
• If you specify a name and password, the router associates both the new name and password with the user.
• Example

  host1(config-domain-map)#override-user name boston password abc

• Use the no version to revert to the original username.
• See override-user

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.