Mapping a User Domain Name to a Virtual Router
You can configure RADIUS authentication, accounting, and local address pools for a specific virtual router and then map a user domain to that virtual router.
The router keeps track of the mapping between domain names and virtual routers. Use the aaa domain-map command to map a user domain to a virtual router.
Note: This domain name is not the NT domain sometimes found on the Dialup Networking dialog box.
When the router is configured to require authentication of a PPP user, the router checks for the appropriate user domain-name-to-virtual-router mapping. If it finds a match, the router sends a RADIUS authentication request to the RADIUS server configured for the specific virtual router.
Mapping User Requests Without a Valid Domain Name
You can create a mapping between a domain name called default and a specific virtual router so that the router can map user names that contain a domain name that does not have an explicit map.
If a user request is submitted with a domain name for which the router cannot find a match, the router looks for a mapping between the domain name default and a virtual router. If a match is found, the user’s request is processed according to the RADIUS server configured for the named virtual router. If no entry is found that maps default to a specific virtual router, the router sends the request to the RADIUS server configured on the default virtual router.
Mapping User Requests Without a Configured Domain Name
You can map a domain name called none to a specific virtual router so that the router can map user names that do not contain a domain name.
If a user request is submitted without a domain name, the router looks for a mapping between the domain name none and a virtual router. If a match is found, the user’s request is processed according to the RADIUS server configured for the named virtual router. If the router does not find the domain name none, it checks for the domain name default. If no matching entries are found, the router sends the request to the server configured on the default virtual router.
Using DNIS
The E Series router supports dialed number identification service (DNIS). With DNIS, if users have a called number associated with them, the router searches the domain map for the called number. If it finds a match, the router uses the matching domain map entry information to authenticate the user. If the router does not find a match, it searches the domain map using normal processing.
Note: For DNIS to work, the router must be acting as the LNS. Also, the phone number configured in the aaa domain-map command must be an exact match to the value passed by L2TP in the called number AVP (AVP 21).
For example, as specified in the following sequence, a user calling 9785551212 would be terminated in vrouter_88, while a user calling 8005554433 is terminated in vrouter_100.
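The lookup order described in the sections above (called number first, then the explicit domain, then none and default, then the default virtual router), written out as an added example that is not part of the original documentation. It assumes user names of the form user@domain and a default virtual router named default; the configuration lines and the names vrouter_nodomain and vrouter_catchall are constructed.

```python
import re

# Constructed sample configuration in the one-line form shown on this page.
SAMPLE_CONFIG = """\
aaa domain-map juniper.net vrouter_1
aaa domain-map none vrouter_nodomain
aaa domain-map default vrouter_catchall
aaa domain-map 9785551212 vrouter_88
aaa domain-map 8005554433 vrouter_100
"""
DEFAULT_VR = "default"  # assumed name of the default virtual router

def parse_domain_map(config_text):
    """Collect 'aaa domain-map <name> <virtual-router>' lines into a dict."""
    pattern = re.compile(r"^\s*aaa domain-map (\S+) (\S+)\s*$")
    entries = {}
    for line in config_text.splitlines():
        m = pattern.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def resolve_vr(entries, user_name, called_number=None):
    """Return (virtual_router, matched_key) following the documented order."""
    # DNIS: the called number is searched first and must match exactly.
    if called_number is not None and called_number in entries:
        return entries[called_number], called_number
    # Assumption: the domain is whatever follows the last '@'.
    _, sep, domain = user_name.rpartition("@")
    if sep and domain:
        keys = [domain, "default"]   # domain present: explicit map, then default
    else:
        keys = ["none", "default"]   # no domain: none, then default
    for key in keys:
        if key in entries:
            return entries[key], key
    # No entry matched: the default virtual router's RADIUS server is used.
    return DEFAULT_VR, None

def audit(entries, sessions):
    """List sessions placed by a fall-through rather than an explicit entry."""
    flagged = []
    for user_name, called_number in sessions:
        vr, key = resolve_vr(entries, user_name, called_number)
        if key in ("none", "default", None):
            flagged.append((user_name, vr, key))
    return flagged
```

Running audit over the logins you expect shows which subscribers reach a RADIUS server only through a none or default entry, or through the default virtual router with no entry at all.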
Redirected Authentication
Redirected authentication offloads AAA activity from the router by providing a domain-map-like function remotely on the RADIUS server. Redirected authentication works as follows:
- The router sends an authentication request (in the form of a RADIUS access-request message) to the RADIUS server that is configured in the default VR.
- The RADIUS server determines the user’s AAA VR context and returns this information in a RADIUS response message to the router.
- The router then behaves as if it had received the VR context from the local domain map.
To maintain local control, the only VR allowed to redirect authentication is the default VR. Also, to prevent loopbacks, the redirection may occur only once to a non-default VR.
To maintain flexibility, the redirection response may include idle time or session attributes that are considered as default unless the redirected authentication server overrides them. For example, if the RADIUS server returns the VR context along with an idle timeout attribute with the value set to 20 minutes, the router uses this idle timeout value unless the RADIUS server configured in the VR context returns a different value.
Since the router supports the RADIUS User-Name attribute [1] in the RADIUS response message, the default VR RADIUS server may override the user’s name (this can be a stripped name or an entirely different name). Overriding is useful for the case when the user enters a login name containing a domain name that is significant only to the RADIUS server in the default VR.
IP Hinting
You can allocate an address before authentication of PPP sessions. This address is included in the Access-Request sent to the authentication server as an IP address hint.
aaa domain-map
- Use to map a user domain name to a virtual router or a loopback interface.
- When you specify only the domain name, the command sets the mode to Domain Map Configuration.
- Example:
    host1(config)#aaa domain-map juniper.net vrouter_1
    host1(config)#aaa domain-map none vrouter_all_purpose
    host1(config)#aaa domain-map default vrouter_all_purpose
    host1(config)#aaa domain-map 8005558934 vrouter_78
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#
- Use the no version to delete the map entry.
- See aaa domain-map
auth-router-name
- Use to assign an access virtual router to a domain map.
- AAA domain map support for IPv4 enables you to provide additional virtual router assignment capabilities for IPv4 subscribers. If you assign a value other than default to a layer 2 virtual router, then the access, IPv4, and IPv6 virtual routers are all assigned the same value, which cannot be changed. If you use RADIUS redirect to assign virtual routers, you can assign access, IPv4, and IPv6 to the redirection target.
- Example:
    host1(config)#aaa domain-map xyz.com
    host1(config-domain-map)#auth-router-name accessvr
- Use the no version to restore the default router.
- See auth-router-name
ip-hint
- Use to preallocate an IP address for the remote B-RAS user before authenticating the remote user.
- The address is passed as a hint in the authentication request.
- Example:
    host1(config-domain-map)#ip-hint enable
- Use the no version to disable the feature.
- See ip-hint
ip-router-name
- Use to assign an IPv4 virtual router to a domain map.
- AAA domain map support for IPv4 enables you to provide additional virtual router assignment capabilities for IPv4 subscribers. If you assign a value other than default to a layer 2 virtual router, then the access, IPv4, and IPv6 virtual routers are all assigned the same value, which cannot be changed. If you use RADIUS redirect to assign virtual routers, you can assign access, IPv4, and IPv6 to the redirection target.
- Example:
    host1(config)#aaa domain-map xyz.com
    host1(config-domain-map)#ip-router-name ipv4vr
- Use the no version to restore the default router.
- See ip-router-name
ipv6-local-interface
- Use to map a user domain name to an IP version 6 (IPv6) loopback interface.
- The local interface identifies the interface information to use on the local (E Series) side of the subscriber’s interface.
- Example:
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#ipv6-local-interface 2001:db8::8000
- Use the no version to delete the entry.
- See ipv6-local-interface
ipv6-router-name
- Use to map a user domain name to an IPv6 virtual router in Domain Map Configuration mode.
- Example:
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#ipv6-router-name vroutv6
- Use the no version to delete the entry.
- See ipv6-router-name
local-interface
- Use to map a user domain name to a loopback interface.
- The local interface identifies the interface information to use on the local (E Series) side of the subscriber’s interface.
- Example:
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#local-interface 10.10.5.30
- Use the no version to delete the entry.
- See local-interface
router-name
- Use to map a user domain name to a virtual router.
- Example:
    host1(config)#aaa domain-map westford.com
    host1(config-domain-map)#router-name vrout
- Use the no version to delete the entry.
- See router-name
