Controlling Access to Domain Names
You can control a PPP subscriber’s access to certain domains on given interfaces. As the administrator, you can use the deny command to prevent PPP subscribers from using unauthorized domain names. Using the allow command, you can allow PPP subscribers to use authorized domain names.
In this example, the administrator wants to restrict access of a PPP interface to the specific domain abc.com.
- Create an AAA profile.
  host1(config)#aaa profile restrictToABC
- Specify the domain name you want to allow.
  host1(config-aaa-profile)#allow abc.com
- Specify the domain name you want to restrict. Here the entry is default, the name AAA searches for when the subscriber’s domain matches no other entry in the profile.
  host1(config-aaa-profile)#deny default
- Associate the AAA profile with the designated PPP interface.
  host1(config-if)#ppp aaa-profile restrictToABC
With this configuration, the following is a likely scenario:
- PPP passes the AAA profile restrictToABC to AAA in the authentication request.
- AAA performs the following:
  - Receives the authentication request from PPP with the subscriber’s name will@xyz.com.
  - Parses the domain name xyz.com and examines the specified AAA profile restrictToABC.
  - Determines that the AAA profile restrictToABC is valid.
  - Searches restrictToABC for a match on the PPP subscriber’s domain name and finds no match.
  - Searches restrictToABC for a match on the domain name default.
  - Finds a match and denies the user access.
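The lookup order in the scenario above can be modeled in a few lines to check how a profile treats a given subscriber name before applying it. This is an added example, not JunosE code: the function names, the username ann@abc.com, the exact-string comparison, and the handling of names without a domain are assumptions of the model.

```python
# Added model of the AAA-profile domain check described above (not JunosE code).
# Assumption: matching is an exact string comparison on the text after the last "@".


def parse_profile(lines):
    """Build {domain: action} from 'allow <domain>' / 'deny <domain>' CLI lines."""
    rules = {}
    for line in lines:
        # Drop the CLI prompt (everything up to '#') if the line includes one.
        command = line.split("#", 1)[-1].split()
        if len(command) == 2 and command[0] in ("allow", "deny"):
            rules[command[1]] = command[0]
    return rules


def subscriber_domain(username):
    """Return the domain part of user@domain, or None when there is no domain."""
    _, sep, domain = username.rpartition("@")
    return domain if sep and domain else None


def evaluate(rules, username):
    """Follow the page's order: the subscriber's domain first, then 'default'.

    Returns (action, matched_entry). The action is 'no-match' when neither
    entry exists; the page does not say what the router does in that case.
    Assumption: a name with no domain goes straight to the 'default' lookup.
    """
    domain = subscriber_domain(username)
    if domain is not None and domain in rules:
        return rules[domain], domain
    if "default" in rules:
        return rules["default"], "default"
    return "no-match", None


# The profile lines from the example above.
RESTRICT_TO_ABC = parse_profile([
    "host1(config-aaa-profile)#allow abc.com",
    "host1(config-aaa-profile)#deny default",
])

if __name__ == "__main__":
    # Constructed subscriber names; will@xyz.com is the one used on the page.
    for name in ("will@xyz.com", "ann@abc.com", "bob"):
        print(name, evaluate(RESTRICT_TO_ABC, name))
```

Running the same check against a profile that lacks the deny default entry returns no-match for will@xyz.com, which shows that the allow entry alone does not produce the denial in the scenario.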
Published: 2012-06-27