Chapter 6 Service Connection

SSG AutoDomain

You can configure SSG AutoDomain in basic or extended mode. In basic mode, the AutoDomain profile downloaded from the AAA server is a service profile. This service profile is a proxy or VPDN service. If the AutoDomain service profile is a proxy service, SSG authenticates the user to the appropriate domain AAA server with the authentication information found in the Access-Request received from the RADIUS client. If the downloaded AutoDomain service profile is a tunnel service, a PPP session is regenerated into an L2TP tunnel for the selected service. If the returned SSG-specific attributes do not indicate the type of service required, SSG treats this service as a VPDN service.

In extended AutoDomain mode, the downloaded profile is a “virtual user” profile that contains one autoservice to an authenticated service such as a proxy or VPDN. The host object is not activated until the user is authenticated at the proxy or VPDN service. If the “virtual user” profile does not have exactly one autoservice or the autoservice is not authenticated, the AutoDomain login is rejected.

If you configure basic SSG AutoDomain with a nonauthenticated service type (for example, passthrough), SSG rejects the login request because AutoDomain bypasses user authentication at the local AAA server and requires that authentication be performed elsewhere.

For more information, refer to the SSG AutoDomain, Release 12.2(4)B feature module.

Restrictions for SSG AutoDomain

SSG AutoDomain has the following restrictions:

Restricted DHCP support—DHCP requests for IP address assignment must be done before RADIUS negotiation.

Passthrough services—Because local authentication at the network access server (NAS) is bypassed, AutoDomain is available only for services that perform authentication (for example, proxy or VPDN services).

“Virtual-user” profiles can contain only one AutoLogon service.

If an Access-Request does not contain an IP address, you must configure a local per-domain or global IP address pool.

Configuration of SSG AutoDomain

To enable SSG AutoDomain and enter SSG autodomain configuration mode, use the ssg auto-domaincommand in global configuration mode. To verify the configuration, use the show running-configcommand in privileged EXEC mode.

For more information, refer to the SSG AutoDomain, Release 12.2(4)B feature module.

Configuration Example for SSG AutoDomain

Example 6-1shows a sample configuration for SSG AutoDomain. In the example, AutoDomain is configured for extended-mode, and the called-station-id(APN) is used to select the AutoDomain service. If the service assigns an IP address, then SSG performs Network Address Translation (NAT) on the connection.

The example creates an AutoDomain exclude list by downloading the profile “ssg-auto-domain-exclude-profile” from the AAA server (the download password is “cisco”). The configuration also includes two exclude entries: cisco (exclude APN), and motorola (exclude domain name).

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

6-2

OL-4387-02

 

 

Page 39 Page 41
Page 40
Image 40
Cisco Systems OL-4387-02 manual Restrictions for SSG AutoDomain, Configuration of SSG AutoDomain
Page 39 Page 41
Top Page Image Contents