Cisco Cisco ASR 5500 Administrator's Guide
AAA Interface Configuration
Configuring the Destination Context Attribute ▀
Cisco ASR 5x00 AAA Interface Administration and Reference ▄
37
Configuring the Destination Context Attribute
Once a user has been authenticated, a AAA attribute is returned in the access-accept message that contains the name of
the destination context where the subscriber will egress from. For RADIUS-based subscribers, this is the SN-VPN-
NAME attribute, or SN1-VPN-NAME attribute in some RADIUS dictionaries.
the destination context where the subscriber will egress from. For RADIUS-based subscribers, this is the SN-VPN-
NAME attribute, or SN1-VPN-NAME attribute in some RADIUS dictionaries.
Note that when performing RADIUS authentication and authorization, RADIUS attributes returned by the RADIUS
server always take precedence over the default subscriber configuration.
server always take precedence over the default subscriber configuration.
Important:
Note that when RADIUS servers are not configured in the selected AAA group, the servers in the
default group will be considered for destination context selection. If there are no servers in the default group, then the
call will be dropped.
call will be dropped.
The system supports configuring subscriber profiles locally within a context though subscriber templates or on a
RADIUS server. Subscribers configured on the system are configured within the contexts they were created. In the
Understanding the System Operation and Configuration chapter of the System Administration Guide, the role of
subscriber default, which is automatically configured for each context, and realm-based subscriber templates, which
serves as a default subscriber template for users whose domain portion of their user name matches a domain alias within
a context, was discussed. The role of these special subscriber templates is to provide a set of default attributes that may
be used to populate any missing values for an authenticated RADIUS-based subscriber. The parameter that would
contain this attribute value is called the IP context-name.
RADIUS server. Subscribers configured on the system are configured within the contexts they were created. In the
Understanding the System Operation and Configuration chapter of the System Administration Guide, the role of
subscriber default, which is automatically configured for each context, and realm-based subscriber templates, which
serves as a default subscriber template for users whose domain portion of their user name matches a domain alias within
a context, was discussed. The role of these special subscriber templates is to provide a set of default attributes that may
be used to populate any missing values for an authenticated RADIUS-based subscriber. The parameter that would
contain this attribute value is called the IP context-name.
Further, it was explained that these attributes must be configured manually for both the subscriber default and any
realm-based subscriber template created.
realm-based subscriber template created.
One of the rules that must be configured is a parameter that allows subscriber data traffic to be routed between source
and destination contexts. Use the following example configuration to configure that rule.
and destination contexts. Use the following example configuration to configure that rule.
Important:
Commands used in the configuration example in this section provide base functionality to the extent
that the most common or likely commands and/or keyword options are presented. In many cases, other optional
commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete
information regarding all commands.
commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete
information regarding all commands.
configure
context <context_name>
subscriber name default
ip context-name <destination_context_name>
end
Notes:
<context_name>
must be the name of the system source context designated for Default subscriber
configuration.
<destination_context_name>
must be the name of the destination context configured on the system
containing the interfaces through which session traffic is routed.