FAQ: How does the MA5200G set a different CAR for users accessing from different VLANs in the same domain?

Publication Date: 2012-07-27
Issue Description
An MA5200G running VRP3.30-2211 is deployed at a site. The customer requires a different CAR for users of different VLANs in the same domain.

Alarm Information
No 

Handling Process
Map the different VLANs in the same domain to different force domains, and configure the corresponding CAR parameters under each force domain. When accessing the network, a user enters the user name and password; the user name reported to RADIUS stays unchanged, so the user passes authentication. The user's bandwidth is then determined by the CAR parameters configured under the force domain of the relevant interface. The customer is satisfied with this solution.

Root Cause
If the MA5200G needs to apply CAR to attached users, RADIUS can deliver the relevant attributes. However, the RADIUS server at this site does not support delivering the CAR attributes, so the function has to be implemented on the MA5200G alone. The MA5200G software supports neither multiple CARs for users in the same domain nor CAR per VLAN. As a consequence, only the force domain can provide this function.

I. Generally, the user enters a domain, like username@domainname, and a password

1. Configure the force domain tag in interface mode

The user name sent to RADIUS (username@domainname) stays unchanged, but the authentication policy used is that of the authentication domain configured for the interface. The users who access belong to the force authentication domain and can be checked with the display access-user command. If it is configured, they are processed according to the roaming tag, and the user name stays unchanged.

2. Turn on the roaming-domain switch (enabled by default) in interface mode

The roaming character of the user name (default “”) is parsed, and the domain name before the roaming character is extracted for authentication.

The user name sent to RADIUS stays unchanged, like username@domainname: roamdomain. In the other case, where the domain name entered by the user does not exist, the user is authenticated in the authentication domain configured for the interface, and the user name sent to RADIUS is still unchanged. If the roaming switch is off, roaming characters are not detected and the relevant domain is not found, so the user fails to access the network.

3. Turn off the roaming switch in interface mode, with no force domain configured

In this case, if the corresponding domain name is not found, the user goes offline and a CUT packet is sent to the CM.

Summary: if the user has entered a domain name, force takes priority over roaming, although the user name stays unchanged.

II. The user does not enter a domain name (the default authentication domain under the interface is default1, and the default pre-authentication domain is default0)

1. Neither roaming nor force

The user is authenticated according to the policies of the default authentication domain configured for the interface (default-domain authentication <authendomain>); in addition, the domain name is appended to the user name before it is sent to RADIUS, like username@authendomain.

2. Force

Similar to Step 1.

3. Roaming

By default, the default authentication domain under the interface is identical to the roaming domain (default1).

Summary: when the user enters no domain name, default1 is appended by default before the name is sent to RADIUS; but if the interface is configured with an authentication domain, that domain name is used for analysis and is reported to RADIUS.
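The domain-selection rules in sections I and II, as an added Python model for illustration; this is not MA5200G code and not from the original FAQ. The domain names, VLAN ids and CAR values are constructed, the roaming separator is assumed to be "@", the roaming-off case follows step I.3 (offline only when the entered domain is unknown), and the forced case without a typed domain is assumed to append the force domain to the name reported to RADIUS.

```python
"""Model of MA5200G domain selection (force / roaming / default) for the FAQ.

Added illustration, not MA5200G code. Domain names, VLAN ids and CAR values
are constructed; the roaming separator is assumed to be '@'.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed domain table: each force domain carries its own CAR (kbit/s).
DOMAINS = {"isp": {"car_kbps": None},        # domain the users actually type
           "force_v100": {"car_kbps": 2048},  # force domain for VLAN 100
           "force_v200": {"car_kbps": 8192},  # force domain for VLAN 200
           "default1": {"car_kbps": None}}    # default authentication domain

@dataclass
class InterfaceCfg:
    force_domain: Optional[str] = None   # force domain tag on the interface
    roaming: bool = True                 # roaming switch, on by default
    default_auth_domain: str = "default1"

# Constructed per-VLAN interface configuration (one sub-interface per VLAN)
INTERFACES = {100: InterfaceCfg(force_domain="force_v100"),
              200: InterfaceCfg(force_domain="force_v200"),
              300: InterfaceCfg(),                   # roaming only
              400: InterfaceCfg(roaming=False)}      # no roaming, no force

def resolve_access(username: str, vlan: int, roam_char: str = "@") -> dict:
    """Return the authentication domain, the name reported to RADIUS and the CAR."""
    cfg = INTERFACES[vlan]
    if roam_char in username:                        # case I: user typed a domain
        _, entered = username.split(roam_char, 1)
        if cfg.force_domain:                         # force takes priority over roaming
            auth = cfg.force_domain
        elif cfg.roaming:                            # roaming on: look the domain up
            auth = entered if entered in DOMAINS else cfg.default_auth_domain
        elif entered in DOMAINS:                     # roaming off, domain exists
            auth = entered
        else:                                        # roaming off, unknown domain: offline
            return {"status": "offline (CUT sent)", "auth_domain": None,
                    "radius_username": username, "car_kbps": None}
        radius_name = username                       # name reported to RADIUS is unchanged
    else:                                            # case II: no domain typed
        auth = cfg.force_domain or cfg.default_auth_domain
        radius_name = f"{username}{roam_char}{auth}"  # domain is appended (assumption for force)
    return {"status": "online", "auth_domain": auth,
            "radius_username": radius_name, "car_kbps": DOMAINS[auth]["car_kbps"]}
```

Two users typing the same alice@isp on VLAN 100 and VLAN 200 are reported to RADIUS identically but land in different force domains and so receive different CAR values.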
