6-2
Cisco 10000 Series Router Service Selection Gateway Configuration Guide
OL-4387-02
Chapter 6 Service Connection
SSG AutoDomain
You can configure SSG AutoDomain in basic or extended mode. In basic mode, the AutoDomain profile
downloaded from the AAA server is a service profile. This service profile is a proxy or VPDN service.
If the AutoDomain service profile is a proxy service, SSG authenticates the user to the appropriate
domain AAA server with the authentication information found in the Access-Request received from the
RADIUS client. If the downloaded AutoDomain service profile is a tunnel service, a PPP session is
regenerated into an L2TP tunnel for the selected service. If the returned SSG-specific attributes do not
indicate the type of service required, SSG treats this service as a VPDN service.
In extended AutoDomain mode, the downloaded profile is a “virtual user” profile that contains one
autoservice to an authenticated service such as a proxy or VPDN. The host object is not activated until
the user is authenticated at the proxy or VPDN service. If the “virtual user” profile does not have exactly
one autoservice or the autoservice is not authenticated, the AutoDomain login is rejected.
If you configure basic SSG AutoDomain with a nonauthenticated service type (for example,
passthrough), SSG rejects the login request because AutoDomain bypasses user authentication at the
local AAA server and requires that authentication be performed elsewhere.
For more information, refer to the SSG AutoDomain, Release 12.2(4)B feature module.
Restrictions for SSG AutoDomain
SSG AutoDomain has the following restrictions:
Restricted DHCP support—DHCP requests for IP address assignment must be done before RADIUS
negotiation.
Passthrough services—Because local authentication at the network access server (NAS) is bypassed,
AutoDomain is available only for services that perform authentication (for example, proxy or
VPDN services).
“Virtual-user” profiles can contain only one AutoLogon service.
If an Access-Request does not contain an IP address, you must configure a local per-domain or
global IP address pool.
Configuration of SSG AutoDomain
To enable SSG AutoDomain and enter SSG autodomain configuration mode, use the ssg auto-domain
command in global configuration mode. To verify the configuration, use the show running-config
command in privileged EXEC mode.
For more information, refer to the SSG AutoDomain, Release 12.2(4)B feature module.
Configuration Example for SSG AutoDomain
Example 6-1 shows a sample configuration for SSG AutoDomain. In the example, AutoDomain is
configured for extended mode, and the Called-Station-Id (APN) is used to select the AutoDomain service.
If the service assigns an IP address, then SSG performs Network Address Translation (NAT) on the
connection.
The example creates an AutoDomain exclude list by downloading the profile
“ssg-auto-domain-exclude-profile” from the AAA server (the download password is “cisco”). The
configuration also includes two locally configured exclude entries: cisco (an excluded APN) and motorola (an excluded domain name).
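The following is an added illustration of what a configuration matching that description looks like in IOS; it is not the guide's own Example 6-1, and the autodomain submode keywords used here (mode extended, select called-station-id, nat user-address, download exclude-profile, exclude apn, exclude domain) are assumed from the SSG AutoDomain feature module rather than taken from this page.

```text
! Added example, not Example 6-1 from the guide; submode keywords are assumed.
! Enter SSG autodomain configuration mode from global configuration mode.
ssg auto-domain
 ! Extended mode: the downloaded profile is a "virtual user" profile that must
 ! carry exactly one autoservice to an authenticating (proxy or VPDN) service.
 mode extended
 ! Select the AutoDomain service from the Called-Station-Id (APN) attribute
 ! instead of the domain portion of the username.
 select called-station-id
 ! Perform NAT on the connection when the selected service assigns the address.
 nat user-address
 ! Build the exclude list from a profile downloaded from the AAA server;
 ! "cisco" is the download password used by the guide's description.
 download exclude-profile ssg-auto-domain-exclude-profile cisco
 ! Local exclude entries: one APN and one domain name are never AutoDomain'd.
 exclude apn cisco
 exclude domain motorola
!
! Verify from privileged EXEC mode (show running-config, as the guide states):
! show running-config | begin ssg auto-domain
```

Two points worth checking after applying such a configuration: every service the exclude list does not cover must be an authenticating one (proxy or VPDN), since AutoDomain bypasses authentication at the local AAA server and a passthrough service causes the login to be rejected; and the download password is a shared secret with the AAA server, so the literal “cisco” from the guide's description is only a documentation value.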