Mailing List Archive

Problem with L2TP !!
Dear friends!

I am trying to establish an L2TP tunnel between a LAC (which is also acting
as BRAS) and an LNS (which is also acting as BRAS).

User ---------[Cisco 3640 LAC]----- IP Cloud-------[Cisco 3845 LNS]

The problem I am facing is that the scenario works fine as long as I am
using a user account created locally on the LNS. However, as soon as I enable
the RADIUS parameters, the LAC stops establishing the tunnel with the LNS and
connects the user on the LAC as a PPPoE user. After investigation I have found
that if I remove the following line from the configuration, the L2TP tunnels
work perfectly fine:

aaa authorization network default group radius

Can someone tell me why it's happening? Since I am using @domain in user IDs
for L2TP users, the LAC should not even refer to RADIUS. And I need this aaa
authorization parameter since both my LAC and LNS also have PPPoE users
terminated on them.

Following is my LAC and LNS configuration after including my RADIUS
parameters; the same configuration works fine without the RADIUS parameters.

LAC Configuration

aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting update periodic 15
aaa accounting network default start-stop group radius
aaa nas port extended
aaa session-id common
!
ip cef
vpdn enable
vpdn multihop
!
vpdn-group 1
 request-dialin
  protocol l2tp
  multihop hostname DSL-LNS
  domain cybernet
 initiate-to ip 1.1.1.1
 source-ip 2.2.2.2
 local name DSL-LAC
 no l2tp tunnel authentication
!
bba-group pppoe global
 virtual-template 1
!
interface Serial2/1
 description *** Connected to LNS ***
 ip address 2.2.2.2 255.255.255.252
 encapsulation ppp

interface ATM3/0.2 multipoint
 pvc vpdn 0/36
  encapsulation aal5snap
  protocol pppoe group global

interface Virtual-Template1
 ip unnumbered Serial2/1
 peer default ip address pool home-dsl
 ppp authentication pap

LNS Configuration

aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting update periodic 15
aaa session-id common
!
vpdn enable
vpdn multihop
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname DSL-LAC
 local name DSL-LNS
 lcp renegotiation on-mismatch
 no l2tp tunnel authentication
!
interface GigabitEthernet0/1.7
 description *** LAC Management ***
 encapsulation dot1Q 7
 ip address 1.1.1.1 255.255.255.252
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1.7
 peer default ip address pool PPPoE
 ppp authentication pap