Mailing List Archive

Multiple vpdn-groups, l2tp and radius...
Hello there,


I am in the process of installing an LNS for ADSL L2TP tunnel termination.

I am looking for a way to have the right Virtual Template
provided by a Radius, with a default Virtual Template when a virtual
template is not provided by the Radius.

Here is the Radius entry for a user that should use a vpdn-group, but it
seems I have missed something.... ?

Also in this configuration, I need some Virtual Templates that are
inherited to be exported using ISIS.... Doesn't seem to work
anymore... :/

radtest Test2 Test2 127.0.0.1 0 <verysecret>
Sending Access-Request of id 107 to 127.0.0.1:1812
User-Name = "Test2"
User-Password = "Test2"
NAS-IP-Address = radius1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=107,
length=161
Framed-IP-Address = aaa.bbb.fa0.3
Cisco-AVPair = "vpdn:vpdn-group=vcollecte"
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-MTU = 1492
Framed-Routing = None
Framed-IP-Netmask = 255.255.255.255
Idle-Timeout = 3600
Ascend-Client-Primary-DNS = 1.2.3.10
Ascend-Client-Secondary-DNS = 1.2.2.11
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IP
Class = 0x123456789
Tunnel-Server-Endpoint:0 = "aaa.bbb.lo0.1"

Here is the configuration of the 7206 with NPE 400:


!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname lns-1
!
boot-start-marker
boot system flash disk0:c7200-js-mz.123-17a.bin
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
no logging console
!
aaa new-model
!
!
aaa group server radius ADSL
 server aaa.bbb.ccc.5 auth-port 1812 acct-port 1813
 server aaa.bbb.ccc.6 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp ADSL group ADSL
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network ADSL group ADSL
aaa accounting delay-start
aaa accounting network ADSL start-stop group ADSL
aaa session-id common
ip subnet-zero
no ip source-route
ip flow-cache timeout active 1
!
!
ip telnet source-interface GigabitEthernet1/0.850
ip domain name test.org
ip name-server 1.2.3.10
ip name-server 1.2.3.11
!
no ip bootp server
!
ip cef
virtual-profile if-needed
vpdn enable
vpdn source-ip aaa.bbb.lo0.1
vpdn logging
vpdn logging local
vpdn logging remote
vpdn logging user
vpdn logging tunnel-drop
vpdn search-order domain
vpdn domain-delimiter @ suffix
!
vpdn-group collecte
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip aaa.bbb.lo0.1
 local name tunnel-l
 lcp renegotiation always
 no l2tp tunnel authentication
!
vpdn-group vcollecte
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip aaa.bbb.fa0.1
 local name tunnel-l2
 lcp renegotiation always
 no l2tp tunnel authentication
!
clns routing
!
!
interface Loopback0
 description Loopback
 ip address aaa.bbb.lo0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address aaa.bbb.fa0.1 255.255.255.0
 duplex full
!
interface GigabitEthernet1/0
 description NetIron Eth50
 no ip address
 ip route-cache flow
 negotiation auto
!
interface GigabitEthernet1/0.850
 description COLLECTE_ADSL
 encapsulation dot1Q 850
 ip address aaa.aaa.cc1.14 255.255.255.248
 ip router isis
 no snmp trap link-status
 tag-switching ip
 clns router isis
!
interface GigabitEthernet4/0
 description To LACs
 ip address a.b.x.6 255.255.255.252
 no negotiation auto
!
interface Virtual-Template1
 description Virtual-Templace ARRIVEE DSL GENERAL PHASE 1
 ip unnumbered Loopback0
 ip mtu 1492
 ip route-cache flow
 ip tcp adjust-mss 1420
 peer default ip address pool l2tp
 ppp authentication chap pap callin ADSL
 ppp authorization ADSL
 ppp accounting ADSL
!
interface Virtual-Template2
 description Virtual Template avec encapsulation dans un VLAN
 ip unnumbered FastEthernet0/0
 ip mtu 1492
 ip route-cache flow
 ip tcp adjust-mss 1420
 no peer default ip address
 ppp authentication chap pap callin ADSL
 ppp authorization ADSL
 ppp accounting ADSL
!
router isis
 net 49.xxxx.xxxx.xxxx.xxxx.xx
 ip fast-convergence
 log-adjacency-changes
 redistribute connected route-map ADSL-Foo level-1-2
 redistribute static ip route-map ADSL-Foo
 redistribute bgp 1234 level-1-2
!
router bgp 1234
 ! :)
!
ip local pool l2tp 1.2.2.0 1.2.3.255
ip classless
ip route aaa.bbb.lo0.1 255.255.255.255 Loopback0
!
!
!
ip prefix-list L_in seq 5 deny 0.0.0.0/0
ip prefix-list L_in seq 10 deny 0.0.0.0/8 le 32
ip prefix-list L_in seq 15 deny 10.0.0.0/8 le 32
ip prefix-list L_in seq 20 deny 127.0.0.0/8 le 32
ip prefix-list L_in seq 25 deny 169.254.0.0/16 le 32
ip prefix-list L_in seq 30 deny 172.16.0.0/12 le 32
ip prefix-list L_in seq 35 deny 192.0.2.0/24 le 32
ip prefix-list L_in seq 40 deny 192.168.0.0/16 le 32
ip prefix-list L_in seq 45 deny 221.10.0.0/19 le 32
ip prefix-list L_in seq 50 deny 224.0.0.0/3 le 32
ip prefix-list L_in seq 55 permit 0.0.0.0/0 le 32
!
ip prefix-list L_out seq 5 permit aaa.aaa.aaa.1/32
ip prefix-list L_out seq 20 permit aaa.aaa.aaa.0/29
ip prefix-list L_out seq 50 deny 0.0.0.0/0 le 32
!
logging trap debugging
logging source-interface GigabitEthernet1/0.850
logging aaa.bbb.ccc.4
access-list 20 permit aa.0.0.0 0.255.255.255
access-list 20 deny any log
access-list 97 remark ACL de management SNMP pour les radius
access-list 97 permit aaa.bbb.ccc.5
access-list 97 permit aaa.bbb.ccc.6
access-list 97 deny any
access-list 99 remark ACL de management SNMP
access-list 99 permit aaa.bbb.ccc.4
access-list 99 deny any
!
route-map ADSL-Foo deny 10
 match interface FastEthernet0/0
!
route-map ADSL-Foo permit 20
 match interface Virtual-Template1 Loopback0
!
snmp-server community .... RO 99
snmp-server community .... RO 97
snmp ifmib ifalias long
!
!
radius-server dead-criteria time 5 tries 4
radius-server host aaa.bbb.ccc.5 auth-port 1812 acct-port 1813 key 7 ....
radius-server host aaa.bbb.ccc.6 auth-port 1812 acct-port 1813 key 7 ....
radius-server deadtime 1
!
!
dial-peer cor custom
!
!
!
gateway
!
!
gatekeeper
 shutdown
!

Thanks !

/Xavier
_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
RE: Multiple vpdn-groups, l2tp and radius...
Xavier,

You cannot assign the local vpdn-group/virtual-template at user
authentication time; this can only be done when the L2TP session comes
in. The selection is purely based on the tunnel's name (terminate-from
hostname <name> within the vpdn-group). Since you use default
vpdn-groups (no "terminate-from" in the vpdn-group config), all your
sessions will terminate within the group "collecte"; the 2nd group is
not used at all.
The destination IP address is not used to select vpdn-groups.

To change this, the LAC (not the LNS) needs to use a different tunnel
name than its hostname, for instance "Tunnel-Client-Auth-ID =
vcollecte", and you configure

vpdn-group vcollecte
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip aaa.bbb.fa0.1
 terminate-from hostname vcollecte
 local name tunnel-l2
 lcp renegotiation always
 no l2tp tunnel authentication

I think you need to enable l2tp tunnel authentication, not 100% sure..

Regarding the address redistribution (even though I think it is always a
bad idea to redistribute PPP users' /32s into your IGP directly, please
try to summarize): you need to match against ACLs in your route-map.
You cannot match against interfaces, as the users are terminated on
virtual-access interfaces which you cannot use in "match interface".

oli

Xavier Beaudouin <> wrote on Wednesday, February 15, 2006 6:28 PM:

> Hello there,
>
>
> I am in the process to install an LNS for ADSL L2TP tunnel ending.
>
> I am looking forward a way to provide the right Virtual Template
> provided by a Radius, with a default Virtual Template when a virtual
> template is not provided by the Radius.
>
> Here is Radius entry for user that should use a vpdn-group, but it
> seems I have missed something.... ?
>
> Also in this configuration, I need that some Virtual Template that is
> inherited be exported using ISIS.... Doesn't seesm to works
> anymore... :/
>
> radtest Test2 Test2 127.0.0.1 0 <verysecret>
> Sending Access-Request of id 107 to 127.0.0.1:1812
> User-Name = "Test2"
> User-Password = "Test2"
> NAS-IP-Address = radius1
> NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=107,
> length=161
> Framed-IP-Address = aaa.bbb.fa0.3
> Cisco-AVPair = "vpdn:vpdn-group=vcollecte"
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Framed-MTU = 1492
> Framed-Routing = None
> Framed-IP-Netmask = 255.255.255.255
> Idle-Timeout = 3600
> Ascend-Client-Primary-DNS = 1.2.3.10
> Ascend-Client-Secondary-DNS = 1.2.2.11
> Tunnel-Type:0 = L2TP
> Tunnel-Medium-Type:0 = IP
> Class = 0x123456789
> Tunnel-Server-Endpoint:0 = "aaa.bbb.lo0.1"
>
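The selection rule oli describes above (vpdn-group chosen by the LAC's tunnel hostname via "terminate-from", a group without it acting as the catch-all default, destination IP and per-user RADIUS attributes ignored) can be modelled in a few lines. The following is an added example written for this archive page; it is not code from the thread and not how Cisco IOS is implemented. The class and function names (VpdnGroup, IncomingTunnel, select_vpdn_group, audit_groups), the precedence rule "explicit terminate-from match first, then the first default group", and the two sample group lists are all the example's own assumptions, built to mirror Xavier's posted config and oli's suggested change.

```python
"""Model of L2TP vpdn-group selection on an LNS as described in oli's reply.
Added example for this page; not code from the thread or from Cisco IOS."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VpdnGroup:
    name: str
    virtual_template: int
    source_ip: str
    terminate_from: Optional[str] = None  # "terminate-from hostname <name>", None = default group
    tunnel_auth: bool = False             # False models "no l2tp tunnel authentication"


@dataclass(frozen=True)
class IncomingTunnel:
    lac_hostname: str  # tunnel name the LAC presents (Tunnel-Client-Auth-ID on the LAC side)
    dest_ip: str       # LNS address the LAC connected to; deliberately unused below


def select_vpdn_group(groups: List[VpdnGroup], tunnel: IncomingTunnel) -> Optional[VpdnGroup]:
    """Return the vpdn-group an incoming L2TP tunnel terminates in (assumed precedence rule)."""
    # 1. a group whose terminate-from hostname equals the presented tunnel name wins
    for g in groups:
        if g.terminate_from is not None and g.terminate_from == tunnel.lac_hostname:
            return g
    # 2. otherwise the first default group (no terminate-from); dest_ip plays no role
    for g in groups:
        if g.terminate_from is None:
            return g
    return None  # no group accepts this tunnel


def session_virtual_template(groups: List[VpdnGroup], tunnel: IncomingTunnel) -> Optional[int]:
    """Virtual-Template number a session on this tunnel will be cloned from."""
    g = select_vpdn_group(groups, tunnel)
    return g.virtual_template if g is not None else None


def audit_groups(groups: List[VpdnGroup]) -> List[str]:
    """Defender-side checks: unused duplicate defaults, and hostname-based
    selection that is not backed by L2TP tunnel authentication."""
    findings: List[str] = []
    for g in groups:
        if g.terminate_from is not None and not g.tunnel_auth:
            findings.append(
                f"{g.name}: selected by hostname {g.terminate_from!r} but "
                "l2tp tunnel authentication is off, so the name is unverified"
            )
    defaults = [g.name for g in groups if g.terminate_from is None]
    if len(defaults) > 1:
        findings.append("only the first default group is ever used: " + ", ".join(defaults))
    return findings


# Constructed sample data mirroring the two configurations in the thread.
XAVIER_GROUPS = [  # as posted: neither group carries terminate-from
    VpdnGroup("collecte", 1, "aaa.bbb.lo0.1"),
    VpdnGroup("vcollecte", 2, "aaa.bbb.fa0.1"),
]
OLI_GROUPS = [     # oli's change: vcollecte is selected by the LAC's tunnel name
    VpdnGroup("collecte", 1, "aaa.bbb.lo0.1"),
    VpdnGroup("vcollecte", 2, "aaa.bbb.fa0.1", terminate_from="vcollecte"),
]

if __name__ == "__main__":
    # a LAC sending to the FastEthernet0/0 address still lands in "collecte" as posted
    t = IncomingTunnel("lac-1", "aaa.bbb.fa0.1")
    print("as posted  ->", select_vpdn_group(XAVIER_GROUPS, t).name)
    print("oli, lac-1 ->", select_vpdn_group(OLI_GROUPS, t).name)
    print("oli, vcollecte ->", select_vpdn_group(OLI_GROUPS, IncomingTunnel("vcollecte", "aaa.bbb.fa0.1")).name)
    for line in audit_groups(XAVIER_GROUPS) + audit_groups(OLI_GROUPS):
        print("audit:", line)
```

Running it shows the two points of the reply side by side: with the posted groups every tunnel, whatever address it was sent to, resolves to "collecte" and Virtual-Template1; with terminate-from on vcollecte only a LAC presenting the tunnel name "vcollecte" reaches Virtual-Template2. The audit output also makes oli's "not 100% sure" remark concrete: once group selection depends on the presented hostname, that hostname is worth verifying with tunnel authentication rather than leaving it disabled.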
