Mailing List Archive

Re: AAA & VPDN (Tunnel-Client-Endpoint)
On Thu, May 03, 2007 at 05:12:32PM +0900, Denis V. Schapov wrote:
> Hi.
>
> Is it possible to get radius attribute 66, Tunnel-Client-Endpoint or its value on another
> attribute for incoming VPDN (L2TP, PPTP) connections to LNS in Radius authentication
> requests for ppp/network authentication/authorization?
> Currently this attribute is present only in accounting start/stop/alive.
> LNS is running 12.2(31)SB3x
> Tunnel authentication is disabled.

Hmm. Worrying when you google for the answer to this and all
you find is something else asking it.

Anyone in cisco-bba know?
Trying to get Tunnel-Client-Endpoint (attribute 66) information (even if
actually in another attribute) in the RADIUS Access-Request so that it can
be used in the decision making process. By the time it arrives in
the Start Accounting it's too late.

vpdn questions seem to be pretty randomly distributed between
cisco-bba, cisco-nas and cisco-nsp, but I thought I'd take a punt in here.

--
Euan Galloway
_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
Re: AAA & VPDN (Tunnel-Client-Endpoint)
Euan Galloway wrote on Wednesday, August 15, 2007 11:26 PM:

> On Thu, May 03, 2007 at 05:12:32PM +0900, Denis V. Schapov wrote:
>> Hi.
>>
>> Is it possible to get radius attribute 66, Tunnel-Client-Endpoint or
>> its value on another attribute for incoming VPDN (L2TP, PPTP)
>> connections to LNS in Radius authentication requests for ppp/network
>> authentication/authorization?
>> Currently this attribute is present only in accounting
>> start/stop/alive.
>> LNS is running 12.2(31)SB3x
>> Tunnel authentication is disabled.
>
> Hmm. Worrying when you google for the answer to this and all
> you find is something else asking it.
>
> Anyone in cisco-bba know?
> Trying to get Tunnel-Client-Endpoint (attribute 66) information (even
> if actually in another attribute) in the RADIUS Access-Request so
> that it can be used in the decision making process. By the time it
> arrives in
> the Start Accounting it's too late.
>
> vpdn questions seem to be pretty randomly distributed between
> cisco-bba, cisco-nas and cisco-nsp, but I thought I'd take a punt in
> here.

there could be more elegant ways of doing this with ISG, but in "legacy"
vpdn code, you can address this using "vpdn aaa attribute nas-ip-address
vpdn-nas" on the LNS. this changes the NAS-IP-Address to the LAC's
address, which could help you. It's not a perfect solution, though..

oli
Re: AAA & VPDN (Tunnel-Client-Endpoint)
On Thu, Aug 16, 2007 at 06:05:28AM +0200, Oliver Boehmer (oboehmer) wrote:

> there could be more elegant ways of doing this with ISG, but in "legacy"

Possibly, I've not looked at the ISG stuff.
Saw a couple of posts about bad performance, but haven't looked purely
because have not needed the features.

> vpdn code, you can address this using "vpdn aaa attribute nas-ip-address
> vpdn-nas" on the LNS. this changes the NAS-IP-Address to the LAC's
> address, which could help you. It's not a perfect solution, though..

Works perfectly in the lab, thanks for that.
Whether or not it works with BT, who can say...

A cleaner solution would be being able to set any of the optional
attributes separately for each radius packet type, but I've got what
I want (thankfully/luckily not using the previous contents of NAS-IP-Address
for anything, or at least nothing that can't be worked around) :-)

--
Euan Galloway
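Added example, not part of the thread or of any Cisco or RADIUS server code: a sketch of the Access-Request-time decision discussed above, for a RADIUS-side policy that reads NAS-IP-Address (attribute 4) once "vpdn aaa attribute nas-ip-address vpdn-nas" makes it carry the LAC's address. The policy table, addresses, realms and function names are constructed assumptions, and only the policy step is shown.

```python
import ipaddress
import struct

ACCESS_REQUEST, USER_NAME, NAS_IP_ADDRESS = 1, 1, 4  # RFC 2865 code / attribute types

# Constructed policy: LAC address (seen as NAS-IP-Address) -> realms allowed via that LAC.
LAC_POLICY = {
    ipaddress.IPv4Address("192.0.2.10"): {"example.net"},
    ipaddress.IPv4Address("192.0.2.20"): {"example.org"},
}

def parse(packet: bytes):
    """Return (code, {attr_type: [value, ...]}) after validating all length fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def lac_policy_check(packet: bytes) -> str:
    """Policy step only; password and authenticator checks belong to the real server."""
    code, attrs = parse(packet)
    if code != ACCESS_REQUEST:
        return "ignore"
    nas, user = attrs.get(NAS_IP_ADDRESS), attrs.get(USER_NAME)
    if not nas or len(nas[0]) != 4 or not user:
        return "reject"  # no usable LAC address or user name: fail closed
    lac = ipaddress.IPv4Address(nas[0])
    realm = user[0].decode("utf-8", "replace").rpartition("@")[2].lower()
    return "accept" if realm in LAC_POLICY.get(lac, set()) else "reject"

def build_request(user: str, nas_ip: str = None) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) as sample input."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    body = attr(USER_NAME, user.encode())
    if nas_ip:
        body += attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body
```

As noted in the thread, NAS-IP-Address no longer identifies the LNS itself once it is overridden this way, so any existing rule keyed on the old value needs to be reviewed.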