[c-nsp] Re: VPDN & RADIUS Problems/configurations

M.Palis security at cytanet.com.cy
Fri Nov 26 04:52:09 EST 2004


Hi Oli,
Everything works fine with the Tunnel-Client-Auth-Id = :1:vpntest
attribute.

The only thing that remains is that I have to globally assign the name of
the user that returns the tunnel attributes using the ip host command as
below.

ip host vpn 192.168.1.1

From the debugs I found out that when the LAC radius returns the tunnel
attributes to the LAC, the LAC forwards the attributes to the LNS in order to
establish the tunnel, but the LNS tries to resolve the host name (in my case
VPN). In case it does not resolve it, it drops the tunnel. If I configure it
statically on the LNS then everything works fine. I searched Cisco but I did
not find any documentation to overcome this problem. I disabled
domain-lookup on the router without any success. The problem now is that for
every customer VPN I have to statically configure the names on the LNS, which
is not what we want. We are thinking of creating DNS entries on our DNS, but I
believe there must be a way to do it on the LNS.

vpn     Password="cisco", Service-Type = Outbound-User
        Tunnel-Type = :1:L2TP,
        Tunnel-Medium-Type = :1:IP,
        Tunnel-Server-Endpoint = :1:1192.168.1.1,
        Tunnel-Assignment-ID = :1:vpntest,
        Tunnel-Password = :1:test

Thanks again for your support

----- Original Message ----- 
From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
To: "M.Palis" <security at cytanet.com.cy>; <cisco-nsp at puck.nether.net>
Sent: Thursday, November 25, 2004 11:18 AM
Subject: RE: VPDN & RADIUS Problems/configurations



> Thank you all for your suggestions.
> I do face another problem now concerning VPDNs. We have a couple of
> Access-Servers (AS5300 and AS5350). We want to enable VPDN on them
> but not any tunnel parameters. Tunnel parameters will be sent to the
> ASs via a radius
>
> I configure my radius server with the following tunnel parameters.
>
> vpn     Password="cisco", Service-Type = Outbound-User
>         Tunnel-Type = :1:L2TP,
>         Tunnel-Medium-Type = :1:IP,
>         Tunnel-Server-Endpoint = :1:1192.168.1.1,
>         Tunnel-Assignment-ID = :1:vpntest,
>         Tunnel-Password = :1:test
>
> What happens now is that in order for the tunnel to be established the
> LNS requires that we change the host name of the LAC to vpntest because
> it seems that the LAC does not send the tunnel ID as the one it
> receives via radius (vpntest). In case we change the LAC host name to
> vpntest, the tunnel is established.

Please use

Tunnel-Server-Auth-Id = :1:vpntest

tunnel-assignment-id is something different, see
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00800b5db1.html

oli


