[c-nsp] assigning pptp users to specific vpdn groups (or virtual-templates)

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Sun Aug 5 04:11:50 EDT 2007


Roy Blamski wrote on Friday, August 03, 2007 8:53 PM:

> I'm currently using the following setup on a 2851 (12.4) for incoming
> pptp connections:
> 
> vpdn-group pptp-dialin
> ! Default PPTP VPDN group
>  description PPTP dialin users
>  accept-dialin
>   protocol pptp
>   virtual-template 1
> 
> interface Virtual-Template1
>  ip unnumbered GigabitEthernet0/0
>  ip nat inside
>  ip virtual-reassembly
>  peer default ip address pool pptp-pool
>  ppp encrypt mppe auto
>  ppp authentication ms-chap-v2 ms-chap
> 
> Auth is done via a RADIUS server.  I can assign users to specific
> address pools via:
> 
> Cisco-AVPair := "ip:addr-pool=pptp-pool"
> 
> but is there a way to assign them to different virtual templates?  I
> had thought that this would do the trick:
> Cisco-AVPair := "vpdn:vpdn-vtemplate=10"
> 
> but it doesn't seem to work (I did have a virtual-template10).  Is
> what I want to do possible?

Currently, the only option is to split this up into different
vpdn-groups by using the "terminate-from hostname <name>" command within
the vpdn-group and have the LAC assign a different tunnel hostname for
each session. 

You cannot do this on a per-user basis on the LNS, as the choice of
vtemplate also defines the authentication type, so once you authenticate
the user, the vtemplate selection has already been made. So unless you
own the LAC (or have the LAC ask your AAA server), doing this on a
per-user basis is tricky :-|

The "vpdn:vpdn-vtemplate" is essentially the same; this is used as part
of the LNS tunnel authorization feature, which basically replaces a
static vpdn-group configuration on the LNS with a dynamic RADIUS solution.

What are you trying to accomplish? You can apply arbitrary interface
configuration commands during the user authorization phase
("lcp:interface-config=<cmd>"), so apart from authentication, you should
be able to set up the resulting virtual-access interface as you desire,
even if you use a common vtemplate.

I'm not up to date with recent Intelligent Service Gateway (ISG)
functionality in 12.2SB; maybe there are options with the new
infrastructure there.

	oli
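
An added example, not part of the original post or of either poster's configuration: per-user RADIUS profiles that keep the common Virtual-Template1 and use "lcp:interface-config" to apply a different inbound ACL to each user's virtual-access interface. The user names, passwords, the second pool name and the ACL numbers are assumptions, and the entries are written in FreeRADIUS "users" file syntax.

```text
# FreeRADIUS "users" file entries (constructed example; user names,
# passwords, "contractor-pool" and ACL numbers 110/120 are placeholders).
#
# Router-side assumptions:
#   - "aaa authorization network" points at this RADIUS server, so reply
#     attributes are applied when the virtual-access interface is cloned
#   - extended ACLs 110 and 120 are already defined on the router
#   - the pool named in ip:addr-pool exists as an "ip local pool"
#
# Both users terminate on the same vpdn-group and Virtual-Template1.
# Authentication (ms-chap-v2 / ms-chap) still comes from the template;
# only the post-authentication interface configuration differs per user.

staff-user        Cleartext-Password := "CHANGE-ME-1"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:addr-pool=pptp-pool",
        Cisco-AVPair += "lcp:interface-config=ip access-group 110 in"

contractor-user   Cleartext-Password := "CHANGE-ME-2"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "ip:addr-pool=contractor-pool",
        Cisco-AVPair += "lcp:interface-config=ip access-group 120 in"
```

After a test login, "show interfaces virtual-access <n> configuration" on the router shows whether the per-user command was merged into the cloned interface.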

