[cisco-bba] aaa authorization question

Clayton Zekelman clayton at MNSi.Net
Wed Dec 24 09:30:23 EST 2003


I've set up a test-bed system for tunnel switching on a Cisco 2611 
(12.3(3)), and am having some issues.

Typically, we put the statement "aaa authorization network default group 
radius" in to allow RADIUS to specify an IP address for a user in the 
Framed-IP-Address attribute.

Unfortunately, when I configure this, RADIUS is then used for the Tunnel 
destinations, rather than what is configured in the VPDN group:

vpdn-group mnsi
         protocol l2tp
         domain mnsi.net
         domain otherisp.com
         domain someone.net
initiate-to ip XXX.XXX.XXX.XXX
local name LONDON47H28
l2tp tunnel password somepassword

The problem arises in that I'd like to use the local configuration, rather 
than the RADIUS response to determine where to tunnel a user, but also 
locally terminate users  who are not tunneled, but still allow assigning an 
IP address through the Framed-IP-Address RADIUS attribute.

This device would be acting as a PPPoE aggregator - inbound sessions on 
another vpdn group.


Clayton Zekelman
Managed Network Systems Inc. (MNSi)
344-300 Tecumseh Rd. E.
Windsor, Ontario
N8X 5E8

tel. 519-985-8410
fax. 519-258-3009 

More information about the cisco-bba mailing list