[cisco-bba] aaa authorization question

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Dec 24 12:06:08 EST 2003

Hi Clayton,

> I've set up a test-bed system for tunnel switching on a Cisco 2611
> (12.3(3)), and am having some issues.
> Typically, we put the statement "aaa authorization network default
> group radius" in to allow RADIUS to specify an IP address for a user
> in the Framed-IP-Address attribute.
> Unfortunately, when I configure this, RADIUS is then used for the
> Tunnel destinations, rather than what is configured in the VPDN group:
> [...]
> The problem arises in that I'd like to use the local configuration,
> rather than the RADIUS response to determine where to tunnel a user,
> but also locally terminate users  who are not tunneled, but still
> allow assigning an IP address through the Framed-IP-Address RADIUS
> attribute. 
> This device would be acting as a PPPoE aggregator - inbound sessions
> on another vpdn group.
> Suggestions?

use a different AAA method list for locally terminated ppp users, i.e.

aaa new-model
aaa authentication ppp PPP_LOCAL group radius
aaa authorization network PPP_LOCAL group radius
aaa authorization network default local

and reference the PPP_LOCAL methods in your vtemplate

int virtual-template 1
 ppp authentication chap pap PPP_LOCAL
 ppp authorization PPP_LOCAL

So your ppp users will continue to use radius while the vpdn
authorization will be done locally.


More information about the cisco-bba mailing list