[cisco-bba] aaa authorization question
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Dec 24 12:06:08 EST 2003
Hi Clayton,
>
> I've set up a test-bed system for tunnel switching on a Cisco 2611
> (12.3(3)), and am having some issues.
>
> Typically, we put the statement "aaa authorization network default
> group radius" in to allow RADIUS to specify an IP address for a user
> in the Framed-IP-Address attribute.
>
> Unfortunately, when I configure this, RADIUS is then used for the
> Tunnel destinations, rather than what is configured in the VPDN group:
>
> [...]
> The problem arises in that I'd like to use the local configuration,
> rather than the RADIUS response to determine where to tunnel a user,
> but also locally terminate users who are not tunneled, but still
> allow assigning an IP address through the Framed-IP-Address RADIUS
> attribute.
>
> This device would be acting as a PPPoE aggregator - inbound sessions
> on another vpdn group.
>
> Suggestions?

Use a different AAA method list for locally terminated ppp users, i.e.

  aaa new-model
  aaa authentication ppp PPP_LOCAL group radius
  aaa authorization network PPP_LOCAL group radius
  aaa authorization network default local

and reference the PPP_LOCAL methods in your vtemplate

  int virtual-template 1
   [...]
   ppp authentication chap pap PPP_LOCAL
   ppp authorization PPP_LOCAL

So your ppp users will continue to use radius while the vpdn
authorization will be done locally.

oli
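
An added example, not part of the original post and not Cisco tooling: a small Python check over a saved configuration that flags PPP interfaces falling back to the default method lists, and a default network authorization list that points at a server group (the case where tunnel authorization goes to RADIUS). The sample config is constructed from the reply, written in running-config form; `audit`, `SAMPLE_CONFIG`, `PPP_KEYWORDS` and Virtual-Template2 are hypothetical names.

```python
# Constructed sample: the reply's config plus a hypothetical Virtual-Template2.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp PPP_LOCAL group radius
aaa authorization network PPP_LOCAL group radius
aaa authorization network default local
interface Virtual-Template1
 ppp authentication chap pap PPP_LOCAL
 ppp authorization PPP_LOCAL
interface Virtual-Template2
 ppp authentication chap pap
"""
# Words on "ppp authentication" that are protocols or options, not list names.
PPP_KEYWORDS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap", "if-needed",
                "callin", "callout", "callback", "one-time", "optional"}

def audit(config):
    """Return findings on AAA method-list use by PPP interfaces."""
    authn, authz, ifaces, current = {}, {}, {}, None
    for raw in filter(str.strip, config.splitlines()):
        words = raw.split()
        if not raw[0].isspace():          # a top-level line ends interface scope
            current = None
        if words[:3] == ["aaa", "authentication", "ppp"] and len(words) > 4:
            authn[words[3]] = words[4:]
        elif words[:3] == ["aaa", "authorization", "network"] and len(words) > 4:
            authz[words[3]] = words[4:]
        elif words[0] == "interface":
            current = ifaces.setdefault(" ".join(words[1:]), {})
        elif current is not None and words[:2] == ["ppp", "authentication"]:
            names = [w for w in words[2:] if w not in PPP_KEYWORDS]
            current["authn"] = names[0] if names else "default"
        elif current is not None and words[:2] == ["ppp", "authorization"]:
            current["authz"] = words[2] if len(words) > 2 else "default"
    findings = []
    if "group" in authz.get("default", []):
        findings.append("default network authorization uses a server group, "
                        "so VPDN tunnel authorization follows it")
    for name, ppp in ifaces.items():
        if "authn" not in ppp:
            continue                      # interface does not authenticate PPP
        for kind, defined in (("authn", authn), ("authz", authz)):
            used = ppp.get(kind, "default")
            if used == "default":
                findings.append(f"{name}: {kind} falls back to the default list")
            elif used not in defined:
                findings.append(f"{name}: {kind} list {used} is not defined")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports only the hypothetical Virtual-Template2; with the reply's "default local" line in place, a template on the default lists would no longer get RADIUS network authorization.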