[cisco-bba] "vpdn authen-before-forward" & specific radius for vpdn

Matyas Szilard szilard.matyas at enternet.hu
Thu Nov 20 09:01:32 EST 2003


hi,

if you use different DNIS-number-based VPDNs:

The situation is better, because you could create separate server groups:

aaa group server radius OTHERRADIUS
 server x.x.x.x auth-port 1812 acct-port 1813

then you use the aaa dnis maps to use a different radius server for different
numbers:

aaa dnis map enable
aaa dnis map 213 authentication ppp group OTHERRADIUS
aaa dnis map 213 authorization network group OTHERRADIUS
aaa dnis map 213 accounting network start-stop group OTHERRADIUS

If a user dials in to DNIS 213, it sends every AAA request to a radius server
configured in the OTHERRADIUS group.

szicsu
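As an added illustration (not part of szicsu's post or any Cisco documentation), a complete LAC configuration in which local callers use the default RADIUS while callers on DNIS 213, the VPDN number, are authenticated, authorized and accounted on OTHERRADIUS before being forwarded; the addresses, keys, hostnames and the vpdn-group name are placeholders, and because the vpdn-group is defined locally no RADIUS tunnel-authorization lookup is needed:

```cisco
! Constructed example: a LAC whose default method lists use one RADIUS
! server while DNIS 213 is mapped to the OTHERRADIUS group. All addresses,
! keys and names below are placeholders.
aaa new-model
!
! Default RADIUS, used by every method list that has no DNIS map entry
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key LOCALKEY
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
! Second server group for the VPDN number
aaa group server radius OTHERRADIUS
 server 10.0.0.2 auth-port 1812 acct-port 1813
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key VPDNKEY
!
! Callers on DNIS 213 are sent to OTHERRADIUS for all three AAA phases,
! so their credentials never reach the default (local-user) RADIUS
aaa dnis map enable
aaa dnis map 213 authentication ppp group OTHERRADIUS
aaa dnis map 213 authorization network group OTHERRADIUS
aaa dnis map 213 accounting network start-stop group OTHERRADIUS
!
! Authenticate on the LAC before forwarding, and pick the tunnel by DNIS
vpdn enable
vpdn authen-before-forward
vpdn search-order dnis
vpdn-group VPDN213
 request-dialin
  protocol l2tp
  dnis 213
 initiate-to ip 192.0.2.10
 local name lac-placeholder
 l2tp tunnel password TUNNELKEY
```

Because the selection happens on the called number, a caller who reaches the local-user number is never evaluated against OTHERRADIUS, and `show aaa servers` or `debug aaa authentication` will show which group handled each call.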

----- Original Message ----- 
From: "Dennis Peng" <dpeng at cisco.com>
To: "Tassos Chatzithomaoglou" <achatz at forthnet.gr>
Cc: "cisco-bba" <cisco-bba at puck.nether.net>
Sent: Wednesday, November 19, 2003 8:55 PM
Subject: Re: [cisco-bba] "vpdn authen-before-forward" & specific radius for vpdn


> Dennis Peng [dpeng at cisco.com] wrote:
> > Tassos Chatzithomaoglou [achatz at forthnet.gr] wrote:
> > > If I use "vpdn authen-before-forward" & "vpdn aaa override-server x.x.x.x"
> > > on a LAC, will radius server x.x.x.x be used for authentication of vpdn
> > > sessions too?
> > > Or will it be used only for vpdn tunnel authorization?
> >
> > Only for tunnel authorization.
> >
> > > If the above is not working, is there a way (besides the directed-request
> > > "hack") I can have vpdn users authenticated on the LAC (before the actual
> > > forwarding to the LNS) in a different radius server from the default used
> > > for local users?
> >
> > No, not really. The LAC doesn't "know" whether the user is a VPDN one
> > or not prior to authentication.
> >
> > > Also, why is "vpdn aaa override-server" not supported on 5350?
> >
> > The command has been deprecated. If you try to configure it in
> > 12.3(1a), you'll see:
> >
> > router(config)#vpdn aaa override-server 1.2.3.4
> >  VPDN Warning, override-server is no longer supported.
> >  Use "vpdn authorization" under interface context.
> >
> > You should be able to use the "vpdn tunnel authorization network
> > <method list>" command to replace the override-server
> > functionality. But I see two problems here, one the command is only in
> > 12.2B/12.3B/12.3(4)T or later. And second it doesn't seem to have any
> > effect on the LAC. I'll need to investigate.
>
> Sorry, I got confused here. The replacement command is "vpdn
> authorization <method list>" under the interface. "vpdn tunnel
> authorization network <method list>" is for something else.
>
> Dennis
>
> > Dennis
> >
> > > AS5300 (12.2(15)T8)
> > > ------------------------
> > > AS5300(config)#vpdn aaa ?
> > >   attribute        Customize selected aaa attributes
> > >   override-server  Designate AAA server for VPDN authorization
> > >   untagged         Untagged attribute from AAA server
> > >
> > >
> > > AS5350 (12.3(1a))
> > > -----------------
> > > AS5350(config)#vpdn aaa ?
> > >   attribute  Customize selected aaa attributes
> > >   untagged   Untagged attribute from AAA server
> > >
> > > -- 
> > > ***********************************
> > >    Chatzithomaoglou Anastasios
> > > Network Design & Operations Center
> > >           FORTHnet S.A.
> > >       <achatz at forthnet.gr>
> > > ***********************************
> > >
> > >
> > > _______________________________________________
> > > cisco-bba mailing list
> > > cisco-bba at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-bba