[cisco-bba] "vpdn authen-before-forward" & specific radius forvpdn

Tassos Chatzithomaoglou achatz at forthnet.gr
Thu Nov 20 09:09:32 EST 2003 

If our PTT provided us with dnis numbers, that would be a good idea ;-)

Matyas Szilard wrote:

> hi,
> 
> if you use different dnis number based vpdn:
> 
> The situation is better, because you could create separate group servers
> 
> aaa group server radius OTHERRADIUS
>  server x.x.x.x auth-port 1812 acct-port 1813
> 
> then you use the aaa dnis maps to use different radius server  for different
> numbers
> 
> aaa dnis map enable
> aaa dnis map 213 authentication ppp group OTHERRADIUS
> aaa dnis map 213 authorization network group OTHERRADIUS
> aaa dnis map 213 accounting network start-stop group OTHERRADIUS
> 
> If a user dial-in to dnis 213, it send every aaa request to a radius server
> configured in OTHERRADIUS group.
> 
> szicsu
> 
> 
> 
> 
> 
> 
> 
> 
> 
> ----- Original Message ----- 
> From: "Dennis Peng" <dpeng at cisco.com>
> To: "Tassos Chatzithomaoglou" <achatz at forthnet.gr>
> Cc: "cisco-bba" <cisco-bba at puck.nether.net>
> Sent: Wednesday, November 19, 2003 8:55 PM
> Subject: Re: [cisco-bba] "vpdn authen-before-forward" & specific radius
> forvpdn
> 
> 
> 
>>Dennis Peng [dpeng at cisco.com] wrote:
>>
>>>Tassos Chatzithomaoglou [achatz at forthnet.gr] wrote:
>>>
>>>>If i use "vpdn authen-before-forward" & "vpdn aaa override-server
> 
> x.x.x.x"
> 
>>>>on a LAC, will radius server x.x.x.x be used for authentication of
> 
> vpdn
> 
>>>>sessions too?
>>>>Or will it be used only for vpdn tunnel authorization?
>>>
>>>Only for tunnel authorization.
>>>
>>>
>>>>If the above is not working, is there a way (besides the
> 
> directed-request
> 
>>>>"hack") i can have vpdn users authenticated on the LAC (before the
> 
> actual
> 
>>>>forwarding to the LNS) in a different radius server from the default
> 
> used
> 
>>>>for local users?
>>>
>>>No, not really. The LAC doesn't "know" whether the user is a VPDN one
>>>or not prior to authentication.
>>>
>>>
>>>>Also, why is "vpdn aaa override-server" not supported on 5350?
>>>
>>>The command has been deprecated. If you try to configure it in
>>>12.3(1a), you'll see:
>>>
>>>router(config)#vpdn aaa override-server 1.2.3.4
>>> VPDN Warning, override-server is no longer supported.
>>> Use "vpdn authorization" under interface context.
>>>
>>>You should be able to use the "vpdn tunnel authorization network
>>><method list>" command to replace the override-server
>>>functionality. But I see two problems here, one the command is only in
>>>12.2B/12.3B/12.3(4)T or later. And second it doesn't seem to have any
>>>effect on the LAC. I'll need to investigate.
>>
>>Sorry, I got confused here. The replacement command is "vpdn
>>authorization <method list>" under the interface. "vpdn tunnel
>>authorization network <method list>" is for something else.
>>
>>Dennis
>>
>>
>>>Dennis
>>>
>>>
>>>>AS5300 (12.2(15)T8)
>>>>------------------------
>>>>AS5300(config)#vpdn aaa ?
>>>>  attribute        Customize selected aaa attributes
>>>>  override-server  Designate AAA server for VPDN authorization
>>>>  untagged         Untagged attribute from AAA server
>>>>
>>>>
>>>>AS5350 (12.3(1a))
>>>>-----------------
>>>>AS5350(config)#vpdn aaa ?
>>>>  attribute  Customize selected aaa attributes
>>>>  untagged   Untagged attribute from AAA server
>>>>
>>>>-- 
>>>>***********************************
>>>>   Chatzithomaoglou Anastasios
>>>>Network Design & Operations Center
>>>>          FORTHnet S.A.
>>>>      <achatz at forthnet.gr>
>>>>***********************************
>>>>
>>>>
>>>>_______________________________________________
>>>>cisco-bba mailing list
>>>>cisco-bba at puck.nether.net
>>>>https://puck.nether.net/mailman/listinfo/cisco-bba
>>
>>_______________________________________________
>>cisco-bba mailing list
>>cisco-bba at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-bba
>>
> 
> 
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
> 

-- 
***********************************
    Chatzithomaoglou Anastasios
Network Design & Operations Center
           FORTHnet S.A.
       <achatz at forthnet.gr>
***********************************

More information about the cisco-bba mailing list