[cisco-bba] "vpdn authen-before-forward" & specific radius for vpdn
Tassos Chatzithomaoglou
achatz at forthnet.gr
Thu Nov 20 09:09:32 EST 2003
If our PTT provided us with dnis numbers, that would be a good idea ;-)
Matyas Szilard wrote:
> hi,
>
> if you use different dnis number based vpdn:
>
> The situation is better, because you could create separate group servers
>
> aaa group server radius OTHERRADIUS
>  server x.x.x.x auth-port 1812 acct-port 1813
>
> then you use the aaa dnis maps to use a different radius server for different
> numbers
>
> aaa dnis map enable
> aaa dnis map 213 authentication ppp group OTHERRADIUS
> aaa dnis map 213 authorization network group OTHERRADIUS
> aaa dnis map 213 accounting network start-stop group OTHERRADIUS
>
> If a user dials in to dnis 213, it sends every aaa request to a radius server
> configured in the OTHERRADIUS group.
>
> szicsu
>
> ----- Original Message -----
> From: "Dennis Peng" <dpeng at cisco.com>
> To: "Tassos Chatzithomaoglou" <achatz at forthnet.gr>
> Cc: "cisco-bba" <cisco-bba at puck.nether.net>
> Sent: Wednesday, November 19, 2003 8:55 PM
> Subject: Re: [cisco-bba] "vpdn authen-before-forward" & specific radius
> for vpdn
>
>
>
>>Dennis Peng [dpeng at cisco.com] wrote:
>>
>>>Tassos Chatzithomaoglou [achatz at forthnet.gr] wrote:
>>>
>>>>If I use "vpdn authen-before-forward" & "vpdn aaa override-server x.x.x.x"
>>>>on a LAC, will radius server x.x.x.x be used for authentication of vpdn
>>>>sessions too?
>>>>Or will it be used only for vpdn tunnel authorization?
>>>
>>>Only for tunnel authorization.
>>>
>>>
>>>>If the above is not working, is there a way (besides the directed-request
>>>>"hack") I can have vpdn users authenticated on the LAC (before the actual
>>>>forwarding to the LNS) in a different radius server from the default used
>>>>for local users?
>>>
>>>No, not really. The LAC doesn't "know" whether the user is a VPDN one
>>>or not prior to authentication.
>>>
>>>
>>>>Also, why is "vpdn aaa override-server" not supported on 5350?
>>>
>>>The command has been deprecated. If you try to configure it in
>>>12.3(1a), you'll see:
>>>
>>>router(config)#vpdn aaa override-server 1.2.3.4
>>> VPDN Warning, override-server is no longer supported.
>>> Use "vpdn authorization" under interface context.
>>>
>>>You should be able to use the "vpdn tunnel authorization network
>>><method list>" command to replace the override-server
>>>functionality. But I see two problems here, one the command is only in
>>>12.2B/12.3B/12.3(4)T or later. And second it doesn't seem to have any
>>>effect on the LAC. I'll need to investigate.
>>
>>Sorry, I got confused here. The replacement command is "vpdn
>>authorization <method list>" under the interface. "vpdn tunnel
>>authorization network <method list>" is for something else.
>>
>>Dennis
>>
>>
>>>Dennis
>>>
>>>
>>>>AS5300 (12.2(15)T8)
>>>>------------------------
>>>>AS5300(config)#vpdn aaa ?
>>>> attribute Customize selected aaa attributes
>>>> override-server Designate AAA server for VPDN authorization
>>>> untagged Untagged attribute from AAA server
>>>>
>>>>
>>>>AS5350 (12.3(1a))
>>>>-----------------
>>>>AS5350(config)#vpdn aaa ?
>>>> attribute Customize selected aaa attributes
>>>> untagged Untagged attribute from AAA server
>>>>
>>>>--
>>>>***********************************
>>>> Chatzithomaoglou Anastasios
>>>>Network Design & Operations Center
>>>> FORTHnet S.A.
>>>> <achatz at forthnet.gr>
>>>>***********************************
>>>>
>>>>
>>>>_______________________________________________
>>>>cisco-bba mailing list
>>>>cisco-bba at puck.nether.net
>>>>https://puck.nether.net/mailman/listinfo/cisco-bba
>>
--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz at forthnet.gr>
***********************************