[cisco-bba] vpdn multihop & aaa

Tassos Chatzithomaoglou achatz at forthnet.gr
Wed Aug 4 12:15:52 EDT 2004


Quite strangely, I'm getting the following "error" message:

Aug  4 19:09:26.529: ppp217 PPP: Phase is FORWARDING, Attempting Forward
Aug  4 19:09:26.533: AAA/AUTHOR (0xF6): Pick method list 'VPDN-AAA' - FAIL
Aug  4 19:09:26.533: AAA/AUTHOR (0xF6): Pick method list 'VPDN-AAA'
Aug  4 19:09:26.541:  Tnl/Sn 50748/295 L2TP: Session FS enabled
Aug  4 19:09:26.541:  Tnl/Sn 50748/295 L2TP: Session state change from idle to wait-for-tunnel
Aug  4 19:09:26.541: uid:217 Tnl/Sn 50748/295 L2TP: Create session

but it works !!!!

PS: VPDN-AAA is my vpdn aaa method.

I'll give it some more tests and see if there are any other problems.

Dennis Peng wrote:

> A long shot would be to try configuring:
> 
> aaa authorization network use-local local
> interface virtual-template X
>  vpdn authorization use-local
> 
> Not sure this will work with multihop though...
> 
> Dennis
> 
> Tassos Chatzithomaoglou [achatz at forthnet.gr] wrote:
> 
>>The network topology is:
>>
>>LAC <--> LNS1 <--> LNS2
>>
>>
>>I have configured LNS1 for vpdn multihop, but I have come into the 
>>following "problem":
>>
>>If I use "aaa authorization network default group tacacs+",
>>then LNS1 asks tacacs about the outgoing vpdn creation, instead of using 
>>the following locally configured vpdn-group, so vpdn forwarding isn't 
>>working (tacacs provides the vpdn info for the LAC also, so I'm getting a 
>>vpdn "loop" there).
>>
>>vpdn-group LNS1-2-LNS2
>> request-dialin
>>  protocol l2tp
>>  domain test.gr
>> initiate-to ip x.x.x.x
>> local name LNS1
>>
>>If I use "aaa authorization network default local group tacacs+",
>>then LNS1 uses the local vpdn-group and everything works fine.
>>
>>Is there a way I can define an aaa authorization method (which will use 
>>local aaa) explicitly for this vpdn?
>>
>>If I don't want to change the "aaa authorization network default group 
>>tacacs+", what else can I do in order to make the outgoing vpdn use the 
>>locally configured config instead of the tacacs one? I thought this was the 
>>default behaviour :-( until I tried it.