[cisco-bba] vpdn multihop & aaa
Tassos Chatzithomaoglou
achatz at forthnet.gr
Wed Aug 4 12:15:52 EDT 2004
Quite strangely, I'm getting the following "error" message:
Aug 4 19:09:26.529: ppp217 PPP: Phase is FORWARDING, Attempting Forward
Aug 4 19:09:26.533: AAA/AUTHOR (0xF6): Pick method list 'VPDN-AAA' - FAIL
Aug 4 19:09:26.533: AAA/AUTHOR (0xF6): Pick method list 'VPDN-AAA'
Aug 4 19:09:26.541: Tnl/Sn 50748/295 L2TP: Session FS enabled
Aug 4 19:09:26.541: Tnl/Sn 50748/295 L2TP: Session state change from idle to wait-for-tunnel
Aug 4 19:09:26.541: uid:217 Tnl/Sn 50748/295 L2TP: Create session
but it works !!!!
PS: VPDN-AAA is my vpdn aaa method.
I'll give it some more tests and see if there are any other problems.
Dennis Peng wrote:
> A long shot would be to try configuring:
>
> aaa authorization network use-local local
> interface virtual-template X
> vpdn authorization use-local
>
> Not sure this will work with multihop though...
>
> Dennis
>
> Tassos Chatzithomaoglou [achatz at forthnet.gr] wrote:
>
>>The network topology is:
>>
>>LAC <--> LNS1 <--> LNS2
>>
>>
>>I have configured LNS1 for vpdn multihop, but I have come into the
>>following "problem":
>>
>>If I use "aaa authorization network default group tacacs+",
>>then LNS1 asks tacacs about the outgoing vpdn creation, instead of using
>>the following locally configured vpdn-group, so vpdn forwarding isn't
>>working (tacacs provides the vpdn info for the LAC also, so I'm getting a
>>vpdn "loop" there).
>>
>>vpdn-group LNS1-2-LNS2
>> request-dialin
>> protocol l2tp
>> domain test.gr
>> initiate-to ip x.x.x.x
>> local name LNS1
>>
>>If I use "aaa authorization network default local group tacacs+",
>>then LNS1 uses the local vpdn-group and everything works fine.
>>
>>Is there a way I can define an aaa authorization method (which will use
>>local aaa) explicitly for this vpdn?
>>
>>If I don't want to change the "aaa authorization network default group
>>tacacs+", what else can I do in order to make the outgoing vpdn use the
>>locally configured config instead of the tacacs one? I thought this was the
>>default behaviour :-( until I tried it.
>>_______________________________________________
>>cisco-bba mailing list
>>cisco-bba at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-bba
>
>