[cisco-bba] Multiple vpdn-groups, l2tp and radius...
Xavier Beaudouin
kiwi at oav.net
Wed Feb 15 12:27:44 EST 2006
Hello there,
I am in the process of installing an LNS for terminating ADSL L2TP tunnels.
I am looking for a way to provide the right Virtual Template
from RADIUS, with a default Virtual Template when a virtual
template is not provided by RADIUS.
Here is the RADIUS entry for a user that should use a vpdn-group, but it
seems I have missed something.... ?
Also, in this configuration, I need some inherited Virtual Templates
to be exported using ISIS.... It doesn't seem to work
anymore... :/
radtest Test2 Test2 127.0.0.1 0 <verysecret>
Sending Access-Request of id 107 to 127.0.0.1:1812
User-Name = "Test2"
User-Password = "Test2"
NAS-IP-Address = radius1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=107,
length=161
Framed-IP-Address = aaa.bbb.fa0.3
Cisco-AVPair = "vpdn:vpdn-group=vcollecte"
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-MTU = 1492
Framed-Routing = None
Framed-IP-Netmask = 255.255.255.255
Idle-Timeout = 3600
Ascend-Client-Primary-DNS = 1.2.3.10
Ascend-Client-Secondary-DNS = 1.2.2.11
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IP
Class = 0x123456789
Tunnel-Server-Endpoint:0 = "aaa.bbb.lo0.1"
Here is the configuration of the 7206 with NPE 400:
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname lns-1
!
boot-start-marker
boot system flash disk0:c7200-js-mz.123-17a.bin
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
no logging console
!
aaa new-model
!
!
aaa group server radius ADSL
 server aaa.bbb.ccc.5 auth-port 1812 acct-port 1813
 server aaa.bbb.ccc.6 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp ADSL group ADSL
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network ADSL group ADSL
aaa accounting delay-start
aaa accounting network ADSL start-stop group ADSL
aaa session-id common
ip subnet-zero
no ip source-route
ip flow-cache timeout active 1
!
!
ip telnet source-interface GigabitEthernet1/0.850
ip domain name test.org
ip name-server 1.2.3.10
ip name-server 1.2.3.11
!
no ip bootp server
!
ip cef
virtual-profile if-needed
vpdn enable
vpdn source-ip aaa.bbb.lo0.1
vpdn logging
vpdn logging local
vpdn logging remote
vpdn logging user
vpdn logging tunnel-drop
vpdn search-order domain
vpdn domain-delimiter @ suffix
!
vpdn-group collecte
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip aaa.bbb.lo0.1
 local name tunnel-l
 lcp renegotiation always
 no l2tp tunnel authentication
!
vpdn-group vcollecte
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip aaa.bbb.fa0.1
 local name tunnel-l2
 lcp renegotiation always
 no l2tp tunnel authentication
!
clns routing
!
!
interface Loopback0
 description Loopback
 ip address aaa.bbb.lo0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address aaa.bbb.fa0.1 255.255.255.0
 duplex full
!
interface GigabitEthernet1/0
 description NetIron Eth50
 no ip address
 ip route-cache flow
 negotiation auto
!
interface GigabitEthernet1/0.850
 description COLLECTE_ADSL
 encapsulation dot1Q 850
 ip address aaa.aaa.cc1.14 255.255.255.248
 ip router isis
 no snmp trap link-status
 tag-switching ip
 clns router isis
!
interface GigabitEthernet4/0
 description To LACs
 ip address a.b.x.6 255.255.255.252
 no negotiation auto
!
interface Virtual-Template1
 description Virtual-Templace ARRIVEE DSL GENERAL PHASE 1
 ip unnumbered Loopback0
 ip mtu 1492
 ip route-cache flow
 ip tcp adjust-mss 1420
 peer default ip address pool l2tp
 ppp authentication chap pap callin ADSL
 ppp authorization ADSL
 ppp accounting ADSL
!
interface Virtual-Template2
 description Virtual Template avec encapsulation dans un VLAN
 ip unnumbered FastEthernet0/0
 ip mtu 1492
 ip route-cache flow
 ip tcp adjust-mss 1420
 no peer default ip address
 ppp authentication chap pap callin ADSL
 ppp authorization ADSL
 ppp accounting ADSL
!
router isis
 net 49.xxxx.xxxx.xxxx.xxxx.xx
 ip fast-convergence
 log-adjacency-changes
 redistribute connected route-map ADSL-Foo level-1-2
 redistribute static ip route-map ADSL-Foo
 redistribute bgp 1234 level-1-2
!
router bgp 1234
 ! :)
!
ip local pool l2tp 1.2.2.0 1.2.3.255
ip classless
ip route aaa.bbb.lo0.1 255.255.255.255 Loopback0
!
!
!
ip prefix-list L_in seq 5 deny 0.0.0.0/0
ip prefix-list L_in seq 10 deny 0.0.0.0/8 le 32
ip prefix-list L_in seq 15 deny 10.0.0.0/8 le 32
ip prefix-list L_in seq 20 deny 127.0.0.0/8 le 32
ip prefix-list L_in seq 25 deny 169.254.0.0/16 le 32
ip prefix-list L_in seq 30 deny 172.16.0.0/12 le 32
ip prefix-list L_in seq 35 deny 192.0.2.0/24 le 32
ip prefix-list L_in seq 40 deny 192.168.0.0/16 le 32
ip prefix-list L_in seq 45 deny 221.10.0.0/19 le 32
ip prefix-list L_in seq 50 deny 224.0.0.0/3 le 32
ip prefix-list L_in seq 55 permit 0.0.0.0/0 le 32
!
ip prefix-list L_out seq 5 permit aaa.aaa.aaa.1/32
ip prefix-list L_out seq 20 permit aaa.aaa.aaa.0/29
ip prefix-list L_out seq 50 deny 0.0.0.0/0 le 32
!
logging trap debugging
logging source-interface GigabitEthernet1/0.850
logging aaa.bbb.ccc.4
access-list 20 permit aa.0.0.0 0.255.255.255
access-list 20 deny any log
access-list 97 remark ACL de management SNMP pour les radius
access-list 97 permit aaa.bbb.ccc.5
access-list 97 permit aaa.bbb.ccc.6
access-list 97 deny any
access-list 99 remark ACL de management SNMP
access-list 99 permit aaa.bbb.ccc.4
access-list 99 deny any
!
route-map ADSL-Foo deny 10
 match interface FastEthernet0/0
!
route-map ADSL-Foo permit 20
 match interface Virtual-Template1 Loopback0
!
snmp-server community .... RO 99
snmp-server community .... RO 97
snmp ifmib ifalias long
!
!
radius-server dead-criteria time 5 tries 4
radius-server host aaa.bbb.ccc.5 auth-port 1812 acct-port 1813 key 7 ....
radius-server host aaa.bbb.ccc.6 auth-port 1812 acct-port 1813 key 7 ....
radius-server deadtime 1
!
!
dial-peer cor custom
!
!
!
gateway
!
!
gatekeeper
 shutdown
!
Thanks !
/Xavier
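Added here as an example, not code from the original post: a small Python consistency check that cross-references the Access-Accept above with the vpdn-group and route-map sections of the posted config (both reduced and embedded inline as constructed sample input). It reports when RADIUS names a vpdn-group that is not configured, when it names none at all, and when the virtual-template selected by that group is not listed in a permit clause of the route-map used for ISIS redistribution.

```python
import re
# Constructed sample input, reduced from the Access-Accept and the config posted above.
RADIUS_REPLY = 'Framed-IP-Address = aaa.bbb.fa0.3\nCisco-AVPair = "vpdn:vpdn-group=vcollecte"\nTunnel-Type:0 = L2TP\n'
IOS_CONFIG = """vpdn-group collecte
  virtual-template 1
vpdn-group vcollecte
  virtual-template 2
route-map ADSL-Foo deny 10
 match interface FastEthernet0/0
route-map ADSL-Foo permit 20
 match interface Virtual-Template1 Loopback0
"""

def blocks(config, header_re):
    """Yield (header match, stripped body lines) for each top-level block whose header matches."""
    hdr, body = None, []
    for line in config.splitlines() + [""]:  # sentinel flushes the last block
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if hdr:
                yield hdr, body
            hdr, body = re.match(header_re, line), []

def vpdn_groups(config):
    """Map each vpdn-group name to the virtual-template number it selects."""
    return {h.group(1): int(m.group(1)) for h, body in blocks(config, r"vpdn-group (\S+)")
            for l in body if (m := re.match(r"virtual-template (\d+)", l))}

def radius_vpdn_group(reply):
    """vpdn-group selected by the Cisco-AVPair in the Access-Accept, or None if absent."""
    m = re.search(r'Cisco-AVPair = "vpdn:vpdn-group=([^"]+)"', reply)
    return m.group(1) if m else None

def permitted_interfaces(config, name):
    """Interfaces named by 'match interface' in the route-map's permit clauses."""
    return {i for h, body in blocks(config, rf"route-map {re.escape(name)} (permit|deny) \d+")
            if h.group(1) == "permit" for l in body if l.startswith("match interface ")
            for i in l.split()[2:]}

def check(reply, config, route_map="ADSL-Foo"):
    """Findings as strings; an empty list means RADIUS, vpdn-groups and route-map agree."""
    group, groups = radius_vpdn_group(reply), vpdn_groups(config)
    if group is None:
        return ["no vpdn:vpdn-group in Access-Accept: RADIUS does not select a vpdn-group"]
    if group not in groups:
        return [f"RADIUS selects vpdn-group {group}, which is not configured on the LNS"]
    vt = f"Virtual-Template{groups[group]}"
    return [] if vt in permitted_interfaces(config, route_map) else [
        f"{vt} (used by vpdn-group {group}) is not permitted by route-map {route_map}"]
```

The check is purely textual: it flags that Virtual-Template2 (selected by vcollecte) is absent from the permit clause of ADSL-Foo, but it does not model how IOS applies `match interface` to cloned virtual-access interfaces.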