[cisco-bba] Multiple vpdn-groups, l2tp and radius...

Xavier Beaudouin kiwi at oav.net
Wed Feb 15 12:27:44 EST 2006


Hello there,


I am in the process to install an LNS for ADSL L2TP tunnel ending.

I am looking for a way to have the right Virtual Template provided by
RADIUS, with a default Virtual Template when no virtual template is
provided by RADIUS.

Here is the RADIUS entry for a user that should use a vpdn-group, but it
seems I have missed something.... ?

Also in this configuration, I need some inherited Virtual Templates to be
exported using ISIS.... Doesn't seem to work anymore... :/

radtest Test2 Test2 127.0.0.1 0 <verysecret>
Sending Access-Request of id 107 to 127.0.0.1:1812
         User-Name = "Test2"
         User-Password = "Test2"
         NAS-IP-Address = radius1
         NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=107, length=161
         Framed-IP-Address = aaa.bbb.fa0.3
         Cisco-AVPair = "vpdn:vpdn-group=vcollecte"
         Framed-Compression = Van-Jacobson-TCP-IP
         Framed-Protocol = PPP
         Service-Type = Framed-User
         Framed-MTU = 1492
         Framed-Routing = None
         Framed-IP-Netmask = 255.255.255.255
         Idle-Timeout = 3600
         Ascend-Client-Primary-DNS = 1.2.3.10
         Ascend-Client-Secondary-DNS = 1.2.2.11
         Tunnel-Type:0 = L2TP
         Tunnel-Medium-Type:0 = IP
         Class = 0x123456789
         Tunnel-Server-Endpoint:0 = "aaa.bbb.lo0.1"

Here is the configuration of the 7206 with NPE-400:


!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname lns-1
!
boot-start-marker
boot system flash disk0:c7200-js-mz.123-17a.bin
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
no logging console
!
aaa new-model
!
!
aaa group server radius ADSL
server aaa.bbb.ccc.5 auth-port 1812 acct-port 1813
server aaa.bbb.ccc.6 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp ADSL group ADSL
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network ADSL group ADSL
aaa accounting delay-start
aaa accounting network ADSL start-stop group ADSL
aaa session-id common
ip subnet-zero
no ip source-route
ip flow-cache timeout active 1
!
!
ip telnet source-interface GigabitEthernet1/0.850
ip domain name test.org
ip name-server 1.2.3.10
ip name-server 1.2.3.11
!
no ip bootp server
!
ip cef
virtual-profile if-needed
vpdn enable
vpdn source-ip aaa.bbb.lo0.1
vpdn logging
vpdn logging local
vpdn logging remote
vpdn logging user
vpdn logging tunnel-drop
vpdn search-order domain
vpdn domain-delimiter @ suffix
!
vpdn-group collecte
! Default L2TP VPDN group
accept-dialin
   protocol l2tp
   virtual-template 1
source-ip aaa.bbb.lo0.1
local name tunnel-l
lcp renegotiation always
no l2tp tunnel authentication
!
vpdn-group vcollecte
accept-dialin
   protocol l2tp
   virtual-template 2
source-ip aaa.bbb.fa0.1
local name tunnel-l2
lcp renegotiation always
no l2tp tunnel authentication
!
clns routing
!
!
interface Loopback0
description Loopback
ip address aaa.bbb.lo0.1 255.255.255.255
!
interface FastEthernet0/0
ip address aaa.bbb.fa0.1 255.255.255.0
duplex full
!
interface GigabitEthernet1/0
description NetIron Eth50
no ip address
ip route-cache flow
negotiation auto
!
interface GigabitEthernet1/0.850
description COLLECTE_ADSL
encapsulation dot1Q 850
ip address aaa.aaa.cc1.14 255.255.255.248
ip router isis
no snmp trap link-status
tag-switching ip
clns router isis
!
interface GigabitEthernet4/0
description To LACs
ip address a.b.x.6 255.255.255.252
no negotiation auto
!
interface Virtual-Template1
description Virtual-Templace ARRIVEE DSL GENERAL PHASE 1
ip unnumbered Loopback0
ip mtu 1492
ip route-cache flow
ip tcp adjust-mss 1420
peer default ip address pool l2tp
ppp authentication chap pap callin ADSL
ppp authorization ADSL
ppp accounting ADSL
!
interface Virtual-Template2
description Virtual Template avec encapsulation dans un VLAN
ip unnumbered FastEthernet0/0
ip mtu 1492
ip route-cache flow
ip tcp adjust-mss 1420
no peer default ip address
ppp authentication chap pap callin ADSL
ppp authorization ADSL
ppp accounting ADSL
!
router isis
net 49.xxxx.xxxx.xxxx.xxxx.xx
ip fast-convergence
log-adjacency-changes
redistribute connected route-map ADSL-Foo level-1-2
redistribute static ip route-map ADSL-Foo
redistribute bgp 1234 level-1-2
!
router bgp 1234
  ! :)
!
ip local pool l2tp 1.2.2.0 1.2.3.255
ip classless
ip route aaa.bbb.lo0.1 255.255.255.255 Loopback0
!
!
!
ip prefix-list L_in seq 5 deny 0.0.0.0/0
ip prefix-list L_in seq 10 deny 0.0.0.0/8 le 32
ip prefix-list L_in seq 15 deny 10.0.0.0/8 le 32
ip prefix-list L_in seq 20 deny 127.0.0.0/8 le 32
ip prefix-list L_in seq 25 deny 169.254.0.0/16 le 32
ip prefix-list L_in seq 30 deny 172.16.0.0/12 le 32
ip prefix-list L_in seq 35 deny 192.0.2.0/24 le 32
ip prefix-list L_in seq 40 deny 192.168.0.0/16 le 32
ip prefix-list L_in seq 45 deny 221.10.0.0/19 le 32
ip prefix-list L_in seq 50 deny 224.0.0.0/3 le 32
ip prefix-list L_in seq 55 permit 0.0.0.0/0 le 32
!
ip prefix-list L_out seq 5 permit aaa.aaa.aaa.1/32
ip prefix-list L_out seq 20 permit aaa.aaa.aaa.0/29
ip prefix-list L_out seq 50 deny 0.0.0.0/0 le 32
!
logging trap debugging
logging source-interface GigabitEthernet1/0.850
logging aaa.bbb.ccc.4
access-list 20 permit aa.0.0.0 0.255.255.255
access-list 20 deny   any log
access-list 97 remark ACL de management SNMP pour les radius
access-list 97 permit aaa.bbb.ccc.5
access-list 97 permit aaa.bbb.ccc.6
access-list 97 deny   any
access-list 99 remark ACL de management SNMP
access-list 99 permit aaa.bbb.ccc.4
access-list 99 deny   any
!
route-map ADSL-Foo deny 10
match interface FastEthernet0/0
!
route-map ADSL-Foo permit 20
match interface Virtual-Template1 Loopback0
!
snmp-server community .... RO 99
snmp-server community .... RO 97
snmp ifmib ifalias long
!
!
radius-server dead-criteria time 5 tries 4
radius-server host aaa.bbb.ccc.5 auth-port 1812 acct-port 1813 key 7 ....
radius-server host aaa.bbb.ccc.6 auth-port 1812 acct-port 1813 key 7 ....
radius-server deadtime 1
!
!
dial-peer cor custom
!
!
!
gateway
!
!
gatekeeper
shutdown
!

Thanks !

/Xavier
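Added example (not part of the post): a small Python checker that models the selection the post is after, where the Cisco-AVPair "vpdn:vpdn-group=..." names the vpdn-group and the group commented as default is used when the attribute is missing or names an unknown group, and then cross-checks the chosen group against the vpdn-group blocks from the LNS config. The fallback-to-collecte rule and the comparison of Tunnel-Server-Endpoint with the group's source-ip are assumptions of this checker, not documented IOS behaviour; the excerpts below are constructed from the post.

```python
import re

# Constructed excerpt of the radtest Access-Accept shown in the post
ACCESS_ACCEPT = """\
        Framed-IP-Address = aaa.bbb.fa0.3
        Cisco-AVPair = "vpdn:vpdn-group=vcollecte"
        Tunnel-Type:0 = L2TP
        Tunnel-Medium-Type:0 = IP
        Tunnel-Server-Endpoint:0 = "aaa.bbb.lo0.1"
"""

# Constructed excerpt of the two vpdn-group blocks from the LNS config
LNS_CONFIG = """\
vpdn-group collecte
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip aaa.bbb.lo0.1
vpdn-group vcollecte
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip aaa.bbb.fa0.1
"""

def parse_attributes(text):
    """Return {name: value} from 'Name[:tag] = value' lines, quotes stripped."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def parse_vpdn_groups(config):
    """Return {group: {'virtual-template': ..., 'source-ip': ...}} from IOS text."""
    groups, cur = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("vpdn-group "):
            cur = groups.setdefault(s.split()[1], {})
        elif cur is not None and s.startswith(("virtual-template ", "source-ip ")):
            key, val = s.split(None, 1)
            cur[key] = val
    return groups

def select_group(attrs, groups, default="collecte"):
    """Pick the group named by Cisco-AVPair vpdn:vpdn-group=..., else the default
    (assumed model). Returns (group, virtual_template, warnings)."""
    warnings = []
    m = re.match(r"vpdn:vpdn-group=(\S+)", attrs.get("Cisco-AVPair", ""))
    name = m.group(1) if m else default
    if name not in groups:
        warnings.append(f"vpdn-group {name} not configured; falling back to {default}")
        name = default
    g = groups[name]
    endpoint = attrs.get("Tunnel-Server-Endpoint")
    if endpoint and endpoint != g.get("source-ip"):  # mismatch worth a second look
        warnings.append(f"Tunnel-Server-Endpoint {endpoint} != source-ip of {name}")
    return name, g.get("virtual-template"), warnings
```

Running select_group on the post's reply picks vcollecte / Virtual-Template2 but flags that the returned Tunnel-Server-Endpoint is the source-ip of collecte, not of vcollecte.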

