[cisco-bba] Multiple vpdn-groups, l2tp and radius...
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Feb 15 12:46:27 EST 2006
Xavier,
you cannot assign the local vpdn-group/virtual-template at user
authentication time, this can only be done when the L2TP session comes
in. The selection is purely based on the tunnel's name (terminate-from
hostname <name> within the vpdn-group). Since you use default
vpdn-groups (no "terminate-from" in the vpdn-group config), all your
sessions will terminate within the group "collecte", the 2nd group is
not used at all.
The destination IP address is not used to select vpdn-groups.
To change this, the LAC (not the LNS) needs to use a different tunnel
name than its hostname, for instance "Tunnel-Client-Auth-ID =
vcollecte", and you configure
vpdn-group vcollecte
 accept-dialin
  protocol l2tp
  virtual-template 2
 source-ip aaa.bbb.fa0.1
 terminate-from hostname vcollecte
 local name tunnel-l2
 lcp renegotiation always
 no l2tp tunnel authentication
I think you need to enable l2tp tunnel authentication, not 100% sure.
Regarding the address redistribution (even though I think it is always a
bad idea to redistribute a PPP user's /32 into your IGP directly, please
try to summarize): You need to match against ACLs in your route-map.
You cannot match against interfaces as the users are terminated on
virtual-access interfaces which you cannot use in "match interface").
oli
Xavier Beaudouin <> wrote on Wednesday, February 15, 2006 6:28 PM:
> Hello there,
>
>
> I am in the process of installing an LNS for ADSL L2TP tunnel termination.
>
> I am looking for a way to provide the right Virtual Template
> provided by a Radius, with a default Virtual Template when a virtual
> template is not provided by the Radius.
>
> Here is the Radius entry for a user that should use a vpdn-group, but it
> seems I have missed something...?
>
> Also in this configuration, I need some inherited Virtual Templates
> to be exported using ISIS... Doesn't seem to work
> anymore... :/
>
> radtest Test2 Test2 127.0.0.1 0 <verysecret>
> Sending Access-Request of id 107 to 127.0.0.1:1812
> User-Name = "Test2"
> User-Password = "Test2"
> NAS-IP-Address = radius1
> NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=107,
> length=161
> Framed-IP-Address = aaa.bbb.fa0.3
> Cisco-AVPair = "vpdn:vpdn-group=vcollecte"
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Framed-MTU = 1492
> Framed-Routing = None
> Framed-IP-Netmask = 255.255.255.255
> Idle-Timeout = 3600
> Ascend-Client-Primary-DNS = 1.2.3.10
> Ascend-Client-Secondary-DNS = 1.2.2.11
> Tunnel-Type:0 = L2TP
> Tunnel-Medium-Type:0 = IP
> Class = 0x123456789
> Tunnel-Server-Endpoint:0 = "aaa.bbb.lo0.1"
>
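As an added illustration of the point Oliver makes above (not code from either poster or from IOS), the following Python models how an LNS picks a vpdn-group: it parses the Host Name AVP out of a constructed L2TPv2 SCCRQ and matches it against the configured "terminate-from hostname" entries, falling back to the first default group. The group order, the LAC name "vcollecte" and the modelled fallback behaviour are assumptions; the per-user RADIUS vpdn-group attribute and the destination IP are deliberately not inputs, since the tunnel is already placed before user authentication happens.

```python
import struct

AVP_MESSAGE_TYPE, AVP_HOST_NAME, SCCRQ = 0, 7, 1   # RFC 2661 attribute/message types

def avp(attr, value):
    """Encode one mandatory (M bit) IETF AVP: flags/length, vendor id 0, type, value."""
    return struct.pack("!HHH", 0x8000 | (6 + len(value)), 0, attr) + value

def build_sccrq(hostname):
    """Constructed SCCRQ: 12-byte control header (T=1,L=1,S=1,Ver=2) plus AVPs."""
    body = avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ))
    body += avp(AVP_HOST_NAME, hostname.encode("ascii"))
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), 0, 0, 0, 0) + body

def parse_avps(payload):
    """Walk the AVP list and return {attribute type: raw value} for vendor-id-0 AVPs."""
    avps, off = {}, 0
    while off < len(payload):
        flags_len, vendor, attr = struct.unpack_from("!HHH", payload, off)
        length = flags_len & 0x03FF                  # low 10 bits carry the AVP length
        if length < 6 or off + length > len(payload):
            raise ValueError("malformed AVP at offset %d" % off)
        if flags_len & 0x4000:                       # H bit: hidden AVP, needs tunnel secret
            raise ValueError("hidden AVP not handled in this example")
        if vendor == 0:
            avps[attr] = payload[off + 6:off + length]
        off += length
    return avps

def tunnel_name(packet):
    """Return the Host Name AVP of an SCCRQ; this is the name the LNS matches on."""
    flags, length = struct.unpack_from("!HH", packet, 0)
    if not flags & 0x8000 or flags & 0x000F != 2 or length != len(packet):
        raise ValueError("not a well-formed L2TPv2 control message")
    avps = parse_avps(packet[12:])
    if struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0] != SCCRQ:
        raise ValueError("not an SCCRQ")
    return avps[AVP_HOST_NAME].decode("ascii")

def select_vpdn_group(groups, name):
    """groups: [(vpdn-group name, terminate-from hostname or None)] in config order.
    An explicit terminate-from match wins; else the first default group takes the
    tunnel (assumed model). Destination IP and per-user RADIUS attributes play no part."""
    for gname, host in groups:
        if host == name:
            return gname
    for gname, host in groups:
        if host is None:
            return gname
    return None
```

With two default groups every tunnel lands in the first one regardless of what the LAC calls itself; only once the second group carries "terminate-from hostname vcollecte" and the LAC sends that name does the second group get used.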