[cisco-bba] Multiple vpdn-groups, l2tp and radius...

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Feb 15 12:46:27 EST 2006 

Xavier,

you cannot assign the local vpdn-group/virtual-template at user
authentication time, this can only be done when the l2TP session comes
in. The selection is purely based on the tunnel's name (terminate-from
hostname <name> within the vpdn-group). Since you use default
vpdn-groups (no "terminate-from" in the vpdn-group config), all your
sessions will terminate within the group "collecte", the 2nd group is
not used at all.
The destination IP address is not used to select vpdn-groups..

To change this, the LAC (not the LNS) needs to use a different tunnel
name than its hostname, for instance "Tunnel-Client-Auth-ID =
vcollecte", and you configure

vpdn-group vcollecte
 accept-dialin
   protocol l2tp
   virtual-template 2
 source-ip aaa.bbb.fa0.1
 terminate-from hostname vcollecte
 local name tunnel-l2
 lcp renegotiation always
 no l2tp tunnel authentication

I think you need to enable l2tp tunnel authentication, not 100% sure..

Regarding the address redistribution (even though I think it always a
bad idea to redistribute PPP user's /32 into your IGP directly, please
try to summarize): You need to match against ACLs in your route-map..
You cannot match against interfaces as the users are terminated on
virtual-access interfaces which you cannot use in "match interface")..

	oli

Xavier Beaudouin <> wrote on Wednesday, February 15, 2006 6:28 PM:

> Hello there,
> 
> 
> I am in the process to install an LNS for ADSL L2TP tunnel ending.
> 
> I am looking forward a way to provide the right Virtual Template
> provided by a Radius, with a default Virtual Template when a virtual
> template is not provided by the Radius.
> 
> Here is Radius entry for user that should use a vpdn-group, but it
> seems I have missed something.... ?
> 
> Also in this configuration, I need that some Virtual Template that is
> inherited be exported using ISIS.... Doesn't seesm to works
> anymore... :/
> 
> radtest Test2 Test2 127.0.0.1 0 <verysecret>
> Sending Access-Request of id 107 to 127.0.0.1:1812
>          User-Name = "Test2"
>          User-Password = "Test2"
>          NAS-IP-Address = radius1
>          NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=107,
> length=161
>          Framed-IP-Address = aaa.bbb.fa0.3
>          Cisco-AVPair = "vpdn:vpdn-group=vcollecte"
>          Framed-Compression = Van-Jacobson-TCP-IP
>          Framed-Protocol = PPP
>          Service-Type = Framed-User
>          Framed-MTU = 1492
>          Framed-Routing = None
>          Framed-IP-Netmask = 255.255.255.255
>          Idle-Timeout = 3600
>          Ascend-Client-Primary-DNS = 1.2.3.10
>          Ascend-Client-Secondary-DNS = 1.2.2.11
>          Tunnel-Type:0 = L2TP
>          Tunnel-Medium-Type:0 = IP
>          Class = 0x123456789
>          Tunnel-Server-Endpoint:0 = "aaa.bbb.lo0.1"
>

More information about the cisco-bba mailing list