[cisco-bba] AAA & VPDN (Tunnel-Client-Endpoint)

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Aug 16 00:05:28 EDT 2007


Euan Galloway <> wrote on Wednesday, August 15, 2007 11:26 PM:

> On Thu, May 03, 2007 at 05:12:32PM +0900, Denis V. Schapov wrote:
>> Hi.
>> 
>> Is it possible to get radius attribute 66, Tunnel-Client-Endpoint or
>> its value on another attribute for incoming VPDN (L2TP, PPTP)
>> connections to LNS in Radius authentication requests for ppp/network
>> authentication/authorization?
>> Currently this attribute is present only in accounting
>> start/stop/alive.
>> LNS is running 12.2(31)SB3x
>> Tunnel authentication is disabled.
> 
> Hmm. Worrying when you google for the answer to this and all
> you find is something else asking it.
> 
> Anyone in cisco-bba know?
> Trying to get Tunnel-Client-Endpoint (attribute 66) information (even
> if actually in another attribute) in the RADIUS Access-Request so
> that it can be used in the decision making process. By the time it
> arrives in the Start Accounting it's too late.
> 
> vpdn questions seem to be pretty randomly distributed between
> cisco-bba, cisco-nas and cisco-nsp, but I thought I'd take a punt in
> here.

There could be more elegant ways of doing this with ISG, but in "legacy"
vpdn code, you can address this using "vpdn aaa attribute nas-ip-address
vpdn-nas" on the LNS. This changes the NAS-IP-Address to the LAC's
address, which could help you. It's not a perfect solution, though..

	oli
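
Added example, not part of the original thread or of any Cisco code: a RADIUS-server-side sketch of the decision the question asks for, reading NAS-IP-Address (attribute 4) from the Access-Request on the assumption that the LNS has "vpdn aaa attribute nas-ip-address vpdn-nas" configured, so that the attribute carries the LAC's address. The function names, the allowed networks and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1    # RADIUS packet code, RFC 2865
USER_NAME = 1         # attribute types, RFC 2865
NAS_IP_ADDRESS = 4

def parse_attributes(packet: bytes) -> dict:
    """Split a RADIUS packet into {attribute type: [raw values]}."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def lac_from_access_request(packet: bytes) -> ipaddress.IPv4Address:
    """Return NAS-IP-Address, assumed to hold the LAC's address (see lead-in)."""
    if packet[:1] != bytes([ACCESS_REQUEST]):
        raise ValueError("not an Access-Request")
    values = parse_attributes(packet).get(NAS_IP_ADDRESS, [])
    if len(values) != 1 or len(values[0]) != 4:
        raise ValueError("missing or malformed NAS-IP-Address")
    return ipaddress.IPv4Address(values[0])

def lac_allowed(packet: bytes, allowed_nets) -> bool:
    """Policy decision: is the session's LAC inside an allowed network?"""
    lac = lac_from_access_request(packet)
    return any(lac in ipaddress.ip_network(net) for net in allowed_nets)

def build_access_request(user: str, nas_ip: str) -> bytes:
    """Constructed sample packet (zeroed authenticator), for the demo only."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    body = attr(USER_NAME, user.encode())
    body += attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    pkt = build_access_request("user@example.net", "192.0.2.10")
    print(lac_from_access_request(pkt), lac_allowed(pkt, ["192.0.2.0/24"]))
```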

