[cisco-nas] VPDN Problems

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Dec 10 02:06:34 EST 2003


Daniel,

> > use "vpdn authen-before-forward", and just pass the tunnel
> > attributes in the AAA profile. So just like the way
> > authen-before-forward works on the NAS/LAC, if IOS finds tunnel
> > attributes, it forwards the session, if it doesn't, it terminates
> > the user locally. 
> 
> Is there a way to configure that statically in IOS? Or does this
> forwarding configuration _have_ to come via RADIUS?

No, not yet. Currently per-user vpdn information needs to come from AAA.
See also
http://www.cisco.com/warp/public/793/access_dial/vpdn-username.shtml

Please note that globally enabling "vpdn authen-before-forward" changes
the way the LAC authorizes vpdn users: it no longer tries to authorize
the domain, but rather forwards the full username (user@domain.com) to
RADIUS. You can also enable authen-before-forward within a vpdn-group
(selected on DNIS), so not all sessions are subject to per-user
authorization.

	oli


