[cisco-nas] VPDN - authen-before-forward

Jaco Engelbrecht bje at serendipity.org.za
Thu May 5 15:21:33 EDT 2005


Hi,

We're busy consolidating two major dial-up providers' infrastructure into one dial-up infrastructure, and are stuck with a VPDN problem.

One ISP used 'vpdn authen-before-forward' in the global IOS configuration for a Per User VPDN product, and the other ISP used realm and DNIS based VPDN authentication in RADIUS (which relies on the realm/dnis:5555 usernames being sent through in RADIUS access request packets).

With our various testing, if we enable 'vpdn authen-before-forward' in the global IOS configuration, the realm and DNIS based VPDN authentication does not work, because the 'vpdn authen-before-forward' command instructs the NAS (LAC) to authenticate the complete username before it makes a forwarding decision.  The Cisco solution is to make use of vpdn-groups on the NASs, with either realm (domain) or DNIS routing per VPDN group.  That's not really scalable over 120+ NASs, and with over 250 VPDN domain/DNIS groups...

I have found a way to make both products work, leaving the 'vpdn authen-before-forward' in the global IOS configuration for Per User VPDNs, and changing the way the DNIS and Realm based VPDN RADIUS config works.


Previous DNIS based VPDN RADIUS configuration:-

dnis:2144510    User-Password == "cisco"
                Service-Type = Outbound-User,
                Cisco-AVPair = "vpdn:ip-addresses=172.22.36.129",
                Cisco-AVPair += "vpdn:tunnel-id=ffgtwd",
                Cisco-AVPair += "vpdn:tunnel-type=l2tp",
                Cisco-AVPair += "vpdn:l2tp-tunnel-password=MIO4y5az"

New way to do it with FreeRADIUS:-

DEFAULT         Called-Station-Id =~ "2144510$", Auth-Type := Accept
                Service-Type = Outbound-User,
                Cisco-AVPair = "vpdn:ip-addresses=172.22.36.129",
                Cisco-AVPair += "vpdn:tunnel-id=ffgtwd",
                Cisco-AVPair += "vpdn:tunnel-type=l2tp",
                Cisco-AVPair += "vpdn:l2tp-tunnel-password=MIO4y5az"


Previous Realm based VPDN RADIUS configuration:-

serendipity     User-Password == "cisco"
                Service-Type = Outbound-User,
                Cisco-AVPair = "vpdn:ip-addresses=172.22.36.129",
                Cisco-AVPair += "vpdn:tunnel-id=ffgtwd",
                Cisco-AVPair += "vpdn:tunnel-type=l2tp",
                Cisco-AVPair += "vpdn:l2tp-tunnel-password=MIO4y5az"

New way to do it with FreeRADIUS:-

DEFAULT         Suffix =~ "@serendipity$", Auth-Type := Accept
                Service-Type = Outbound-User,
                Cisco-AVPair = "vpdn:ip-addresses=172.22.36.129",
                Cisco-AVPair += "vpdn:tunnel-id=ffgtwd",
                Cisco-AVPair += "vpdn:tunnel-type=l2tp",
                Cisco-AVPair += "vpdn:l2tp-tunnel-password=MIO4y5az"

Any comments/suggestions are welcome; perhaps there is a better way to do this?

Cheers,
Jaco
-- 
bje at serendipity.org.za
the faculty of making fortunate discoveries
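A small Python model of how the FreeRADIUS users entries above select a tunnel, added here as an example; it is not code from the original post or from FreeRADIUS. The way Suffix is derived from User-Name, the sample request attributes and the "Local" default Auth-Type are assumptions.

```python
import re

# Added example, not the post's or FreeRADIUS's code: a minimal model of how
# 'users' entries pick a VPDN tunnel. Reply items are shared by every entry,
# exactly as in the post.
TUNNEL = [
    ("Service-Type", "=", "Outbound-User"),
    ("Cisco-AVPair", "=", "vpdn:ip-addresses=172.22.36.129"),
    ("Cisco-AVPair", "+=", "vpdn:tunnel-id=ffgtwd"),
    ("Cisco-AVPair", "+=", "vpdn:tunnel-type=l2tp"),
    ("Cisco-AVPair", "+=", "vpdn:l2tp-tunnel-password=MIO4y5az"),
]

# (entry name, check items, reply items). The two DEFAULT entries are the
# post's "new way"; the last one is the "previous" realm entry, which only
# matches when the NAS sends the bare realm as User-Name.
# Note: "2144510$" is not anchored at the start, so any DNIS that merely ends
# in 2144510 matches too; use "^2144510$" if an exact DNIS is intended.
USERS = [
    ("DEFAULT", [("Called-Station-Id", "=~", "2144510$"), ("Auth-Type", ":=", "Accept")], TUNNEL),
    ("DEFAULT", [("Suffix", "=~", "@serendipity$"), ("Auth-Type", ":=", "Accept")], TUNNEL),
    ("serendipity", [("User-Password", "==", "cisco")], TUNNEL),
]

def suffix_of(user_name):
    """Model of the Suffix check item: the '@realm' tail of User-Name (assumption)."""
    at = user_name.rfind("@")
    return user_name[at:] if at >= 0 else None

def entry_matches(name, checks, request):
    if name != "DEFAULT" and request.get("User-Name") != name:
        return False
    for attr, op, value in checks:
        if op == ":=":          # control item (Auth-Type): sets state, never filters
            continue
        actual = suffix_of(request.get("User-Name", "")) if attr == "Suffix" else request.get(attr)
        if actual is None or (op == "==" and actual != value):
            return False
        if op == "=~" and not re.search(value, actual):
            return False
    return True

def authorize(request):
    """Return (Auth-Type, reply dict) from the first matching entry, else ("Reject", {})."""
    for name, checks, replies in USERS:
        if not entry_matches(name, checks, request):
            continue
        # Auth-Type := Accept means the LAC never checks the user's password;
        # with this setup the LNS at the far end of the tunnel must do so.
        auth = {a: v for a, op, v in checks if op == ":="}.get("Auth-Type", "Local")
        reply = {}
        for attr, op, value in replies:
            reply[attr] = (reply.get(attr, []) + [value]) if op == "+=" else [value]
        return auth, reply
    return "Reject", {}
```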
