[cisco-nas] VPDN - authen-before-forward
Jaco Engelbrecht
bje at serendipity.org.za
Thu May 5 15:21:33 EDT 2005
Hi,
We're busy consolidating two major dial-up providers' infrastructure into one dial-up infrastructure, and are stuck with a VPDN problem.
The one ISP used 'vpdn authen-before-forward' in the global IOS configuration for a Per User VPDN product, and the other ISP used realm and DNIS based VPDN authentication in RADIUS (which relies on the realm/dnis:5555 usernames to be sent through in RADIUS access request packets).
In our various tests, if we enable 'vpdn authen-before-forward' in the global IOS configuration, the realm and DNIS based VPDN authentication does not work, because the 'vpdn authen-before-forward' command instructs the NAS (LAC) to authenticate the complete username before it makes a forwarding decision. The Cisco solution is to make use of vpdn-groups on the NASs, with either realm (domain) or DNIS routing per VPDN group. That's not really scalable over 120+ NASs, and having over 250 VPDN domain/DNIS groups...
I have found a way to make both products work, leaving the 'vpdn authen-before-forward' in the global IOS configuration for Per User VPDNs, and changing the way the DNIS and Realm based VPDN RADIUS config works.
Previous DNIS based VPDN RADIUS configuration:-

dnis:2144510 User-Password == "cisco"
	Service-Type = Outbound-User,
	Cisco-AVPair = "vpdn:ip-addresses=172.22.36.129",
	Cisco-AVPair += "vpdn:tunnel-id=ffgtwd",
	Cisco-AVPair += "vpdn:tunnel-type=l2tp",
	Cisco-AVPair += "vpdn:l2tp-tunnel-password=MIO4y5az"

New way to do it with FreeRADIUS:-

DEFAULT Called-Station-Id =~ "2144510$", Auth-Type := Accept
	Service-Type = Outbound-User,
	Cisco-AVPair = "vpdn:ip-addresses=172.22.36.129",
	Cisco-AVPair += "vpdn:tunnel-id=ffgtwd",
	Cisco-AVPair += "vpdn:tunnel-type=l2tp",
	Cisco-AVPair += "vpdn:l2tp-tunnel-password=MIO4y5az"

Previous Realm based VPDN RADIUS configuration:-

serendipity User-Password == "cisco"
	Service-Type = Outbound-User,
	Cisco-AVPair = "vpdn:ip-addresses=172.22.36.129",
	Cisco-AVPair += "vpdn:tunnel-id=ffgtwd",
	Cisco-AVPair += "vpdn:tunnel-type=l2tp",
	Cisco-AVPair += "vpdn:l2tp-tunnel-password=MIO4y5az"

New way to do it with FreeRADIUS:-

DEFAULT Suffix =~ "@serendipity$", Auth-Type := Accept
	Service-Type = Outbound-User,
	Cisco-AVPair = "vpdn:ip-addresses=172.22.36.129",
	Cisco-AVPair += "vpdn:tunnel-id=ffgtwd",
	Cisco-AVPair += "vpdn:tunnel-type=l2tp",
	Cisco-AVPair += "vpdn:l2tp-tunnel-password=MIO4y5az"
Any comments/suggestions are welcome; perhaps there is a better way to do this?
Cheers,
Jaco
--
bje at serendipity.org.za
the faculty of making fortunate discoveries
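Added example, not part of the post above and not the poster's or FreeRADIUS's own code: a small Python emulation of how the "New way" users-file DEFAULT entries are matched, plus a generator for the 250-odd group entries and a check for a pitfall in the posted check items. The posted patterns anchor only the end ("2144510$", "@serendipity$"), so a DEFAULT entry for DNIS 2144510 also matches a call to a longer number ending in those digits, and because DEFAULT entries are tried in order with first match winning (no Fall-Through), that call is forwarded to the wrong LNS. The group table, LNS addresses, tunnel IDs and secrets are constructed placeholders; how the Suffix check item is derived from User-Name is an assumption modelled as '@' plus everything after the last '@'.

```python
"""Emulate FreeRADIUS users-file DEFAULT matching for DNIS/realm VPDN forwarding.

Added example, not from the original post. The group table is constructed;
LNS addresses, tunnel IDs and tunnel secrets are hypothetical placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed VPDN group table (hypothetical values). The two DNIS entries
# deliberately share a suffix to show the anchoring pitfall.
VPDN_GROUPS: List[Dict[str, str]] = [
    {"kind": "dnis", "key": "2144510", "lns": "172.22.36.129",
     "tunnel_id": "ffgtwd", "secret": "MIO4y5az"},
    {"kind": "dnis", "key": "12144510", "lns": "172.22.36.130",
     "tunnel_id": "ffgtwd2", "secret": "hJk82qzP"},
    {"kind": "realm", "key": "serendipity", "lns": "172.22.36.129",
     "tunnel_id": "ffgtwd", "secret": "MIO4y5az"},
]


def check_pattern(group: Dict[str, str], anchored: bool) -> str:
    """Regex for the check-item line. anchored=False reproduces the post's
    end-only anchor; anchored=True anchors both ends so a longer DNIS that
    merely ends in the same digits does not match."""
    key = re.escape(group["key"])
    if group["kind"] == "dnis":
        return f"^{key}$" if anchored else f"{key}$"
    return f"^@{key}$" if anchored else f"@{key}$"


def users_entry(group: Dict[str, str], anchored: bool = True) -> str:
    """Render one users-file entry in the same shape as the post."""
    attr = "Called-Station-Id" if group["kind"] == "dnis" else "Suffix"
    lines = [
        f'DEFAULT {attr} =~ "{check_pattern(group, anchored)}", Auth-Type := Accept',
        "\tService-Type = Outbound-User,",
        f'\tCisco-AVPair = "vpdn:ip-addresses={group["lns"]}",',
        f'\tCisco-AVPair += "vpdn:tunnel-id={group["tunnel_id"]}",',
        '\tCisco-AVPair += "vpdn:tunnel-type=l2tp",',
        f'\tCisco-AVPair += "vpdn:l2tp-tunnel-password={group["secret"]}"',
    ]
    return "\n".join(lines)


def render_users_file(groups: List[Dict[str, str]], anchored: bool = True) -> str:
    """Generate the whole users-file fragment for a group table."""
    return "\n\n".join(users_entry(g, anchored) for g in groups) + "\n"


def suffix_of(user_name: str) -> Optional[str]:
    """Assumed model of the Suffix check item: '@' plus the text after the
    last '@' in User-Name, or None when there is no realm."""
    if "@" not in user_name:
        return None
    return "@" + user_name.rsplit("@", 1)[1]


def match_request(groups: List[Dict[str, str]], user_name: str,
                  called_station_id: str, anchored: bool = True) -> Optional[Dict[str, str]]:
    """First-match emulation of the DEFAULT entries (no Fall-Through).
    Returns the matching group, or None when the request falls through to
    ordinary per-user authentication."""
    for g in groups:
        subject = called_station_id if g["kind"] == "dnis" else suffix_of(user_name)
        if subject is not None and re.search(check_pattern(g, anchored), subject):
            return g
    return None


def find_dnis_overlaps(groups: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs (short, long) where one DNIS is a proper suffix of another: with
    an end-only anchor the short entry also matches calls to the long number."""
    dnis = [g["key"] for g in groups if g["kind"] == "dnis"]
    return [(a, b) for a in dnis for b in dnis if a != b and b.endswith(a)]


if __name__ == "__main__":
    print(render_users_file(VPDN_GROUPS))
    print("overlapping DNIS patterns:", find_dnis_overlaps(VPDN_GROUPS))
```

Run find_dnis_overlaps over the real group table before deploying the generated file; anything it reports should get the fully anchored pattern. Also keep in mind that Auth-Type := Accept skips the password check entirely for anything the regex matches, which is acceptable here only because the LAC just forwards the tunnel and the LNS does the real user authentication.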