[cisco-nas] LNS with 7202 : how to associate a VLAN to a Radius account ?

Xavier Beaudouin kiwi at oav.net
Wed Jan 25 04:25:35 EST 2006


Hi there,

This is my first message here, so be gentle if I ask something that already has a reply.

Our setup is pretty simple, but we'd like to push some user accounts into a specific VLAN to "protect" them with a firewall.

Ideally we'd like the VLAN to be chosen by a RADIUS attribute (which one?), even if it needs some local configuration (virtual interface, ...).

Any hint, idea or good pointer to look around?

Current configuration (IPs and passwords are censored to protect the innocent):

Current configuration : 4074 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname lns-1
!
boot-start-marker
boot system flash disk0:c7200-js-mz.123-17a.bin
boot-end-marker
!
logging queue-limit 100
logging buffered 4096 debugging
no logging console
enable secret XXXXXXXXXXXX
enable password xxxxxxxxxxxx
!
clock timezone FRANCE 1
clock summer-time FRANCE recurring last Sun Mar 3:00 last Sun Sep 3:00
syscon address xxxxxxxxxx 150498
syscon shelf-id 0
aaa new-model
!
!
aaa group server radius ADSL
server xxx.xxx.xxx.5 auth-port 1812 acct-port 1813
server xxx.xxx.xxx.6 auth-port 1812 acct-port 1813
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp ADSL group ADSL
aaa authorization config-commands
aaa authorization exec default local
aaa authorization network ADSL group ADSL
aaa accounting delay-start
aaa accounting network ADSL start-stop group ADSL
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip telnet source-interface GigabitEthernet1/0.850
!
!
no ip bootp server
ip cef
vpdn enable
vpdn source-ip xxx.xxx.xxx.1
vpdn search-order domain
vpdn domain-delimiter @ suffix
!
vpdn-group collecte
! Default L2TP VPDN group
accept-dialin
   protocol l2tp
   virtual-template 1
source-ip xxx.xxx.xxx.1
local name tunnel-adsl
lcp renegotiation always
no l2tp tunnel authentication
!
clns routing
!
!
interface Loopback0
description Loopback de test
ip address xxx.xxx.xxx.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface GigabitEthernet1/0
description NetIron Eth50
no ip address
negotiation auto
!
interface GigabitEthernet1/0.850
description COLLECTE_ADSL
encapsulation dot1Q 850
ip address bbb.bbb.bbb.xxx 255.255.255.248
ip router isis
no snmp trap link-status
tag-switching ip
clns router isis
!
interface GigabitEthernet2/0
ip address aaa.aaa.aaa.aaa 255.255.255.252
negotiation auto
!
interface POS3/0
no ip address
shutdown
!
interface Virtual-Template1
description Virtual-Templace ARRIVEE DSL GENERAL PHASE 1
ip unnumbered Loopback0
ip mtu 1492
ip tcp adjust-mss 1420
peer default ip address pool l2tp
ppp authentication chap pap callin ADSL
ppp authorization ADSL
ppp accounting ADSL
!
router isis
net 49........
ip fast-convergence
log-adjacency-changes
redistribute connected level-1-2
redistribute static ip
!
ip local pool l2tp ccc.ccc.ccc.0 ccc.ccc.ccc.255
ip classless
no ip http server
ip http access-class 20
!
!
logging trap debugging
logging source-interface GigabitEthernet1/0.850
logging xxx.xxx.xxx.xxx
access-list 20 permit xx.xxx.xxx.xxx 0.255.255.255
access-list 20 deny   any log
access-list 97 remark ACL de management SNMP pour les radius
access-list 97 permit xxx.xxx.xxx.5
access-list 97 permit xxx.xxx.xxx.6
access-list 97 deny   any
access-list 99 remark ACL de management SNMP
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 deny   any
!
snmp-server community xxxxxxxxx RO 99
snmp-server community xxxxxxxxx RO 97
snmp ifmib ifalias long
!
!
radius-server host xxx.xxx.xxx.5 auth-port 1812 acct-port 1813 key @consored@
radius-server host xxx.xxx.xxx.6 auth-port 1812 acct-port 1813 key @consored@
!
!
dial-peer cor custom
!
!
!
gateway
!
!
gatekeeper
shutdown
!
!
line con 0
transport output all
stopbits 1
line aux 0
transport output all
stopbits 1
line vty 0 4
password @consored@
transport input all
transport output all
!
!
end

Any idea on how to make it work simply and flexibly (some users will be directly connected, others will have to go through a firewall on a specific VLAN)?

Thanks !

/Xavier
