[nsp] request-dialin, some confusion about it
Victor Sudakov
sudakov at sibptus.tomsk.ru
Wed Jan 14 10:08:21 EST 2004
Oliver Boehmer (oboehmer) wrote:
>
> > I have come across an odd thing. Even if there are absolutely no
> > request-dialin vpdn-groups defined on a C3662, each time a user tries
> > to PPP authenticate as username at some.domain.com, this
> > "some.domain.com" is sent to the AAA server in search for a vpdn
> > tunnel.
> >
> > Is this normal behavior ?
>
> It is if you configured "aaa authorization network default radius ..."
> and "vpdn enable".
Yes, the router is configured as you said.
> If you only want to authorize your vpdn users locally
> using vpdn groups, you'd need to enable "aaa authorization network
> default local" and use a different aaa method list for your ppp users.
I see. Is this documented anywhere? Because
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/dialns_c/dnsprt3/dcdvpn.htm
gives the impression that defining a request-dialin vpdn-group is
required for LAC operation.
However, I would prefer to use the default method list for the regular
ppp users and a different aaa method list for the NAS AAA Tunnel
Definition Lookup (I guess that's what it's called). Do you think this
is possible?
>
> > Yet another question. When the NAS contacts the Radius server looking
> > for a tunnel, it sends "some.domain.com" as username and "cisco" as
> > password. Is there a way to change this default "cisco" password?
>
> Hmm, not that I know of, but I might be wrong.
Thanks a lot for replying.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
More information about the cisco-nsp
mailing list