[nsp] request-dialin, some confusion about it

Victor Sudakov sudakov at sibptus.tomsk.ru
Wed Jan 14 10:08:21 EST 2004


Oliver Boehmer (oboehmer) wrote:
> 
> > I have come across an odd thing. Even if there are absolutely no
> > request-dialin vpdn-groups defined on a C3662, each time a user tries
> > to PPP authenticate as username at some.domain.com, this
> > "some.domain.com" is sent to the AAA server in search of a vpdn
> > tunnel.
> >
> > Is this normal behavior?
> 
> It is if you configured "aaa authorization network default radius ..."
> and "vpdn enable". 

Yes, the router is configured as you said. 

> If you only want to authorize your vpdn users locally
> using vpdn groups, you'd need to enable "aaa authorization network
> default local" and use a different aaa method list for your ppp users.

I see. Is this documented anywhere? Because
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/dialns_c/dnsprt3/dcdvpn.htm
gives the impression that defining a request-dialin vpdn-group is
required for LAC operation.

However, I would prefer to use the default method list for the regular
ppp users and a different aaa method list for the NAS AAA Tunnel
Definition Lookup (I guess that's what it's called). Do you think this
is possible? 

> 
> > Yet another question. When the NAS contacts the RADIUS server looking
> > for a tunnel, it sends "some.domain.com" as username and "cisco" as
> > password. Is there a way to change this default "cisco" password?
> 
> Hmm, not that I know of, but I might be wrong.

Thanks a lot for replying.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN