[nsp] request-dialin, some confusion about it

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Jan 14 11:52:08 EST 2004


> > > I have come across an odd thing. Even if there are absolutely no
> > > request-dialin vpdn-groups defined on a C3662, each time a user
> > > tries to PPP authenticate as username at some.domain.com, this
> > > "some.domain.com" is sent to the AAA server in search for a vpdn
> > > tunnel. 
> > > 
> > > Is this normal behavior ?
> > 
> > It is if you configured "aaa authorization network default radius
> > ..." and "vpdn enable".
> 
> Yes, the router is configured as you said.
> 
> > If you only want to authorize your vpdn users locally
> > using vpdn groups, you'd need to enable "aaa authorization network
> > default local" and use a different aaa method list for your ppp
> > users. 
> 
> I see. Is this documented anywhere? Because
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/dialns_c/dnsprt3/dcdvpn.htm
> gives the impression that defining a request-dialin vpdn-group is
> required for LAC operation.

Well, I somewhat agree, the document (which is somewhat outdated as it
still uses the old syntax) could elaborate a bit more on this
difference. 
 
> However, I would prefer to use the default method list for the regular
> ppp users and a different aaa method list for the NAS AAA Tunnel
> Definition Lookup (I guess that's what it's called). Do you think this
> is possible?

No, unfortunately it is not. vpdn will always use the default network
authorization method. 

	oli
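
The arrangement described in the replies above, as an added configuration sketch that is not part of the original thread: the default network authorization list is kept local so the VPDN tunnel lookup stays on the router, and regular PPP users are pointed at a named list. The list name PPP-USERS, the interface, the vpdn-group number, the local name and the 192.0.2.1 tunnel endpoint are assumptions chosen for illustration.

```cisco
aaa new-model
!
! VPDN always consults the default network authorization list, so making it
! "local" stops the domain part of the username from being sent to the AAA
! server as a tunnel lookup.
aaa authorization network default local
!
! Named list (assumed name) for ordinary PPP users who still need
! per-user authorization from RADIUS.
aaa authorization network PPP-USERS group radius
!
vpdn enable
!
! With local authorization, tunnels are only initiated for domains that
! match a request-dialin vpdn-group defined on the router itself.
vpdn-group 1
 request-dialin
  protocol l2tp
  domain some.domain.com
 initiate-to ip 192.0.2.1
 local name LAC1
!
! Assumed dial-in interface: bind the named list to the PPP users here.
interface Group-Async1
 ppp authentication chap
 ppp authorization PPP-USERS
```

As the last reply states, the reverse assignment (default list for PPP users, named list for the tunnel lookup) is not available, so the named list has to be applied on every interface that terminates regular PPP users.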


