[nsp] request-dialin, some confusion about it
Victor Sudakov
sudakov at sibptus.tomsk.ru
Wed Jan 14 22:23:05 EST 2004
Oliver Boehmer (oboehmer) wrote:
> > > > I have come across an odd thing. Even if there are absolutely no
> > > > request-dialin vpdn-groups defined on a C3662, each time a user
> > > > tries to PPP authenticate as username at some.domain.com, this
> > > > "some.domain.com" is sent to the AAA server in search for a vpdn
> > > > tunnel.
> > > >
> > > > Is this normal behavior ?
> > >
> > > It is if you configured "aaa authorization network default radius
> > > ..." and "vpdn enable".
> >
> > Yes, the router is configured as you said.
> >
> > > If you only want to authorize your vpdn users locally
> > > using vpdn groups, you'd need to enable "aaa authorization network
> > > default local" and use a different aaa method list for your ppp
> > > users.
> >
> > I see. Is this documented anywhere? Because
> >
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/
> dialns_c/dnsprt3/dcdvpn.htm
> > gives the impression that defining a request-dialin vpdn-group is
> > required for LAC operation.
>
> well, I somewhat agree, the document (which is somewhat outdated as it
> still uses the old syntax) could elaborate a bit more on this
> difference.
>
> > However, I would prefer to use the default method list for the regular
> > ppp users and a different aaa method list for the NAS AAA Tunnel
> > Definition Lookup (I guess that's what it's called). Do you think this
> > is possible?
>
> No, unfortunately it is not. vpdn will always use the default network
> authorization method.
Could you also please tell how I should specify several redundant home
gateways with different priorities, using RADIUS authorization?
The only paper I could find about RADIUS Authentication for VPDNs is
http://www.cisco.com/warp/public/480/vpdn_rad.html
but it does not answer my question.
Now I have in my users file:
tsu.ru Password = "cisco"
Tunnel-Server-Endpoint = x.x.x.x,
Tunnel-Type = L2TP
What attributes should I add to have several endpoints with different
priorities (I use dictionary.tunnel from radiusd-cistron-1.6.6)?
Thanks a lot for all your help.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
More information about the cisco-nsp
mailing list