[nsp] request-dialin, some confusion about it

Victor Sudakov sudakov at sibptus.tomsk.ru
Wed Jan 14 22:23:05 EST 2004


Oliver Boehmer (oboehmer) wrote:
> > > > I have come across an odd thing. Even if there are absolutely no
> > > > request-dialin vpdn-groups defined on a C3662, each time a user
> > > > tries to PPP authenticate as username at some.domain.com, this
> > > > "some.domain.com" is sent to the AAA server in search for a vpdn
> > > > tunnel. 
> > > > 
> > > > Is this normal behavior ?
> > > 
> > > It is if you configured "aaa authorization network default radius
> > > ..." and "vpdn enable".
> > 
> > Yes, the router is configured as you said.
> > 
> > > If you only want to authorize your vpdn users locally
> > > using vpdn groups, you'd need to enable "aaa authorization network
> > > default local" and use a different aaa method list for your ppp
> > > users. 
> > 
> > I see. Is this documented anywhere? Because
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/dialns_c/dnsprt3/dcdvpn.htm
> > gives the impression that defining a request-dialin vpdn-group is
> > required for LAC operation.
> 
> Well, I somewhat agree, the document (which is somewhat outdated as it
> still uses the old syntax) could elaborate a bit more on this
> difference. 
>  
> > However, I would prefer to use the default method list for the regular
> > ppp users and a different aaa method list for the NAS AAA Tunnel
> > Definition Lookup (I guess that's what it's called). Do you think this
> > is possible?
> 
> No, unfortunately it is not. vpdn will always use the default network
> authorization method. 

Could you also please tell me how I should specify several redundant home
gateways with different priorities, using RADIUS authorization?

The only paper I could find about RADIUS Authentication for VPDNs is
http://www.cisco.com/warp/public/480/vpdn_rad.html

but it does not answer my question.

Now I have in my users file:

tsu.ru Password = "cisco"
        Tunnel-Server-Endpoint = x.x.x.x,
        Tunnel-Type = L2TP

What attributes should I add to have several endpoints with different
priorities (I use dictionary.tunnel from radiusd-cistron-1.6.6)?

Thanks a lot for all your help.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN

