[c-nsp] RE: VPDN & RADIUS Problems/configurations

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Nov 26 05:49:58 EST 2004


> 
> The only thing that remains is that I have to globally assign the
> name of the user that returns the tunnel attributes using the ip host
> command as below.
> 
> ip host vpn 192.168.1.1

Hmm..

> From the debugs I found out that when the LAC radius returns the
> tunnel attributes to the LAC, the LAC forwards the attributes to the
> LNS in order to establish the tunnel, but the LNS tries to resolve the
> host name (in my case VPN). In case it does not resolve it, it drops
> the tunnel.

You mean the LNS tries to authenticate the tunnel, i.e. find a matching
password for the tunnel name (i.e. tunnel-client-auth-id)?

> If I configure it statically on the LNS then everything works fine.
>
> I searched Cisco but I did not find any documentation to overcome
> this problem. I disabled domain-lookup on the router without any
> success. The problem now is that for every customer VPN I have to
> statically configure the names on the LNS, which is not what we want.
> We are thinking of creating DNS entries on our DNS, but I believe
> there must be a way to do it on the LNS.

It is common to configure the vpdn tunnel on the LNS statically as you
will use one tunnel between LAC and LNS, and pass all the sessions
through it, no matter which domain they belong to. So in most cases
there is no need for non-local tunnel configuration on the LNS. 
All your LAC's profiles will include the same tunnel name and password,
no matter which "domain" your customers belong to, and you'll be all
set.

If you do want to retrieve this via Radius (and I don't think you'd need
to), check out the "Tunnel Authentication via RADIUS on Tunnel Terminator"
feature
(http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122b/122b_15/ftunauth.htm)

	oli
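
The static LNS setup recommended in the reply above, as an added Cisco IOS configuration sketch that is not part of the original message. The tunnel name `vpn` comes from the thread; the group number, local name, interface and pool names, and `<shared-secret>` are placeholders assumed for illustration.

```cisco
! LNS: one statically defined L2TP tunnel shared by every customer domain
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! Must equal the tunnel name the LAC presents (Tunnel-Client-Auth-ID)
 terminate-from hostname vpn
 ! Name the LNS presents back to the LAC (placeholder)
 local name lns1
 ! Tunnel secret, identical to Tunnel-Password in every LAC profile
 l2tp tunnel password <shared-secret>
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool customers
 ppp authentication chap
!
! LAC side: each per-domain RADIUS profile returns the same tunnel
! identity, so the LNS needs no per-customer entry:
!   Tunnel-Type            = L2TP
!   Tunnel-Medium-Type     = IPv4
!   Tunnel-Server-Endpoint = <LNS address>
!   Tunnel-Client-Auth-ID  = vpn
!   Tunnel-Password        = <shared-secret>
```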


