[c-nsp] assigning pptp users to specific vpdn groups (orvirtual-templates)

Roy Blamski roy at santaba.com
Mon Aug 6 20:25:08 EDT 2007


Oli,
Thanks much.  The "lcp:interface-config=<cmd>" attribute is just what I was
looking for.  My goal is to simply be able to segregate users into different
classes, with the initial goal being one for engineers (they have direct
access to server networks) and the other for business folk (they can only
access internal web sites).  Using the above RADIUS attribute that you
provided I can assign specific ACLs on a per-user (or group) basis.  Unless
there's a better way to do this, I think this will do fine.

-roy

On 8/5/07, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>
> Roy Blamski <> wrote on Friday, August 03, 2007 8:53 PM:
>
> > I'm currently using the following setup on a 2851 (12.4) for incoming
> > pptp connections:
> >
> > vpdn-group pptp-dialin
> > ! Default PPTP VPDN group
> >  description PPTP dialin users
> >  accept-dialin
> >   protocol pptp
> >   virtual-template 1
> >
> > interface Virtual-Template1
> >  ip unnumbered GigabitEthernet0/0
> >  ip nat inside
> >  ip virtual-reassembly
> >  peer default ip address pool pptp-pool
> >  ppp encrypt mppe auto
> >  ppp authentication ms-chap-v2 ms-chap
> >
> > Auth is done via a RADIUS server.  I can assign users to specific
> > address pools via:
> >
> > Cisco-AVPair := "ip:addr-pool=pptp-pool"
> >
> > but is there a way to assign them to different virtual templates?  I
> > had thought that this would do the trick:
> > Cisco-AVPair := "vpdn:vpdn-vtemplate=10"
> >
> > but it doesn't seem to work (I did have a virtual-template10).  Is
> > what I want to do possible?
>
> currently, the only option is to split this up into different
> vpdn-groups by using the "terminate-from hostname <name>" command within
> the vpdn-group and have the LAC assign a different tunnel hostname for
> each session.
>
> You cannot do this on a per-user basis on the LNS, as the choice of
> vtemplate also defines the authentication type, so once you authenticate
> the user, the vtemplate selection has already been made. So unless you
> own the LAC (or have the LAC ask your AAA server), doing this on a
> per-user basis is tricky :-|
>
> The "vpdn:vpdn-vtemplate" is essentially the same, this is used as part
> of the LNS tunnel authorization feature which basically replaces a
> static vpdn-group configuration on the LNS by a dynamic Radius solution.
>
> What are you trying to accomplish? You can apply arbitrary interface
> configuration commands during the user authorization phase
> ("lcp:interface-config=<cmd>"), so apart from authentication, you should
> be able to set up the resulting virtual-access interface as you desire,
> even if you use a common vtemplate.
>
> I'm not up to date with recent Intelligent Service Gateway (ISG)
> functionality in 12.2SB, maybe there are options with the new
> infrastructure there.
>
>         oli
>
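The per-user ACL assignment the thread settles on (a common virtual-template, with "ip:addr-pool=..." and "lcp:interface-config=<cmd>" pushed from RADIUS) is easy to get wrong in one way: a user whose group is not mapped must not silently land on the permissive template. The following is an added example, not code from the thread or from Cisco; it builds the Cisco-AVPair values for each user class, renders them as FreeRADIUS `users`-file entries, and fails closed to a deny-all ACL for any unmapped group. The ACL names (ENG-VPN-IN, BIZ-VPN-IN, VPN-DENY-ALL), the usernames and the group names are constructed for illustration.

```python
"""Per-group RADIUS authorization for PPTP users on a shared virtual-template.

Added example (not from the c-nsp thread). Assumes the FreeRADIUS 'users'
file syntax for reply items and the IOS command 'ip access-group <acl> in'.
ACL names, usernames and group names below are hypothetical.
"""
import re

POOL = "pptp-pool"  # address pool named in the original thread

# Group -> ACL applied inbound on the resulting virtual-access interface.
# Engineers reach server networks, business users only internal web sites
# (the ACL bodies live on the router and are not shown here).
GROUP_ACL = {
    "engineers": "ENG-VPN-IN",
    "business": "BIZ-VPN-IN",
}

# Fail-closed default: an unmapped group gets a deny-all ACL rather than
# inheriting whatever the common virtual-template allows.
DEFAULT_ACL = "VPN-DENY-ALL"

# Only the two attribute namespaces used in the thread are accepted.
AVPAIR_RE = re.compile(r"^(ip|lcp):([a-z-]+)=(.+)$")
# IOS named ACLs: start with a letter, then letters/digits/_/-.
ACL_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,63}$")


def acl_for_group(group):
    """Return the ACL name for a group, falling back to deny-all."""
    acl = GROUP_ACL.get(group, DEFAULT_ACL)
    if not ACL_NAME_RE.match(acl):
        raise ValueError(f"bad ACL name in policy: {acl!r}")
    return acl


def avpairs_for(group):
    """Cisco-AVPair values RADIUS should return for a user in `group`."""
    acl = acl_for_group(group)
    return [
        f"ip:addr-pool={POOL}",
        f"lcp:interface-config=ip access-group {acl} in",
    ]


def parse_avpair(value):
    """Split 'ns:key=val' into its parts; reject anything outside ip:/lcp:."""
    m = AVPAIR_RE.match(value)
    if not m:
        raise ValueError(f"unexpected Cisco-AVPair: {value!r}")
    return m.group(1), m.group(2), m.group(3)


def users_file_entry(username, group):
    """Render one FreeRADIUS 'users' entry: check item line, then reply items.

    The password is left as a placeholder; MS-CHAPv2 needs a cleartext or
    NT-hash password, which should come from a secret store, not this file.
    """
    pairs = avpairs_for(group)
    for p in pairs:
        parse_avpair(p)  # sanity-check what we are about to hand out
    lines = [f'{username}\tCleartext-Password := "<from-secret-store>"']
    for i, p in enumerate(pairs):
        sep = "," if i < len(pairs) - 1 else ""
        lines.append(f'\tCisco-AVPair += "{p}"{sep}')
    return "\n".join(lines)


def render_users_file(assignments):
    """Render entries for a {username: group} mapping (constructed input)."""
    return "\n\n".join(users_file_entry(u, g) for u, g in assignments.items())


if __name__ == "__main__":
    # Constructed sample: one user per class plus one with an unmapped group.
    print(render_users_file({
        "alice": "engineers",
        "bob": "business",
        "carol": "contractors",  # not in GROUP_ACL -> VPN-DENY-ALL
    }))
```

The deny-all fallback is the part worth keeping even if the rest is replaced by a group lookup in LDAP or a `DEFAULT` entry: with a shared virtual-template, an authorization that returns no `lcp:interface-config` at all leaves the session with the template's own (unfiltered) interface configuration.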
