[c-nsp] assigning pptp users to specific vpdn groups (orvirtual-templates)
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Tue Aug 7 02:11:07 EDT 2007
Roy,
a more elegant way to assign per-user access-lists is to use the AVPs
"ip:inacl" and "ip:outacl". Then you can even define the access-list
entries themselves on the Radius server. Take a look at
http://www.cisco.com/en/US/docs/ios/12_0/dial/configuration/guide/dcperusr.html
for some examples.
oli
________________________________
From: Roy Blamski [mailto:roy at santaba.com]
Sent: Tuesday, August 07, 2007 2:25 AM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] assigning pptp users to specific vpdn groups
(orvirtual-templates)
oli,
thanks much. the "lcp:interface-config=<cmd>" attribute is just what I
was looking for. my goal is to simply be able to segregate users into
different classes, with the initial goal being one for engineers (they
have direct access to server networks) and the other for business folk
(they can only access internal web sites). Using the above radius
attribute that you provided I can assign specific ACLs on a per-user (or
group) basis. Unless there's a better way to do this, I think this will
do fine.
-roy
On 8/5/07, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
Roy Blamski <> wrote on Friday, August 03, 2007 8:53 PM:
> I'm currently using the following setup on a 2851 (12.4) for incoming
> pptp connections:
>
> vpdn-group pptp-dialin
>  ! Default PPTP VPDN group
>  description PPTP dialin users
>  accept-dialin
>   protocol pptp
>   virtual-template 1
>
> interface Virtual-Template1
>  ip unnumbered GigabitEthernet0/0
>  ip nat inside
>  ip virtual-reassembly
>  peer default ip address pool pptp-pool
>  ppp encrypt mppe auto
>  ppp authentication ms-chap-v2 ms-chap
>
> auth is done via a radius server. I can assign users to specific
> address pools via:
>
> Cisco-AVPair := "ip:addr-pool=pptp-pool"
>
> but is there a way to assign them to different virtual templates? I
> had thought that this would do the trick:
> Cisco-AVPair := "vpdn:vpdn-vtemplate=10"
>
> but it doesn't seem to work (I did have a virtual-template10). Is
> what I want to do possible?
currently, the only option is to split this up into different
vpdn-groups by using the "terminate-from hostname <name>" command within
the vpdn-group and have the LAC assign a different tunnel hostname for
each session.

You cannot do this on a per-user basis on the LNS, as the choice of
vtemplate also defines the authentication type, so once you authenticate
the user, the vtemplate selection has already been made. So unless you
own the LAC (or have the LAC ask your AAA server), doing this on a
per-user basis is tricky :-|

The "vpdn:vpdn-vtemplate" is essentially the same, this is used as part
of the LNS tunnel authorization feature which basically replaces a
static vpdn-group configuration on the LNS by a dynamic Radius
solution.

What are you trying to accomplish? You can apply arbitrary interface
configuration commands during the user authorization phase
("lcp:interface-config=<cmd>"), so apart from authentication, you should
be able to set up the resulting virtual-access interface as you desire,
even if you use a common vtemplate.
I'm not up to date with recent Intelligent Service Gateway (ISG)
functionality in 12.2SB, maybe there are options with the new
infrastructure there.
oli
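Added illustration for this archive page (not taken from any message in the thread or from Cisco documentation): the RADIUS side of the two approaches discussed above, Roy's "lcp:interface-config=<cmd>" attribute and Oliver's "ip:inacl" per-user ACL entries, written as FreeRADIUS "users" file entries for the engineer/business-user split Roy describes. The usernames, the 10.10.0.0/16 server range, the 10.20.0.0/16 intranet range, the ACL name BIZ-IN and the password placeholder are all constructed for the example.

```text
# Constructed FreeRADIUS "users" entries (hypothetical names, addresses
# and ACL name; the password is a placeholder). All users still land on
# the single Virtual-Template1 from the thread; only the per-user
# attributes differ.

# Engineers: pptp-pool, full access to the (made-up) server networks,
# everything else dropped by the last entry of the downloaded ACL.
eng-alice   Cleartext-Password := "PLACEHOLDER-CHANGE-ME"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Cisco-AVPair = "ip:addr-pool=pptp-pool",
            Cisco-AVPair += "ip:inacl#1=permit ip any 10.10.0.0 0.0.255.255",
            Cisco-AVPair += "ip:inacl#2=deny ip any any"

# Business users: same pool, only HTTP/HTTPS to the (made-up) internal
# web servers plus DNS to one resolver; default deny at the end.
biz-bob     Cleartext-Password := "PLACEHOLDER-CHANGE-ME"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Cisco-AVPair = "ip:addr-pool=pptp-pool",
            Cisco-AVPair += "ip:inacl#1=permit tcp any 10.20.0.0 0.0.255.255 eq 80",
            Cisco-AVPair += "ip:inacl#2=permit tcp any 10.20.0.0 0.0.255.255 eq 443",
            Cisco-AVPair += "ip:inacl#3=permit udp any host 10.20.0.53 eq 53",
            Cisco-AVPair += "ip:inacl#4=deny ip any any"

# Same policy using the attribute Roy settled on: push an "ip access-group"
# line onto the virtual-access interface and keep the ACL body on the
# router (the named ACL BIZ-IN must already exist in the IOS config).
biz-carol   Cleartext-Password := "PLACEHOLDER-CHANGE-ME"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Cisco-AVPair = "ip:addr-pool=pptp-pool",
            Cisco-AVPair += "lcp:interface-config=ip access-group BIZ-IN in"
```

Two things a practitioner would check before relying on this. The reply attributes are only applied if the router performs network authorization against RADIUS, so the 2851 needs "aaa authorization network default group radius" next to its existing PPP authentication line; with authentication alone the AV pairs are silently ignored and every user gets the unfiltered template. And each downloaded ACL ends in an explicit deny, so a typo in an entry fails closed rather than giving a business user engineer-level reach; after a test login, "show ip access-lists" on the router shows the per-user entries that were actually installed, and "debug radius" shows whether the AV pairs arrived at all.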