[c-nsp] mpls option A with LAC and LNS
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Jul 28 01:58:59 EDT 2008
Vikas Sharma <> wrote on Monday, July 28, 2008 6:59 AM:
> Hi,
>
> Need help to resolve the situation below. The scenario is LAC / LNS
> and MPLS option A:
>
> In case a customer belonging to the ISP dials in and latches onto the
> same ISP (i.e. using the ISP's infrastructure), I can authenticate
> (since they will latch onto the LNS, a RADIUS client) using RADIUS,
> and RADIUS will return certain attributes including the VRF / pool
> name etc., and then the customer will go to its own VRF and to its own
> network.
>
> But in my case, customers come from another ISP's domain (dialing in
> and coming in on their LAC) and we are using back-to-back VRFs to
> connect LAC and LNS. Now the problem is how to authenticate the users
> and return the VRF and IP pool name from RADIUS, as the LNS cannot act
> as a RADIUS client now. The only option I can see is to forward the
> traffic to a firewall, which can act as a RADIUS client and query the
> RADIUS server; the RADIUS server can in turn return the VLAN, which can
> be mapped to the respective VRF.
you can use VRF-aware RADIUS to send the RADIUS requests from within
the VRF (which, I think, solves your problem, but I'm not sure I
entirely understood your topology):
aaa authentication ppp VRFCUST group VRFGROUP
aaa authorization network VRFCUST group VRFGROUP
! accounting needs a record type (start-stop) to be accepted by IOS
aaa accounting network VRFCUST start-stop group VRFGROUP
!
aaa group server radius VRFGROUP
 server-private x.x.x.x key zzzzz
 ip radius source-interface ...
 ip vrf forwarding <vrf-name>
!
interface Virtual-Template1
 ppp authentication chap pap VRFCUST
 ppp authorization VRFCUST
 ppp accounting VRFCUST
However: the L2TP packets also arrive within a VRF, so you need to use
VRF-aware VPDN as well (specify "vpn vrf <name>" in your vpdn-group).
hope this helps..
oli
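As an added illustration (not part of Oliver's reply or any Cisco documentation), here is what the two pieces he describes look like together on the LNS: the L2TP tunnel from the other ISP's LAC is terminated inside the customer VRF via "vpn vrf", and the RADIUS server for that customer is reached through the same VRF via a VRF-aware server group. Every name and address in it (VRF CUSTA, VRFGROUP/VRFCUST, 192.0.2.10, Loopback100, the REMOTE-LAC hostname, the pool and the secrets) is an assumed placeholder.

```ios
! Added example, not from the original post; all names, addresses and
! secrets below are placeholders.
!
! Customer VRF that carries both the L2TP tunnel from the remote ISP's LAC
! and the RADIUS traffic for this customer.
ip vrf CUSTA
 rd 65000:100
!
! Address the LNS uses inside the VRF: L2TP tunnel endpoint and RADIUS source.
interface Loopback100
 ip vrf forwarding CUSTA
 ip address 10.100.0.1 255.255.255.255
!
! VRF-aware RADIUS: "server-private" plus "ip vrf forwarding" make the LNS
! send Access-Requests and accounting through VRF CUSTA, not the global table.
aaa new-model
aaa group server radius VRFGROUP
 server-private 192.0.2.10 auth-port 1812 acct-port 1813 key 0 RADIUS-SECRET
 ip vrf forwarding CUSTA
 ip radius source-interface Loopback100
!
! Named method lists bound to that VRF-specific server group.
aaa authentication ppp VRFCUST group VRFGROUP
aaa authorization network VRFCUST group VRFGROUP
aaa accounting network VRFCUST start-stop group VRFGROUP
!
! VRF-aware VPDN: "vpn vrf" tells the LNS to expect the LAC's L2TP control
! and data packets inside VRF CUSTA; accepted sessions land on Virtual-Template1.
vpdn enable
!
vpdn-group CUSTA-FROM-REMOTE-LAC
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname REMOTE-LAC
 vpn vrf CUSTA
 source-ip 10.100.0.1
 local name LNS-CUSTA
 l2tp tunnel password 0 TUNNEL-SECRET
!
! PPP sessions authenticate via the VRF-specific lists. The VRF and pool are
! set statically here; RADIUS can instead return them per subscriber with
! Cisco AV-pairs (for example ip:vrf-id and ip:addr-pool), which is what the
! original question was after.
interface Virtual-Template1
 ip vrf forwarding CUSTA
 ip unnumbered Loopback100
 peer default ip address pool CUSTA-POOL
 ppp authentication chap pap VRFCUST
 ppp authorization VRFCUST
 ppp accounting VRFCUST
!
ip local pool CUSTA-POOL 10.100.1.1 10.100.1.254
```

Two points worth checking on a live box: the tunnel password and the RADIUS key are per-VRF secrets shared with another operator's LAC and server, so keep them distinct per customer VRF, and confirm with "show vpdn tunnel" and "debug radius" that the tunnel is seen in the expected VRF and that the RADIUS requests leave via Loopback100 rather than the global table.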