[c-nsp] Problem with L2TP !!
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Apr 1 11:08:21 EDT 2009
> Dear friends!
>
> I am trying to establish an L2TP tunnel between a LAC (which is also
> acting as BRAS) and LNS (which is also acting as BRAS).
>
> User ---------[Cisco 3640 LAC]----- IP Cloud-------[Cisco 3845 LNS]
>
> The problem I am facing is that the scenario is working fine as long
> as I am using a user account created locally on LNS. However, as soon
> as I enable radius parameters, LAC stops establishing the tunnel with LNS
> and connects the user on LAC as a PPPoE user. After investigation I
> have found that if I remove the following line from the configuration
> the L2TP tunnel works perfectly fine:
> aaa authorization network default group radius
>
> Can someone tell me why it's happening? Since I am using @domain in
> user ids for L2TP users, LAC should not even refer to Radius. And I
> need this aaa authorization parameter since both my LAC and LNS also
> have PPPoE users terminated on them.
well, you need to decide whether you want to authorize via Radius or
not. If you are using domains, you can define
    cybernet Password = "cisco"
        Service-Type = Outbound-User,
        cisco-avpair = "vpdn:tunnel-id=DSL-LNS",
        cisco-avpair = "vpdn:tunnel-type=l2tp",
        cisco-avpair = "vpdn:ip-addresses=1.1.1.1",
        cisco-avpair = "vpdn:source-ip=2.2.2.2"
Once you configure vpdn multihop (turning the LNS into a LAC), the node
will perform network authorization for all connections, including for
users with domains. There is a special authorization for domains where
the domain will be authorized with Radius (using the fixed "cisco"
password), and if the profile exists, the LAC/LNS will search for tunnel
information and forward the session (if found).
If there is no domain/tunnel profile, the LAC/LNS will authorize the
full username to terminate the session locally.
Hope this helps..
oli
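The domain-authorization flow Oliver describes, modelled as an added example (not code from the thread or from Cisco): it parses a users-file entry like the one above, authorizes the @domain with the fixed "cisco" password, and forwards the session only when the profile carries tunnel information. The users-file text below is constructed sample data; the second entry (alice) is a hypothetical local PPPoE user.

```python
import re

# Constructed sample users file: the domain profile from the reply plus a
# hypothetical plain PPPoE user that should terminate locally.
USERS_FILE = """\
cybernet Password = "cisco"
    Service-Type = Outbound-User,
    cisco-avpair = "vpdn:tunnel-id=DSL-LNS",
    cisco-avpair = "vpdn:tunnel-type=l2tp",
    cisco-avpair = "vpdn:ip-addresses=1.1.1.1",
    cisco-avpair = "vpdn:source-ip=2.2.2.2"

alice Password = "s3cret"
    Framed-Protocol = PPP
"""

# Matches 'Attribute = "value",' or 'Attribute = value' on one line.
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"?([^",]*)"?')

def parse_users(text):
    """Return {name: (password, [(attr, value), ...])} from users-file text."""
    users = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name, rest = lines[0].split(None, 1)        # 'cybernet Password = "cisco"'
        password = ATTR_RE.search(rest).group(2)
        attrs = [ATTR_RE.search(l.strip()).groups() for l in lines[1:] if l.strip()]
        users[name] = (password, attrs)
    return users

def vpdn_pairs(attrs):
    """Collect cisco-avpair 'vpdn:key=value' items into a dict."""
    pairs = {}
    for attr, value in attrs:
        if attr == "cisco-avpair" and value.startswith("vpdn:"):
            key, _, val = value[len("vpdn:"):].partition("=")
            pairs[key] = val
    return pairs

def authorize(username, users, domain_password="cisco"):
    """Mimic the LAC: authorize the @domain first and forward over L2TP when a
    tunnel profile exists; otherwise fall back to the full username locally."""
    _user, sep, domain = username.partition("@")
    if sep:
        password, attrs = users.get(domain, (None, []))
        tunnel = vpdn_pairs(attrs)
        if password == domain_password and "tunnel-id" in tunnel and "ip-addresses" in tunnel:
            return ("forward", tunnel)
    # No domain, no domain profile, or no tunnel info: terminate locally.
    return ("local", username)
```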