[c-nsp] multiple aaa group for multiple LNS vpdn-group

Gert Doering gert at greenie.muc.de
Thu Jun 7 06:19:59 EDT 2012


Hi,

On Thu, Jun 07, 2012 at 10:57:06AM +0800, ar wrote:
> Is it possible to have different AAA config on my LNS such that,
> 
> vpdn-group1 is using radius server 1 for my old LAC access network
> 
> 
> I'll then create vpdn-group2 for my new LAC access network but will authenticate on radius server 2.
> 
> 
> Is there a way to do this?

Yes.

> AAA seems to be configured globally.

Indeed it is, but you can "name" authentication groups, and point to that.

The default is "aaa authentication ppp *default*", but if you don't want
that, use a named authentication list:

PPPoE-Test(config)#aaa authentication ppp NEW group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
PPPoE-Test(config)#aaa authentication ppp NEW group NEWRADIUS?

and then define your radius group accordingly...

PPPoE-Test(config)#aaa group server radius NEWRADIUS 
PPPoE-Test(config-sg-radius)#server-private 1.2.3.4 key SECRET 

> I want to create multiple aaa-groups and apply to specific vpdn-group that I want.

... and reference the named PPP authentication from the virtual-template
that is used for *that* vpdn-group:

PPPoE-IPv6-Test(config)#int virtual-template 3
PPPoE-IPv6-Test(config-if)#ppp authentication chap NEW
                                                   ^^^
PPPoE-IPv6-Test(config-if)#ppp authorization NEW
                                             ^^^

(and if it doesn't work, try "debug ppp authen" and "debug aaa" to see
which bit I missed)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
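
Added example (not part of the original message): the fragments above assembled into one LNS configuration with two vpdn-groups, each tied to its own RADIUS server group through its own virtual-template. The OLD/OLDRADIUS names, the LAC hostnames, virtual-template 1, the 192.0.2.10 address and the keys are assumed placeholders; the "aaa authorization network" lists are included because "ppp authorization NEW" refers to a network authorization list of that name, which the message does not show.

```ios
! Constructed example: hostnames, addresses and keys are placeholders.
aaa new-model
!
! One server group per RADIUS server. server-private keeps each server
! and its key scoped to its own group instead of the global host list.
aaa group server radius OLDRADIUS
 server-private 192.0.2.10 key OLD-SECRET
!
aaa group server radius NEWRADIUS
 server-private 1.2.3.4 key SECRET
!
! Named method lists, one pair per access network.
aaa authentication ppp OLD group OLDRADIUS
aaa authentication ppp NEW group NEWRADIUS
aaa authorization network OLD group OLDRADIUS
aaa authorization network NEW group NEWRADIUS
!
vpdn enable
!
! Old LAC access network -> Virtual-Template1 -> lists "OLD"
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC-OLD
!
! New LAC access network -> Virtual-Template3 -> lists "NEW"
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 3
 terminate-from hostname LAC-NEW
!
interface Virtual-Template1
 ppp authentication chap OLD
 ppp authorization OLD
!
interface Virtual-Template3
 ppp authentication chap NEW
 ppp authorization NEW
```

A virtual-template whose "ppp authentication" line names no list uses the default method list, so both templates need their list named explicitly to keep the two access networks on separate RADIUS servers.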