[c-nsp] VPDN multihop/forwarding not working

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Feb 1 04:14:49 EST 2013


 
>Thanks Oli,
>
>> sorry for not mentioning it, but the command needs to be applied to the
>> vtemplate referenced in the vpdn-group which terminates the original
>> L2TP tunnel from the LAC. You might want to consider putting this on all
>> vtemplates, as this could avoid quite a few Radius requests in case the
>> other user names contain realms (@domain).
>
>As we terminate a lot of other realms from various LACs - adding this
>won't break any of the existing realms? (We have a number of vtemplates
>and vpdn groups as we already use a number of different realms... but
>they are all locally terminated on this LNS)

Well, have you defined any of these other realms on the Radius server
(with the static "cisco" password)? If you don't, and if you don't have a
vpdn-group with a "request-dialin" matching their realm, nothing will
break; adding the "vpdn authorization .." on those vtemplates will just
make sure the LNS no longer sends these Radius requests (with the
domain). Have you checked the Radius traces since you enabled vpdn
multihop? If you have users with "@" or "/" on other vpdn-groups, you will
see those?

>So I need to:
>
>Add:
>
>vpdn authorization LOCAL_AUTH
>
>under the virtual template referenced on the vpdn-groups this "new" realm
>will use, and for this "new" realm our LNS should then create an L2TP
>tunnel to the "initiate-to ip" under the vpdn conf for the new realm?

Yes. I think you can put both functions (accept-dialin and request-dialin)
in the same vpdn-group? As I said, my vpdn skills are rusty..

	oli
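
Added example, not part of the original message or of any Cisco tooling: a small offline audit that lists the virtual templates referenced by accept-dialin vpdn-groups which do not yet carry a "vpdn authorization" line, the placement discussed above. The sample config is constructed and trimmed, and the group names, the domain and the 192.0.2.10 address are assumptions; it expects running-config style indentation.

```python
import re

# Constructed, trimmed sample config (not from the thread). Only the
# "vpdn authorization LOCAL_AUTH" line is taken from the message above.
SAMPLE_CONFIG = """\
vpdn-group REALM-A
 accept-dialin
  virtual-template 1
vpdn-group REALM-B
 accept-dialin
  virtual-template 2
vpdn-group FORWARD-NEW
 request-dialin
  domain new.example
 initiate-to ip 192.0.2.10
interface Virtual-Template1
 vpdn authorization LOCAL_AUTH
interface Virtual-Template2
 ppp authentication chap
"""

def sections(config):
    """Split IOS-style text into {top-level line: [indented child lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # skip blank lines and "!" separators
        if not line[0].isspace():
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def vtemplates_missing_vpdn_authorization(config):
    """Template numbers used by accept-dialin groups but lacking the command."""
    secs = sections(config)
    used, ok = set(), set()
    for head, body in secs.items():
        # Templates referenced by groups that terminate tunnels from a LAC.
        if head.startswith("vpdn-group ") and "accept-dialin" in body:
            used.update(l.split()[1] for l in body if l.startswith("virtual-template "))
        # Templates that already have a "vpdn authorization <list>" line.
        m = re.fullmatch(r"interface Virtual-Template(\d+)", head)
        if m and any(l.startswith("vpdn authorization ") for l in body):
            ok.add(m.group(1))
    return sorted(used - ok, key=int)
```

A template that is referenced by a group but has no interface section in the supplied text is also reported as missing.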



