Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1090
Views
6
Helpful
5
Replies

ISE Use Case in the L2TP Dial-in

Go to solution
Weiborao
Cisco Employee
Cisco Employee

‎08-07-2017 09:10 AM

Dear Experts,

My customer’s requirement is the L2TP VPDN.

They want to deploy a Radius server behind the LAC (L2TP Access Concentrator), which is used to return the LNS (L2TP Network Server) address to the LAC, when L2TP client initiates the Dial-in process.

I heard that this was a standard Radius behavior, and Cisco ACS works well.

Does ISE work in this use case?

Thank you.

Best regards,


Weibo Rao.

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎08-07-2017 01:50 PM

Yes, it should work, but not aware of any specific QA testing on this less common use case.  These are standard RADIUS attributes.  If the default values do not include the attributes specific to L2TP, then you can use the Advanced Attributes section to add custom value settings.  Some example RADIUS attributes shown in example here: Tunnel Authentication via RADIUS on Tunnel Terminator - Cisco

/Craig

View solution in original post

5 Replies 5

Go to solution
Craig Hyps
Level 10
Level 10

‎08-07-2017 01:50 PM

Yes, it should work, but not aware of any specific QA testing on this less common use case.  These are standard RADIUS attributes.  If the default values do not include the attributes specific to L2TP, then you can use the Advanced Attributes section to add custom value settings.  Some example RADIUS attributes shown in example here: Tunnel Authentication via RADIUS on Tunnel Terminator - Cisco

/Craig

Go to solution
Weiborao
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎08-08-2017 06:47 AM

Thank you for your support.

Go to solution
hamidreza.taghipur
Level 1
Level 1
In response to Craig Hyps

‎06-22-2019 08:45 AM

I have cisco router for vpdn server and my clients are windows l2tp connection , and i use cisco ise ( join domain) for radius server and router send aaa to ise . Every thing is ok but radius live log is bad , i have not any clients endpoint address,clients mac address and live session in radius live log , it s show just user authenticatin and authorization users . Please help me .

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-07-2017 03:08 PM

Adding to Craig.

https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/20/GGSN/b_20_GGSN_Admin/b_19_GGSN_Admin_chapter_010011.pdf

mentions

  1. The system determines that the egress context is the destination context based on the configuration of either the Default subscriber's ip-context name or from the SN-VPN-NAME or SN1-VPN-NAME attributes that is configured in the subscriber's RADIUS profile.

I found freeradius/dictionary.starent at master · redBorder/freeradius · GitHub and made a minor change so ISE can import it.

dictionary.starent.txt.zip

Go to solution
Weiborao
Cisco Employee
Cisco Employee
In response to hslai

‎08-08-2017 06:47 AM

Thank you for your support and contribution.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents