cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
776
Views
0
Helpful
3
Replies

multi LNS server IP balanced by ISE response

Weiborao
Cisco Employee
Cisco Employee

Hi, Dear ISE Experts

My customer have L2TP authentication requirement, need ISE to return LNS server IP to LAC. Customer have multiple LNS servers, hope ISE can return LNS server IP with round robin. Does ISE support it?

If not support round robin, does ISE support returning multiple LNS IP addresses to the LAC ?

BTW, all LAC authentication will use same user name with no password.(or we can say no authentication required)

Thanks

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

Please consult with the support teams for the network device platform as to the specifics to return from a RADIUS server.

For instance, VPDN Configuration Guide, Cisco IOS Release 12.4 - Configuring AAA for VPDNs [Cisco IOS Software Releases 12.4 Mainline] - Cisco mentions to use either Cisco VSA (cisco-av-pair) or RADIUS tunnel attributes. The examples I found are all using very old ACS releases, but I believe they would be similar to the following ISE authorization profiles.

Screen Shot 2017-08-12 at 8.16.01 PM.png

Screen Shot 2017-08-12 at 8.35.47 PM.png

View solution in original post

3 Replies 3

Weiborao
Cisco Employee
Cisco Employee

Hi Jason

Yes you are right.

I am working with David Li, who is the local Security Expert in China Team.

I think it is the LAC that decide how to load-balancing between the LNS addresses returned from the attribute 67.

67

Tunnel-Server-Endpoint

IP address of the LNS that establishes a tunnel. The IP address is in dotted decimal notation. A tag can deliver a maximum of eight IP addresses, with each IP address separated by a space. Multiple IP addresses work in primary/secondary mode.

hslai
Cisco Employee
Cisco Employee

Please consult with the support teams for the network device platform as to the specifics to return from a RADIUS server.

For instance, VPDN Configuration Guide, Cisco IOS Release 12.4 - Configuring AAA for VPDNs [Cisco IOS Software Releases 12.4 Mainline] - Cisco mentions to use either Cisco VSA (cisco-av-pair) or RADIUS tunnel attributes. The examples I found are all using very old ACS releases, but I believe they would be similar to the following ISE authorization profiles.

Screen Shot 2017-08-12 at 8.16.01 PM.png

Screen Shot 2017-08-12 at 8.35.47 PM.png

Hi, hslai

Thank you very much for you reply and contribution.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: