Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss configuration and troubleshooting issues on Access Dial with Tejal Patel. Tejal is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems, Inc. He joined Cisco in July 1999. His current responsibilities include troubleshooting complex issues, training, and authoring documentation. His areas of expertise are Telco Signaling, Configuration and Troubleshooting of Access Servers, AAA etc. Tejal is CCIE # 6619 for ISP Dial. He continually shares his expertise by speaking at the Access Design Clinic at Networkers to discuss and resolve the design related technical issues. Tejal holds a Bachelor Degree in Electronics and Telecommunication Engineering from Poona University, India. Prior to joining Cisco, Tejal was a Test Engineer at Leemah Datacom Inc. where he was responsible for functional testing of Network Access Server and RADIUS server.
Remember to use the rating system to let Tejal know if you have received an adequate response.
Tejal might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 22, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Tejal and everybody,
any comment or document on the performance variation due to assign specific ACLs for each user by Radius instead of configured one unique ACL in teh virtual-template definition?
I want to apply this solution (similar to the second part of this cisco document) in an L2TP scenario of about 500 sessions on Cisco 7204VXR (NPE-G2).
Thanks in adavance.
Any guide will be wellcome.
Actually, they both serves different purpose. Per-User ACL via RADIUS/AAA is per user as it says and it gives more control to network admin about the user's ability. ACL under the virtual-template will be applied to all the virtual-access interface for all the users and is static. Its like "one for all".
If the network design requires the use of per-user attributes like ACLs, then its the best option to download it via AAA. There will not be any performance issue for 500 users if you go for per-user ACLs from AAA. Per-user ACLs take little more CPU power and memory than configured under the interface but for 500 users it should be just fine.
Thanks for your answer.
If you find any document with measurements would be nice to show to my manager.
Otherwise, I would like to apply both, radius and virtual template ACL, at the same tiume for some users... and both working. I've been running some tests and what I've seen is that Radius ACL switch off the Virtual-Template ACL for that user...
Any specific configuration to combine usage of both at same time?
We do not have any specific performance docs that reports the numbers in that area because it is more or less a generic testing for the same feature.
Now, to answer your 2nd question, if the authorization is configured via RADIUS, then router will honor what is coming in from RADIUS as ACL defination. So for that user, if the ACL is coming in from AAA, it will be used compared to configured on the router as an interface, virtual-access or any, can only work with "one" ACL. That goes on to prove that network admin have more control over the user management when its managed via AAA.
Hope tat answers your question. Fire up more questions if you have.