01-31-2005 09:28 AM
Hi all there,
I'm running some LAC (as5400 but it applies also to PPPoA xdsl) and I use RADIUS authentication to provide the LAC the vpdn: av-pairs.
vpdn authen-before-forward is enabled on LAC.
When a call comes in, a first RADIUS auth-req is sent with full User-Name=login@realm and Service-Type=Outbound asking for vpdn; if it is positive the tunnel starts and all is fine.
If the call does not need to be tunneled, the AAA sends an auth-reject and then the LAC sends a second auth-req with User-Name=realm only, to get a second auth-reject.
I tried every "vpdn search-order" command with no results.
Is there a command or an av-pair to prevent the second, useless, auth-request?
Best regards,
SergioC
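Added example, not part of any post in this thread: a small Python correlator that a RADIUS operator could run over server logs to count how often the realm-only second request described in the post above follows a reject of login@realm from the same LAC. The log line layout, the NAS addresses, the usernames and the 5-second window are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log: "timestamp NAS-IP packet-type User-Name" (not from the thread).
SAMPLE = """\
2005-01-31T09:00:01 192.0.2.10 Access-Request alice@corp.example
2005-01-31T09:00:01 192.0.2.10 Access-Accept alice@corp.example
2005-01-31T09:00:05 192.0.2.10 Access-Request bob@isp.example
2005-01-31T09:00:05 192.0.2.10 Access-Reject bob@isp.example
2005-01-31T09:00:06 192.0.2.10 Access-Request isp.example
2005-01-31T09:00:06 192.0.2.10 Access-Reject isp.example
2005-01-31T09:00:09 192.0.2.11 Access-Request isp.example
"""


def find_realm_retries(log_text, window=timedelta(seconds=5)):
    """Return (nas, full_user, realm, delay_seconds) for every realm-only
    Access-Request that follows an Access-Reject of login@realm from the
    same NAS within `window`."""
    last_reject = {}  # (nas, realm) -> (time of reject, full username)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, nas, kind, user = parts
        when = datetime.fromisoformat(ts)
        if kind == "Access-Reject" and "@" in user:
            # First lookup (full username) was refused: remember it per NAS and realm.
            realm = user.rsplit("@", 1)[1]
            last_reject[(nas, realm)] = (when, user)
        elif kind == "Access-Request" and "@" not in user:
            # Realm-only request: a retry only if this NAS was just refused for that realm.
            prev = last_reject.pop((nas, user), None)
            if prev and when - prev[0] <= window:
                delay = (when - prev[0]).total_seconds()
                hits.append((nas, prev[1], user, delay))
    return hits


if __name__ == "__main__":
    for nas, full_user, realm, delay in find_realm_retries(SAMPLE):
        print(f"{nas}: realm-only retry '{realm}' {delay:.0f}s after reject of '{full_user}'")
```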
02-04-2005 08:10 AM
You must enable the request-dialin command on the VPDN group before you can use the 'authen before-forward' command.
Please refer to the following link for more information on this:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tdr/dia_a1gt.pdf
02-04-2005 10:41 AM
Hi Oscar,
I have no vpdn-groups on my LACs; all the tunnel configuration is on my RADIUS server. I have too many LACs, realms and DNIS to cope with, so I prefer AAA.
The vpdn LAC conf is as simple as:
vpdn enable
vpdn source-ip 10.0.12.43
vpdn authen-before-forward
vpdn search-order domain
plus aaa and radius basic conf.
It works well.
Please mind that my problem is on LAC radius queries, not LNS.
02-17-2005 03:51 AM
Any news?
06-07-2005 11:05 PM
Hi Oscar,
Actually I have a question that is beyond the scope of this topic. But it is related to your configuration.
You use both "vpdn authen-before-forward" and "vpdn search-order domain".
Some of my accounts have the "@" delimiter, but some of them do not. I want VPDN tunnel authorization for all of them. I thought that I should authenticate the complete username before making a forwarding decision, so send it to the AAA server for VPDN attributes. This is for the users who do not have the "@" delimiter in their username. Then I want VPDN tunnel authorization to be based on the domain. This should be for the users who have the "@" delimiter in their username.
But it did not work! Do you have such a scenario? Why do you configure "vpdn authen-before-forward, vpdn search-order domain" in this order?
Thanks in advance.
Sirin