After receiving username and password during PPP LCP negotiations, the PDSN forwards authentication information to the local AAA server via an access request message. This, in turn, may be proxied to the AAA server in the user's home domain, via broker AAA servers, if necessary. On successful authentication, the user is authorized services based on user's service profile. If the user is configured for VPDN based access services, User Class information, along with other authorization parameters including tunneling options and tunneling parameters, are returned to the PDSN via an access accept message from the home AAA. The following types of VPDN services are supported at the PDSN
Please try Configuring the user.
Service-Type=Framed-User
to the user profile on the radius server.
With authen-before-forward, the access-server will
1) authenticate the user
2) check if this user is allowed to dial in using PPP at all (that's why
we need the Service-Type)
3) after that, evaluate any VPDN AV pairs and set up a VPDN tunnel if
required.
For more information refer the document to click this URL
http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_15_xn/pdsn3.5fcs.html#wp1967577