Cisco Systems 10000 Network Router User Manual


 
Cisco 10000 Series Router Software Configuration Guide
OL-2226-23
Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server
L2TP Network Server
Configuring Vendor-Specific Attributes on RADIUS
Cisco IOS Release 12.2(15)BX adds Cisco-specific VPDN RADIUS attributes to support RADIUS
tunnel authentication. To configure the RADIUS server for tunnel authentication, you must configure
the following vendor-specific attributes (VSAs) on the RADIUS server:
vpdn-vtemplate—Specifies the virtual template number to use for cloning on the LNS. This attribute
corresponds to the virtual template associated with the local VPDN group on the LNS. This attribute
is not required if you used the vpdn tunnel authorization virtual-template <vtemplate num>
command on the LNS to configure a default virtual template to use for cloning.
    Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate = <vtemplate number>"

dout-dialer—Specifies the LAC dialer to use on the LAC for a dialout configuration.
    Cisco:Cisco-Avpair = "vpdn:dout-dialer = <LAC dialer number>"

Service-Type—Specifies an outbound or inbound service type. In the tunnel authorization request,
the LNS sets the Service-Type attribute to Outbound. Therefore, in the RADIUS configuration you
must also configure an Outbound Service-Type.
    Service-Type = Outbound
Note For information about RADIUS attributes supported on the Cisco 10000 series router, see
Appendix A, “RADIUS Attributes” or see the “RADIUS Attributes” appendix in the
Cisco IOS Security Configuration Guide, Release 12.2.
For more information about configuring RADIUS, see your RADIUS user documentation.
Example 5-15 is a RADIUS configuration that allows the LNS to terminate L2TP tunnels from a LAC.
In this configuration, VirtualTemplate10 is used to clone a virtual access interface (VAI) on the LNS.
Example 5-15 Configuring RADIUS for LNS Termination of L2TP Tunnels from a LAC
myLACname Password = "cisco"
    Service-Type = Outbound,
    Tunnel-Type = :0:L2TP,
    Tunnel-Medium-Type = :0:IP,
    Tunnel-Client-Auth-ID = :0:"myLACname",
    Tunnel-Password = :0:"mytunnelpassword",
    Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate=10"
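The following pre-deployment check for a tunnel profile is an added example, not part of the Cisco guide. It tests the two rules stated above: Service-Type must be Outbound, and vpdn-vtemplate may be omitted only when the LNS has a default virtual template. The function names, the lns_default_vtemplate parameter and the sample profile are assumptions made for illustration.

```python
import re

# Constructed sample input, laid out like Example 5-15 (straight quotes assumed).
SAMPLE_PROFILE = '''myLACname Password = "cisco"
    Service-Type = Outbound,
    Tunnel-Type = :0:L2TP,
    Tunnel-Medium-Type = :0:IP,
    Tunnel-Client-Auth-ID = :0:"myLACname",
    Tunnel-Password = :0:"mytunnelpassword",
    Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate=10"
'''

def parse_profile(text):
    """Split one users-file entry into (name, attributes, Cisco AV pairs)."""
    lines = [ln.strip().rstrip(",") for ln in text.splitlines() if ln.strip()]
    name = lines[0].split()[0]
    attrs, avpairs = {}, {}
    for ln in lines[1:]:
        key, _, value = ln.partition("=")
        # Drop the ":<tag>:" tunnel tag and the surrounding quotes.
        value = re.sub(r"^:\d+:", "", value.strip()).strip('"')
        if key.strip().lower().endswith("cisco-avpair"):
            # "vpdn:vpdn-vtemplate = 10" -> {"vpdn:vpdn-vtemplate": "10"}
            k, _, v = value.partition("=")
            avpairs[k.strip()] = v.strip()
        else:
            attrs[key.strip()] = value
    return name, attrs, avpairs

def check_profile(text, lns_default_vtemplate=None):
    """Return the problems found; an empty list means the profile passes."""
    _, attrs, avpairs = parse_profile(text)
    problems = []
    # The LNS sends Service-Type Outbound, so the profile must carry it too.
    if attrs.get("Service-Type") != "Outbound":
        problems.append("Service-Type is not Outbound")
    # vpdn-vtemplate is optional only when the LNS has a default template.
    vtemplate = avpairs.get("vpdn:vpdn-vtemplate")
    if vtemplate is None:
        if lns_default_vtemplate is None:
            problems.append("no vpdn-vtemplate VSA and no LNS default virtual template")
    elif not vtemplate.isdigit():
        problems.append("vpdn-vtemplate is not a number: " + vtemplate)
    return problems

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE) or "profile OK")
```

Pass lns_default_vtemplate when the LNS carries a vpdn tunnel authorization virtual-template command, so a profile without the VSA is not reported.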
Example 5-16 is an LNS configuration that supports RADIUS tunnel authentication. In this
configuration, a RADIUS server group is defined using the aaa group server radius VPDN-Group
command. The aaa authorization network mymethodlist group VPDN-Group command queries
RADIUS for network authorization.
Example 5-16 Configuring the LNS to Support RADIUS Tunnel Authentication
aaa group server radius VPDN-Group
 server 64.102.48.91 auth-port 1645 acct-port 1646
aaa authorization network mymethodlist group VPDN-Group
vpdn tunnel authorization network mymethodlist
vpdn tunnel authorization virtual-template 10