Configuring AAA for VPDNs

Table Of Contents

Configuring AAA for VPDNs

Contents

Prerequisites for Configuring AAA for VPDNs

Information About AAA for VPDNs

VPDN Tunnel Authorization Search Order

VPDN Tunnel Lookup Based on Domain Name

VPDN Tunnel Lookup Based on L2TP Domain Screening

VPDN Tunnel Lookup Based on DNIS Information

VPDN Tunnel Lookup Based on Both Domain Name and DNIS Information

VPDN Tunnel Lookup Based on the Multihop Hostname

L2TP Domain Screening

L2TP Tunnel Authentication

L2TP Domain Screening, Rules Based

L2TP Tunnel Authentication, Rules Based

Per-User VPDN AAA

VPDN Authorization for Directed Request Users

Domain Name Prefix and Suffix Stripping

VPDN Tunnel Authentication

RADIUS Tunnel Accounting for L2TP VPDNs

VPDN-Specific Remote RADIUS AAA Server Configurations

Shell-Based Authentication of VPDN Users

How to Configure AAA for VPDNs

Enabling VPDN on the NAS and the Tunnel Server

What to Do Next

Configuring the VPDN Tunnel Authorization Search Order

Prerequisites

Restrictions

What to Do Next

Configuring L2TP Domain Screening

Configuring L2TP Domain Screening with Global Preauthentication

L2TP Domain Screening with Global Preauthentication: Example

Configuring L2TP Domain Screening with per-VPDN Group Preauthentication

Configuring L2TP Domain Screening, Rules Based

Configuring L2TP Domain Screening, Rules Based: Example

Configuring per-User VPDN on the NAS

Prerequisites

Restrictions

Configuring Global per-User VPDN

Configuring per-User VPDN for a VPDN Group

Configuring AAA on the NAS and the Tunnel Server

Prerequisites

What to Do Next

Configuring Remote AAA for VPDNs

Configuring the NAS for Remote AAA for Dial-In VPDNs

Configuring the Tunnel Terminator for Remote RADIUS AAA for L2TP Tunnels

Verifying and Troubleshooting Remote AAA Configurations

Verifying that the VPDN Tunnel Is Up

Verifying the Remote RADIUS AAA Server Configuration

Verifying the Remote TACACS+ AAA Server Configuration on the NAS

Verifying the Remote TACACS+ AAA Server Configuration on the Tunnel Server

Verifying L2TP Tunnel Establishment, PPP Negotiations, and Authentication with the Remote Client

Configuring Directed Request Authorization of VPDN Users

Configuring Directed Request Authorization of VPDN Users on the Tunnel Server

Configuring Directed Request Authorization of VPDN Users on the NAS

Configuring Domain Name Prefix and Suffix Stripping

Configuring VPDN Tunnel Authentication

Prerequisites

Configuring VPDN Tunnel Authentication Using the Hostname

Configuring VPDN Tunnel Authentication Using the Local Name

Configuring VPDN Tunnel Authentication Using the L2TP Tunnel Password

Disabling VPDN Tunnel Authentication for L2TP Tunnels

Configuring RADIUS Tunnel Accounting for L2TP VPDNs

Prerequisites

Restrictions

What to Do Next

Configuring Authentication of L2TP Tunnels at the Tunnel Terminator Remote RADIUS AAA Server

Prerequisites

Restrictions

Configuring DNS Name Support on the NAS Remote RADIUS AAA Server

Configuring L2TP Tunnel Server Load Balancing and Failover on the NAS Remote RADIUS AAA Server

Configuring L2TP Tunnel Server Load Balancing and Failover Using the Cisco Proprietary VSA

Configuring L2TP Tunnel Server Load Balancing and Failover Using the RADIUS Tunnel Preference Attribute

Configuring Tunnel Assignments on the NAS Remote RADIUS AAA Server

Configuring L2TP Tunnel Connection Speed Labeling on the Remote ARS RADIUS AAA Server and the Tunnel Server

Prerequisites

Restrictions

Configuring User Profiles on the ARS RADIUS Server for L2TP Tunnel Connection Speed Labeling

Disabling L2TP Tunnel Connection Speed Labeling on the Tunnel Server

Configuring L2TP Tunnel Connection Speed Labeling on the Tunnel Server

Configuring L2TP Tunnel Connection Speed Labeling for a Tunnel Switch

Configuring Secure Tunnel Authentication Names on the NAS Remote RADIUS AAA Server

Prerequisites

What to Do Next

Configuring the NAS for Shell-Based Authentication of VPDN Users

Prerequisites

Restrictions

What to Do Next

Configuration Examples for AAA for VPDNs

Configuring the VPDN Tunnel Authorization Search Order: Examples

Configuring per-User VPDN on the NAS: Examples

Configuring AAA on the NAS and the Tunnel Server: Examples

Configuring Remote AAA for VPDNs on the L2TP Tunnel Terminator: Examples

Configuring Directed Request Authorization of VPDN Users: Examples

Configuring Domain Name Prefix and Suffix Stripping: Examples

Configuring VPDN Tunnel Authentication: Examples

L2TP Domain Screening: Examples

L2TP Domain Screening with Global Preauthentication: Example

L2TP Domain Screening with per-VPDN Group Preauthentication: Example

Configuring RADIUS Tunnel Accounting on a NAS: Example

Configuring RADIUS Tunnel Accounting on a Tunnel Server: Example

Configuring DNS Name Support on the NAS Remote RADIUS AAA Server: Example

Configuring L2TP Tunnel Server Load Balancing and Failover Using the Cisco Proprietary VSA: Examples

Configuring L2TP Tunnel Server Load Balancing and Failover using the RADIUS Tunnel Preference Attribute: Example

Configuring Tunnel Assignments on the NAS RADIUS AAA Server: Example

Configuring L2TP Tunnel Connection Speed Labeling: Examples

Configuring Secure Authentication Names: Example

Configuring Shell-Based Authentication of VPDN Users: Examples

Where to Go Next

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Feature Information for AAA for VPDNs


Configuring AAA for VPDNs


This module describes how to configure authentication, authorization, and accounting (AAA) for Virtual Private Dialup Networks (VPDNs).

Module History

This module was first published on September 26, 2005, and last updated on November 20, 2006.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the "Feature Information for AAA for VPDNs" section.

Contents

Prerequisites for Configuring AAA for VPDNs

Information About AAA for VPDNs

How to Configure AAA for VPDNs

Configuration Examples for AAA for VPDNs

Where to Go Next

Additional References

Prerequisites for Configuring AAA for VPDNs

Before configuring AAA for VPDNs, you should understand the concepts in the "Overview of VPDN Technology" module.

You must identify the VPDN architecture you plan to implement.

You must identify the tunneling protocol you will use.

If you plan to configure remote AAA, you should understand the concepts in the "Authentication, Authorization, and Accounting (AAA)" and "Security Server Protocols" parts of the Cisco IOS Security Configuration Guide, Release 12.4.

If you plan to configure L2TP Domain Screening, you must configure the L2TP access concentrator (LAC) to request authentication of a complete username before making a forwarding decision for dial-in L2TP. In other words, the LAC preauthenticates username@domain to find the correct L2TP tunnel for the user session.

You can configure virtual private dialup network (VPDN) preauthentication to occur globally or per VPDN group. For global VPDN preauthentication, authentication and authorization should be done using an authentication server. For per-VPDN group-level preauthentication, authentication and authorization should be done locally.

Information About AAA for VPDNs

Before configuring AAA for VPDNs, you should understand the following concepts:

VPDN Tunnel Authorization Search Order

L2TP Domain Screening, Rules Based

VPDN Authorization for Directed Request Users

VPDN Tunnel Authentication

RADIUS Tunnel Accounting for L2TP VPDNs

VPDN-Specific Remote RADIUS AAA Server Configurations

Shell-Based Authentication of VPDN Users

VPDN Tunnel Authorization Search Order

When a call to a network access server (NAS) is to be tunneled to a tunnel server, the NAS must identify which tunnel server to forward the call to. The router can authorize users and select the outgoing tunnel based on the domain portion of the username, the Dialed Number Identification Service (DNIS) number, the multihop hostname, or any combination of these three parameters in a specified order. The default search order for VPDN tunnel authorization is to first search by DNIS, then by domain.

The following sections contain information on VPDN tunnel lookup criteria:

VPDN Tunnel Lookup Based on Domain Name

VPDN Tunnel Lookup Based on L2TP Domain Screening

VPDN Tunnel Lookup Based on DNIS Information

VPDN Tunnel Lookup Based on Both Domain Name and DNIS Information

VPDN Tunnel Lookup Based on the Multihop Hostname

VPDN Tunnel Lookup Based on Domain Name

When a NAS is configured to forward VPDN calls on the basis of the user domain name, the user must use a username of the form username@domain. The NAS then compares the user domain name to the domain names it is configured to search for. When the NAS finds a match, it forwards the user call to the proper tunnel server.

VPDN Tunnel Lookup Based on L2TP Domain Screening

You can modify the domain portion of the username seamlessly when you enter into a Virtual Private Network (VPN) service. The L2TP Domain Screening feature ensures that the appropriate domain has been screened before access is allowed to an L2TP tunnel for the user session.

For additional information on configuring L2TP Domain Screening tunnel authentication into a VPN, refer to the "L2TP Domain Screening" section.

VPDN Tunnel Lookup Based on DNIS Information

When a NAS is configured to forward VPDN calls on the basis of the user DNIS information, the NAS identifies the user DNIS information, which is provided on ISDN lines, and then forwards the call to the proper tunnel server.

The ability to select a tunnel on the basis of DNIS information provides additional flexibility to network service providers that offer VPDN services and to the companies that use the services. Instead of using only the domain name for tunnel selection, the NAS can use dialed number information for tunnel selection.

With this feature, a company—which might have only one domain name—can provide multiple specific phone numbers for users to dial in to the NAS at the service provider point of presence (POP). The service provider can select the tunnel to the appropriate services or portion of the company network on the basis of the dialed number.

VPDN Tunnel Lookup Based on Both Domain Name and DNIS Information

When a service provider has multiple AAA servers configured, VPDN tunnel authorization searches based on domain name can be time consuming and might cause the client session to time out.

To provide more flexibility, service providers can configure the NAS to perform tunnel authorization searches by domain name only, by DNIS only, or by both in a specified order.

VPDN Tunnel Lookup Based on the Multihop Hostname

If a device will function as a multihop tunnel switch, tunnel authorization searches may be performed based on the multihop hostname. Configuring a multihop hostname on a tunnel switch allows authorization searches to be based on the identity of the peer device that initiated the tunnel. The multihop hostname can be the hostname of the remote peer that initiated the ingress tunnel, or the tunnel ID associated with the ingress tunnel.

A multihop tunnel switch can be configured to perform authorization searches by multihop hostname only, by domain name only, by DNIS only, or by any combination of these searches in a specified order.

L2TP Domain Screening

The Layer 2 Tunnel Protocol (L2TP) Domain Screening feature provides a flexible mechanism for controlling session access to an L2TP tunnel. This feature provides the ability to modify the domain portion of the username seamlessly when a subscriber enters into a virtual private network (VPN) service. The L2TP Domain Screening feature allows per-user L2TP tunnel setup by combining the following two features:

User preauthentication using the vpdn authen-before-forward command

Modifying the domain portion of the username using the vpn service command to bind an incoming session to a certain L2TP tunnel

These two commands work together in the L2TP Domain Screening feature to make sure that the appropriate domain has been screened before access is allowed to an L2TP tunnel for the user session.

With Cisco Software Release 12.2(31)SB2 or higher, you can modify the domain portion of the username seamlessly when you enter into a VPN service. The L2TP Domain Screening, Rules Based feature allows per-user L2TP tunnel setup by creating customized Policy Manager match rules. For more information on the L2TP Domain Screening, Rules Based, see L2TP Domain Screening, Rules Based.

L2TP Tunnel Authentication

Figure 11 shows the general process flow for tunnel authentication. In this case, the vpdn authen-before-forward process is called if necessary to authenticate the username and domain name to find the correct L2TP tunnel for the session. If no authentication is required, the tunnel match for the domain name is found for the session. In either case, the original username with the original domain is used for session authentication at the L2TP network server.

Figure 11 Normal Tunnel Authentication Without VPN Service

In Figure 12, the same authentication flow proceeds, this time with the VPN service applied to the configuration. Just as before, if the vpdn authen-before-forward process determines that the session must be locally authenticated before being placed into the correct tunnel, authentication proceeds as normal. However, with the vpn service statement applied, the session is placed into the appropriate tunnel for the VPN domain.

Figure 12 Normal Tunnel Authentication with VPN Service Configured

Figure 13 shows the full VPN service application flow. If local authentication at the LAC is required and a VPN service is configured, a local authentication is done with the username provided and the domain of the VPN service provider. This step returns the necessary L2TP tunnel for this VPN session. If VPN service is not configured, local authentication is provided on the username and domain name provided by the subscriber.

If the session does not require local authentication but there is a configured VPN service, the session is placed into the L2TP tunnel for the VPN service provider. Otherwise, the session will be placed into the tunnel for the specified domain name.

In any of these scenarios, the username and domain name for the subscriber session stay the same at the L2TP network server (LNS). This allows a wholesale provider to dedicate a service provider for providing all VPN services to its subscribers without the need for complex configuration for each VPN.

The vpn service command binds a physical incoming interface to a certain tunnel. The result is that no matter what username or domain is presented, the user is always forwarded to the specified tunnel configured by the vpn service command.

Figure 13 New Operation with VPN Service

L2TP Domain Screening, Rules Based

With Cisco Software Release 12.2(31)SB2 or later releases, you can modify the domain portion of the username seamlessly when you enter into a VPN service. The L2TP Domain Screening, Rules Based feature allows per-user L2TP tunnel setup by creating customized Policy Manager match rules. The L2TP Domain Screening, Rules Based feature allows you to construct rules to customize specific policy behavior. You can use the following commands to construct specific policy behavior.

Collect and cache the unauthenticated user name using the set variable command

Replace the domain portion of the cached username using the substitute command and authenticate using the new altered domain name

Authenticate the name specified using the authenticate command and send the authenticated name to policy manager

These commands work together in the L2TP Domain Screening, Rules Based feature to make sure that the appropriate domain has been screened before access is allowed to an L2TP tunnel for the user session.

L2TP Tunnel Authentication, Rules Based

Figure 14 shows the general process flow for tunnel authentication, rules based.

Figure 14 Normal Tunnel Authentication, Rules Based

For all users with service policy "REPLACE_WITH_abc.com", this configuration, following a policy-map session-start event, replaces the domain field of the username with abc.com and caches the new domain name in the policy manager. Users authenticate as username@abc.com, and the per-user profile is retrieved as authorization data. Finally, service abc is applied to the user.
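The following added example models the forwarding decision described in the "VPDN Tunnel Authorization Search Order" and "L2TP Domain Screening" sections: the vpdn search-order lookup, the vpn service binding, and which identity is used for preauthentication versus at the LNS. It is an illustration written for this page, not Cisco IOS code; the vpdn-group table, tunnel server addresses, usernames and DNIS values are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of how a LAC/NAS selects the tunnel server for a dial-in
# session. Not Cisco IOS code; the data below is sample data.

DEFAULT_SEARCH_ORDER = ("dnis", "domain")   # documented default: DNIS first, then domain


@dataclass
class VpdnGroup:
    """One vpdn-group request-dialin entry (constructed sample shape)."""
    name: str
    tunnel_server: str                        # initiate-to ip address
    domain: Optional[str] = None              # 'domain' keyword
    dnis: Optional[str] = None                # 'dnis' keyword
    multihop_hostname: Optional[str] = None   # multihop hostname, tunnel switch only


@dataclass
class Call:
    """What the NAS knows about an incoming session."""
    username: str                             # username@domain as presented by the subscriber
    dnis: Optional[str] = None                # dialed number (ISDN)
    ingress_peer: Optional[str] = None        # peer that initiated the ingress tunnel
    vpn_service: Optional[str] = None         # 'vpn service <domain>' on the ingress PVC
    replace_authen_domain: bool = False       # 'replace-authen-domain' keyword


def split_username(username: str):
    """Split 'user@domain' into (user, domain); domain is None without an '@'."""
    user, sep, domain = username.partition("@")
    return user, (domain if sep else None)


def lookup_tunnel(groups, call: Call, search_order=DEFAULT_SEARCH_ORDER):
    """Return (group, criterion) for the first search criterion that matches, in order."""
    if call.vpn_service:
        # 'vpn service' binds the ingress interface to one tunnel: the domain
        # the subscriber typed and the DNIS no longer drive the decision.
        for g in groups:
            if g.domain == call.vpn_service:
                return g, "vpn-service"
        return None, None
    _, domain = split_username(call.username)
    values = {"dnis": call.dnis, "domain": domain, "multihop-hostname": call.ingress_peer}
    fields = {"dnis": "dnis", "domain": "domain", "multihop-hostname": "multihop_hostname"}
    for criterion in search_order:
        value = values[criterion]
        if value is None:
            continue
        for g in groups:
            if getattr(g, fields[criterion]) == value:
                return g, criterion
    return None, None                         # no matching tunnel definition


def preauth_identity(call: Call) -> str:
    """Username the LAC authenticates under 'vpdn authen-before-forward'.
    Only 'replace-authen-domain' rewrites the domain for this local check."""
    user, _ = split_username(call.username)
    if call.vpn_service and call.replace_authen_domain:
        return f"{user}@{call.vpn_service}"
    return call.username


def lns_session_identity(call: Call) -> str:
    """The LNS always sees the original username and domain: screening changes
    where the session is tunneled, not who the subscriber claims to be."""
    return call.username


# Constructed sample tunnel definitions.
GROUPS = [
    VpdnGroup("corp-by-dnis", "10.1.1.1", dnis="5551000"),
    VpdnGroup("isp-a", "10.2.2.2", domain="isp-a.net"),
    VpdnGroup("wholesale-vpn", "10.3.3.3", domain="example.com"),
    VpdnGroup("switch-peer", "10.4.4.4", multihop_hostname="LAC-EDGE-1"),
]


def demo():
    # Same call, two search orders: the default picks the DNIS group,
    # 'vpdn search-order domain dnis' picks the domain group.
    call = Call("user-1@isp-a.net", dnis="5551000")
    by_default = lookup_tunnel(GROUPS, call)[0].name
    by_domain_first = lookup_tunnel(GROUPS, call, ("domain", "dnis"))[0].name
    # Domain screening: the PVC carries 'vpn service example.com replace-authen-domain'.
    screened = Call("user-2@other.org", dnis="5551000",
                    vpn_service="example.com", replace_authen_domain=True)
    return {
        "default_order": by_default,                        # 'corp-by-dnis'
        "domain_first": by_domain_first,                    # 'isp-a'
        "screened_tunnel": lookup_tunnel(GROUPS, screened)[0].name,  # 'wholesale-vpn'
        "preauth_name": preauth_identity(screened),         # 'user-2@example.com'
        "lns_name": lns_session_identity(screened),         # 'user-2@other.org'
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```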

Per-User VPDN AAA

If remote AAA is used for VPDN, the NAS that receives the call from a user forwards information about that user to its remote AAA server. With basic VPDN, the NAS sends the user domain name when performing authentication based on domain name or the telephone number the user dialed in from when performing authentication based on DNIS.

When per-user VPDN is configured, the entire structured username is sent to a RADIUS AAA server the first time the router contacts the AAA server. This enables Cisco IOS software to customize tunnel attributes for individual users that use a common domain name or DNIS.

Without VPDN per-user configuration, Cisco IOS software sends only the domain name or DNIS to determine VPDN tunnel attribute information. Then, if no VPDN tunnel attributes are returned, Cisco IOS software sends the entire username string.

VPDN Authorization for Directed Request Users

Directed requests allow users logging in to a NAS to select a RADIUS server for authorization. With directed requests enabled, only the portion of the username before the "@" symbol is sent to the host specified after the "@" symbol. Using directed requests, authorization requests can be directed to any of the configured servers, and only the username is sent to the specified server.

Domain Name Prefix and Suffix Stripping

When a user connects to a NAS configured to use a remote server for AAA, the NAS forwards the username to the remote AAA server. Some RADIUS or TACACS+ servers require the username to be in a particular format, which may be different from the format of the full username. For example, the remote AAA server may require the username to be in the format user@domain.com, but the full username could be prefix/user@domain.com@suffix. Configuring domain name stripping allows the NAS to strip incompatible portions from the full username before forwarding the reformatted username to the remote AAA server.

Beginning in Cisco IOS Release 12.2(13)T, the NAS can be configured to strip generic suffixes from the full username using the suffix delimiter character @. Any portion of the full username that follows the first delimiter that is parsed will be stripped.

Beginning in Cisco IOS Release 12.3(4)T, the NAS can be configured to use a different character or set of characters as the suffix delimiter.

Beginning in Cisco IOS Release 12.4(4)T, the NAS can be configured to strip both suffixes and prefixes from the full username. The NAS can also be configured to strip only specified suffixes instead of performing generic suffix stripping.
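As an added example for the stripping behaviours described above (not code from the Cisco documentation), the following models how a NAS could rewrite the full username before forwarding it to the remote AAA server: generic suffix stripping, a custom delimiter set, prefix stripping and specified-suffix stripping. It assumes that generic stripping cuts at the first delimiter found scanning left to right unless right-to-left parsing is requested, and that a specified suffix is given together with its delimiter; the usernames are constructed samples.

```python
# Constructed model of domain name prefix and suffix stripping on a NAS.
# Not Cisco IOS code. Assumptions: generic stripping cuts at the first
# delimiter parsed left to right unless right_to_left is set; a specified
# suffix is given with its delimiter (for example '@suffix').

def strip_domain(username: str, *, delimiters: str = "@",
                 prefix_delimiters: str = "", strip_suffixes=(),
                 right_to_left: bool = False) -> str:
    """Return the username as it would be forwarded to the remote AAA server."""
    name = username
    # Prefix stripping: drop everything up to and including the first prefix
    # delimiter encountered from the left.
    hits = [name.find(c) for c in prefix_delimiters if c in name]
    if hits:
        name = name[min(hits) + 1:]
    if strip_suffixes:
        # Specified-suffix mode: only a configured suffix is removed; any other
        # trailing material is passed through untouched.
        for suffix in strip_suffixes:
            if name.endswith(suffix) and len(name) > len(suffix):
                return name[:-len(suffix)]
        return name
    # Generic mode: cut at the first delimiter parsed, in the chosen direction.
    if right_to_left:
        hits = [name.rfind(c) for c in delimiters if c in name]
        return name[:max(hits)] if hits else name
    hits = [name.find(c) for c in delimiters if c in name]
    return name[:min(hits)] if hits else name


FULL = "prefix/user@domain.com@suffix"     # constructed full username from the text


def demo():
    return {
        # generic stripping with the default '@': everything after the first '@' goes
        "generic": strip_domain(FULL),                               # 'prefix/user'
        # parse from the right instead: only the trailing '@suffix' goes
        "generic_rtl": strip_domain(FULL, right_to_left=True),       # 'prefix/user@domain.com'
        # prefix delimiter '/' plus a specified suffix yields the form the server wants
        "targeted": strip_domain(FULL, prefix_delimiters="/",
                                 strip_suffixes=("@suffix",)),       # 'user@domain.com'
        # a different delimiter set: '@' and '#'
        "custom_delims": strip_domain("bob#corp@isp.net", delimiters="@#"),  # 'bob'
        # specified-suffix mode leaves an unlisted suffix alone
        "unlisted": strip_domain("alice@isp.net", strip_suffixes=("@other.net",)),  # 'alice@isp.net'
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```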

VPDN Tunnel Authentication

VPDN tunnel authentication enables routers to authenticate the other tunnel endpoint before establishing a VPDN tunnel. VPDN tunnel authentication is required for Layer 2 Forwarding (L2F) tunnels, and optional for Layer 2 Tunneling Protocol (L2TP) tunnels.

For additional information on configuring VPDN tunnel authentication for client-initiated VPDN tunneling deployments, refer to the "Configuring VPDN Tunnel Authentication" section.

VPDN tunnel authentication can be performed in the following ways:

Using local AAA on both the NAS and the tunnel server

Using a remote RADIUS AAA server on the NAS and local AAA on the tunnel server

Using a remote TACACS+ AAA server on the NAS and local AAA on the tunnel server

For L2TP tunnels only, a remote RADIUS AAA server can be used to perform VPDN tunnel authentication on the VPDN tunnel terminator as follows:

Using a remote RADIUS AAA server on the tunnel server for dial-in VPDNs

Using a remote RADIUS AAA server on the NAS for dial-out VPDNs

For detailed information on configuring remote RADIUS or TACACS+ servers, refer to the Cisco IOS Security Configuration Guide, Release 12.4.

RADIUS Tunnel Accounting for L2TP VPDNs

RADIUS tunnel accounting for VPDNs is based on RFC 2867, which defines six RADIUS accounting types; Cisco IOS supports them beginning in Release 12.3(4)T. Without RADIUS tunnel accounting support, VPDN with network accounting does not report all possible attributes to the accounting record file. RADIUS tunnel accounting support allows users to determine tunnel-link status changes. Because all possible attributes can be displayed, users can better verify accounting records with their Internet service providers (ISPs).

VPDN-Specific Remote RADIUS AAA Server Configurations

The following RADIUS attributes are specific to VPDN configurations. For detailed information on configuring remote RADIUS or TACACS+ servers, refer to the Cisco IOS Security Configuration Guide, Release 12.4.

VPDN-specific RADIUS attributes provide the following functionality:

Tunnel server load balancing and failover—The NAS remote RADIUS AAA server can be configured to forward the NAS information about tunnel server priorities.

DNS name support—The NAS AAA server can be configured to resolve Domain Name System (DNS) names and translate them into IP addresses.

Tunnel assignments—The NAS AAA server can be configured to group users from different per-user or domain RADIUS profiles into the same active VPDN tunnel when the tunnel type and tunnel endpoint are identical.

L2TP tunnel connection speed labeling—The NAS AAA server can be configured to perform an authentication check based on the user's connection speed.

Authentication names for NAS-initiated tunnels—The NAS AAA server can be configured with authentication names other than the default names for the NAS and the NAS AAA server.

Shell-Based Authentication of VPDN Users

The NAS and tunnel server can be configured to perform shell-based authentication of VPDN users. Shell-based authentication of VPDN users provides terminal services (shell login or exec login) for VPDN users to support rollout of wholesale dial networks. Authentication of users occurs via shell or exec login at the NAS before PPP starts and the tunnel is established.

A character-mode login dialog is provided before PPP starts, and the login dialog supports schemes such as token-card synchronization and initialization, challenge-based password, and so on. After a user is authenticated in this way, the connection changes from character mode to PPP mode to connect the user to the desired destination. The AAA server that authenticates the login user can be selected based on the dialed DNIS or the domain-name part of the username.

VPDN profiles can be kept by a Resource Pool Manager Server (RPMS), RADIUS-based AAA server, or on the NAS.

How to Configure AAA for VPDNs

To configure AAA for VPDNs, perform the following tasks:

Enabling VPDN on the NAS and the Tunnel Server (required)

Configuring the VPDN Tunnel Authorization Search Order (optional)

Configuring L2TP Domain Screening (optional)

Configuring L2TP Domain Screening, Rules Based (optional)

Configuring AAA on the NAS and the Tunnel Server (optional)

Configuring Remote AAA for VPDNs (optional)

Verifying and Troubleshooting Remote AAA Configurations (optional)

Configuring Directed Request Authorization of VPDN Users (optional)

Configuring Domain Name Prefix and Suffix Stripping (optional)

Configuring VPDN Tunnel Authentication (optional, required for L2F tunnels)

Configuring RADIUS Tunnel Accounting for L2TP VPDNs

Configuring Authentication of L2TP Tunnels at the Tunnel Terminator Remote RADIUS AAA Server (optional)

Configuring DNS Name Support on the NAS Remote RADIUS AAA Server (optional)

Configuring L2TP Tunnel Server Load Balancing and Failover on the NAS Remote RADIUS AAA Server (optional)

Configuring Tunnel Assignments on the NAS Remote RADIUS AAA Server (optional)

Configuring L2TP Tunnel Connection Speed Labeling on the Remote ARS RADIUS AAA Server and the Tunnel Server (optional)

Configuring Secure Tunnel Authentication Names on the NAS Remote RADIUS AAA Server (optional)

Configuring the NAS for Shell-Based Authentication of VPDN Users (optional)

Enabling VPDN on the NAS and the Tunnel Server

Before performing any VPDN configuration tasks, you must enable VPDN on the NAS and the tunnel server. If you are deploying a multihop VPDN tunnel switching architecture, VPDN must be enabled on the tunnel switch as well.

Perform this task on all required devices to enable VPDN.

SUMMARY STEPS

1. enable

2. configure terminal

3. vpdn enable

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

vpdn enable

Example:

Router(config)# vpdn enable

Enables VPDN on the router.

What to Do Next

You may perform the optional task in the "Configuring the VPDN Tunnel Authorization Search Order" section.

You may perform the optional task in the "Configuring L2TP Domain Screening" section.

You may perform the optional task in the "Configuring AAA on the NAS and the Tunnel Server" section.

Configuring the VPDN Tunnel Authorization Search Order

The default search order for VPDN tunnel authorization is to first search by DNIS, then by domain.

Perform this task on the NAS or the tunnel switch to configure the VPDN tunnel authorization search order if you prefer to use an order other than the default order.

Prerequisites

You must perform the task in the "Enabling VPDN on the NAS and the Tunnel Server" section.

Restrictions

Tunnel authorization searches based on the multihop hostname are supported only for multihop tunnel switching deployments.

Multihop tunnel switching based on DNIS numbers or multihop hostnames is supported only in Cisco IOS Release 12.2(13)T and later releases.

SUMMARY STEPS

1. enable

2. configure terminal

3. vpdn search-order {[dnis] [domain] [multihop-hostname]}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

vpdn search-order {[dnis] [domain] [multihop-hostname]}

Example:

Router(config)# vpdn search-order domain dnis

Specifies how the service provider NAS or tunnel switch is to perform VPDN tunnel authorization searches.

At least one search parameter keyword must be specified. You may specify multiple search parameter keywords in any order to define the desired order in which searches will be performed.

Note The multihop-hostname keyword is used only on a device configured as a tunnel switch.

What to Do Next

You may perform the optional task in the "Configuring L2TP Domain Screening" section.

You may perform the optional task in the "Configuring AAA on the NAS and the Tunnel Server" section.

Configuring L2TP Domain Screening

To configure L2TP Domain Screening, enable VPN service and VPDN preauthentication on the LAC. You can enable VPDN preauthentication globally or for specific VPDN groups.

This section contains the following procedures:

Configuring L2TP Domain Screening with Global Preauthentication (required)

L2TP Domain Screening with Global Preauthentication: Example (required)

Configuring L2TP Domain Screening with per-VPDN Group Preauthentication (required)

Configuring L2TP Domain Screening with Global Preauthentication

To configure L2TP Domain Screening with global preauthentication, enable VPN service and enable VPDN preauthentication globally. RADIUS authentication and authorization are required for per-user tunnels.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa authentication ppp {default | list-name} method1 [method2...]

5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

6. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]

7. radius-server key {0 string | 7 string | string}

8. vpdn enable

9. vpdn authen-before-forward

10. interface atm interface-number

11. ip address ip-address mask

12. pvc vpi/vci

13. encapsulation aal5snap

14. protocol pppoe

15. vpn service domain-name [replace-authen-domain]

16. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa new-model

Example:

Router(config)# aaa new-model

Enables the authentication, authorization, and accounting (AAA) access control system.

Step 4 

aaa authentication ppp {default | list-name} method1 [method2...]

Example:

Router(config)# aaa authentication ppp default group radius

Specifies the use of RADIUS authentication for PPP authentication.

Step 5 

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

Example:

Router(config)# aaa authorization network default group radius

Specifies that authorization be run for all network-related service requests and uses group radius as the default method for authorization.

This command is required for the AAA server to provide VPDN attributes.

Step 6 

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]

Example:

Router(config)# radius-server host 10.1.10.1 auth-port 1645 acct-port 1646

Specifies the AAA server that will supply the network access server or L2TP access concentrator (LAC) with the VPDN attributes for the user.

Step 7 

radius-server key {0 string | 7 string | string}

Example:

Router(config)# radius-server key cisco

Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

Step 8 

vpdn enable

Example:

Router(config)# vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database or on a remote authorization server (home gateway), if one is present.

Step 9 

vpdn authen-before-forward

Example:

Router(config)# vpdn authen-before-forward

Enables authentication of all dial-in L2TP sessions before the sessions are forwarded to the tunnel server (global preauthentication).

Step 10 

interface atm interface-number

Example:

Router(config)# interface atm 4/0

Defines an ATM interface.

Step 11 

ip address ip-address mask

Example:

Router(config-if)# ip address 10.0.0.2 255.255.0.0

Sets the primary IP address for this interface.

Step 12 

pvc vpi/vci

Example:

Router(config-if)# pvc 1/20

Enters ATM VC configuration mode for the interface identified by this virtual path identifier/virtual channel identifier pair.

Step 13 

encapsulation aal5snap

Example:

Router(config-if-atm-vc)# encapsulation aal5snap

Configures the encapsulation type for this PVC range. The global default encapsulation option is aal5snap.

Step 14 

protocol pppoe

Example:

Router(config-if-atm-vc)# protocol pppoe

Enables PPP over Ethernet sessions for this PVC.

Step 15 

vpn service domain-name [replace-authen-domain]

Example:

Router(config-if-atm-vc)# vpn service example.com replace-authen-domain

Replaces the domain field with the domain name during preauthentication.

Step 16 

end

Example:

Router(config-if-atm-vc)# end

Ends the current configuration session and returns to privileged EXEC mode.

L2TP Domain Screening with Global Preauthentication: Example

Global preauthentication for L2TP domain screening requires RADIUS authentication and authorization. Each user must have a RADIUS user profile that enables per-user L2TP tunneling.

The following example shows a user profile for user-1@example.net. The address in the vpdn:ip-addresses attribute is that of the LNS interface facing the LAC, and the vpdn:l2tp-tunnel-password value is the shared secret used for L2TP tunnel authentication, so it must match the tunnel password configured on the LNS.

[ /Radius/UserLists/Default/user-1@example.net ]
    Name = user-1@example.net
    Description = TEST
    Password = <encrypted>
    Enabled = TRUE

    cisco-avpair = vpdn:tunnel-type=l2tp
    cisco-avpair = vpdn:l2tp-tunnel-password=tunnel
    cisco-avpair = vpdn:l2tp-hello-interval=60
    cisco-avpair = vpdn:ip-addresses=10.1.1.1
    cisco-avpair = vpdn:tunnel-id=LAC1-1
    Framed-protocol = PPP
    Service-Type = Outbound

Configuring L2TP Domain Screening with per-VPDN Group Preauthentication

To configure L2TP Domain Screening with per-VPDN group preauthentication, enable VPN service and enable VPDN preauthentication by specific VPDN group.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa new-model

4. aaa authentication ppp {default | list-name} method1 [method2...]

5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

6. vpdn enable

7. vpdn-group name

8. request-dialin

9. protocol l2tp

10. domain domain-name

11. exit

12. authen-before-forward

13. initiate-to ip ip-address

14. end

15. configure terminal

16. interface atm interface-number

17. ip address ip-address mask

18. pvc vpi/vci

19. encapsulation aal5snap

20. protocol pppoe

21. vpn service domain-name [replace-authen-domain]

22. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa new-model

Example:

Router(config)# aaa new-model

Enables the AAA access control system.

Step 4 

aaa authentication ppp {default | list-name} method1 [method2...]

Example:

Router(config)# aaa authentication ppp default local

Specifies the use of local authentication for PPP authentication.

Step 5 

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

Example:

Router(config)# aaa authorization network default local

Specifies that authorization be run for all network-related service requests and uses the local database as the default authorization method.

This command is required for the AAA server to provide VPDN attributes.

Step 6 

vpdn enable

Example:

Router(config)# vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database or on a remote authorization server (home gateway), if one is present.

Step 7 

vpdn-group name

Example:

Router(config)# vpdn-group l2tp

Creates a VPDN group and associates a name with it.

Step 8 

request-dialin

Example:

Router(config-vpdn)# request-dialin

Configures the VPDN group to request an L2TP dial-in tunnel.

Step 9 

protocol l2tp

Example:

Router(config-vpdn-req-in)# protocol l2tp

Specifies the tunneling protocol to be used by the VPDN group.

Step 10 

domain domain-name

Example:

Router(config-vpdn-req-in)# domain example.com

Specifies the domain name of users that will be forwarded to the tunnel server.

Step 11 

exit

Example:

Router(config-vpdn-req-in)# exit

Returns to VPDN configuration mode.

Step 12 

authen-before-forward

Example:

Router(config-vpdn)# authen-before-forward

Enables authentication of dial-in L2TP sessions associated with this VPDN group before the sessions are forwarded to the tunnel server (per-VPDN group preauthentication).

Step 13 

initiate-to ip ip-address

Example:

Router(config-vpdn)# initiate-to ip 10.2.2.2

Specifies the IP address of the tunnel server (LNS) to which L2TP tunnels for this VPDN group are initiated.

Step 14 

end

Example:

Router(config-vpdn)# end

Returns to privileged EXEC mode.

Step 15 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 16 

interface atm interface-number

Example:

Router(config)# interface atm 4/0

Defines an ATM interface.

Step 17 

ip address ip-address mask

Example:

Router(config-if)# ip address 10.0.0.2 255.255.0.0

Sets the primary IP address for this interface.

Step 18 

pvc vpi/vci

Example:

Router(config-if)# pvc 1/20

Enters ATM VC configuration mode for the interface identified by this virtual path identifier/virtual channel identifier pair.

Step 19 

encapsulation aal5snap

Example:

Router(config-if-atm-vc)# encapsulation aal5snap

Configures the encapsulation type for this PVC. The global default encapsulation option is aal5snap.

Step 20 

protocol pppoe

Example:

Router(config-if-atm-vc)# protocol pppoe

Enables PPP over Ethernet sessions for this PVC.

Step 21 

vpn service domain-name [replace-authen-domain]

Example:

Router(config-if-atm-vc)# vpn service example.com replace-authen-domain

Replaces the domain field of the username supplied by the subscriber with domain-name during preauthentication, so the domain used for authentication and tunnel selection is the one configured on the PVC rather than the one the subscriber typed.

Step 22 

end

Example:

Router(config-if-atm-vc)# end

Ends the current configuration session and returns to privileged EXEC mode.

Configuring L2TP Domain Screening, Rules Based

To configure rules-based L2TP domain screening, proceed with the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type control policy-map-name

4. class type control {control-class-name | always} event event-name

5. action-number collect [aaa list list-name] identifier {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}

6. action-number set variable-name identifier identifier-type

7. action-number substitute variable-name matching-pattern rewrite-pattern

8. action-number authenticate [variable variable-name] [aaa list method-list-name]

9. end

Note that if you specify the default method list for any of the control policy actions, the default list will not appear in the output of the show running-config command. For example, if you configure the following command:

Router(config-control-policymap-class-control)# 1 authenticate aaa list default

the following will display in the output for the show running-config command:

1 authenticate

Named method lists will display in the show running-config command output.

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type control policy-map-name

Example:

Router(config)# policy-map type control start-up-ppp

Creates or modifies a control policy map, which is used to define a control policy.

Step 4 

class type control {control-class-name | always} event event-name

Example:

Router(config-control-policymap)# class type control always event session-start

Specifies a control class for which actions may be configured.

A policy rule for which the control class is always will always be treated as the lowest priority rule within the control policy map.

Step 5 

action-number collect [aaa list list-name] identifier {authen-status | authenticated-domain | authenticated-username | dnis | media | mlp-negotiated | nas-port | no-username | protocol | service-name | source-ip-address | timer | tunnel-name | unauthenticated-domain | unauthenticated-username}

Example:

Router(config-control-policymap-class-control)# 1 collect identifier unauthenticated-username

(Optional) Collects the specified subscriber identifier from the access protocol.

Step 6 

action-number set variable-name identifier identifier-type

Example:

Router(config-control-policymap-class-control)# 2 set NEWNAME identifier unauthenticated-username

Creates a variable (temporary memory space) that holds the value of the specified identifier as received by the policy manager; here it is a copy of the username the subscriber supplied.

Step 7 

action-number substitute variable-name matching-pattern rewrite-pattern

Example:

Router(config-control-policymap-class-control)# 3 substitute NEWNAME "(.*@).*" "\1example.com"

Matches the contents of variable-name against matching-pattern and performs the substitution defined in rewrite-pattern. If the pattern does not match, the variable is left unchanged.

Step 8 

action-number authenticate [variable variable-name] [aaa list method-list-name]

Example:

Router(config-control-policymap-class-control)# 4 authenticate variable NEWNAME aaa list LIST1

Initiates an authentication request using the contents of variable-name instead of the default unauthenticated-username, so the AAA server sees the rewritten username rather than the one the subscriber typed.

Step 9 

end

Example:

Router(config-control-policymap-class-control)# end

Returns to privileged EXEC mode.

Configuring L2TP Domain Screening, Rules Based: Example

The following example shows a policy map configuration for rules-based L2TP domain screening. Whatever domain the subscriber supplies after the @ is rewritten to example.com before the authentication request is sent:

policy-map type control REPLACE_WITH_example.com
 class type control always event session-start
  1 collect identifier unauthenticated-username
  2 set NEWNAME identifier unauthenticated-username
  3 substitute NEWNAME "(.*@).*" "\1example.com"
  4 authenticate variable NEWNAME aaa list EXAMPLE
  5 service-policy type service name example

policy-map type service example
 service vpdn group 1

bba-group pppoe global
 virtual-template 1
!
interface Virtual-Template1
 service-policy type control REPLACE_WITH_example.com
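The following is an added example, not Cisco IOS code and not part of the original guide. It models the four actions of the control policy above in Python so that the rewrite rule "(.*@).*" -> "\1example.com" can be run against sample usernames; ControlPolicy, Session, screen() and the sample usernames are assumptions made for this example. It shows what the rule buys you: a subscriber who sends bob@othercorp.com is authenticated as bob@example.com and can therefore only be forwarded to the tunnel that belongs to the domain this policy enforces, while a username with no @ is left untouched because the pattern never matches, and a username containing two @ signs keeps everything up to its last @ because (.*@) is greedy.

```python
r"""Model of the rules-based L2TP domain screening policy shown above.

Added example, not Cisco IOS code. It re-implements the four policy
actions (collect, set, substitute, authenticate variable) in plain
Python so the rewrite rule "(.*@).*" -> "\1example.com" can be run
against constructed usernames. ControlPolicy, Session and screen() are
names chosen for this example and exist nowhere in IOS.
"""
import re
from dataclasses import dataclass, field

FORCED_DOMAIN = "example.com"   # the domain this policy ties every session to


@dataclass
class Session:
    unauthenticated_username: str                  # username the subscriber sent in PPP
    variables: dict = field(default_factory=dict)  # policy variables (the 'set' targets)
    auth_requests: list = field(default_factory=list)  # usernames handed to AAA


class ControlPolicy:
    """Actions of one 'class type control always event session-start'."""

    def __init__(self, matching_pattern, rewrite_pattern, variable="NEWNAME"):
        self.variable = variable
        self.pattern = re.compile(matching_pattern)
        self.rewrite = rewrite_pattern

    def collect(self, s):
        # 1 collect identifier unauthenticated-username
        return s.unauthenticated_username

    def set(self, s):
        # 2 set NEWNAME identifier unauthenticated-username
        s.variables[self.variable] = self.collect(s)

    def substitute(self, s):
        # 3 substitute NEWNAME "(.*@).*" "\1example.com"
        # A non-matching pattern leaves the variable unchanged.
        s.variables[self.variable] = self.pattern.sub(
            self.rewrite, s.variables[self.variable], count=1)

    def authenticate(self, s):
        # 4 authenticate variable NEWNAME aaa list EXAMPLE
        # AAA only ever sees the rewritten name, never the one the subscriber typed.
        name = s.variables[self.variable]
        s.auth_requests.append(name)
        return name

    def run(self, s):
        self.set(s)
        self.substitute(s)
        return self.authenticate(s)


# The same rule as in the configuration; the raw string keeps \1 a back-reference.
POLICY = ControlPolicy(r"(.*@).*", r"\1" + FORCED_DOMAIN)


def screen(username):
    """Return the username that reaches AAA for a subscriber who sent `username`."""
    return POLICY.run(Session(username))


if __name__ == "__main__":
    # Constructed inputs: a legitimate user, one trying to reach another
    # customer's tunnel through its domain, one with no domain, one with two @.
    for u in ("alice@example.com", "bob@othercorp.com", "carol",
              "dave@evil.com@othercorp.com"):
        print(f"{u:30} -> {screen(u)}")
```

The patterns used here contain only a group, `.*` and a `\1` back-reference, exactly as written in the rule above; the two-@ input is included only to make the greedy behaviour of `(.*@)` visible, and says nothing about how IOS itself parses a username with more than one @.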

Configuring per-User VPDN on the NAS

If remote AAA is used for VPDN, the NAS that receives the call from a user forwards information about that user to its remote AAA server. With basic VPDN, the NAS sends only the domain portion of the username when performing authorization based on domain name, or only the number the user dialed when performing authorization based on DNIS.

When per-user VPDN is configured, the entire structured username is sent to a RADIUS AAA server the first time the router contacts the AAA server. This enables Cisco IOS software to customize tunnel attributes for individual users that use a common domain name or DNIS.

Without VPDN per-user configuration, Cisco IOS software sends only the domain name or DNIS to determine VPDN tunnel attribute information. Then, if no VPDN tunnel attributes are returned, Cisco IOS software sends the entire username string.

Per-user VPDN can be configured globally, or for individual VPDN groups. The VPDN group configuration will take precedence over the global configuration.
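The following is an added example, not Cisco IOS code and not part of the original guide. It models the lookup order described above against a constructed in-memory RADIUS table whose profiles are written as cisco-avpair strings in the same vpdn: form as the user profile in the earlier global preauthentication example; parse_vpdn_avpairs(), lookup_tunnel(), the sample profiles and the choice of which attributes count as "tunnel attributes" are assumptions made for this example. It shows why per-user VPDN matters: with basic VPDN the shared example.net domain profile answers first, so a user-specific profile (user-2 here, pointing at a different LNS) is never consulted; with per-user VPDN the full structured username is sent on the first request and user-2's own tunnel attributes win.

```python
"""Model of how a NAS looks up VPDN tunnel attributes, basic vs per-user.

Added example, not Cisco IOS code. The RADIUS "server" is a constructed
in-memory table of profiles written as cisco-avpair strings in the same
vpdn: form as the user profile earlier on this page. parse_vpdn_avpairs()
and lookup_tunnel() are names chosen for this example. What happens when a
per-user profile carries no tunnel attributes is not described on this
page, so the model simply reports that no tunnel was found.
"""
import re

# Constructed RADIUS user list: a domain profile shared by everyone in
# example.net, user-1 with the same attributes as the profile shown on this
# page, user-2 whose tunnel goes to a different LNS, and user-3 who
# authenticates but has no tunnel attributes at all.
RADIUS_PROFILES = {
    "example.net": [
        "vpdn:tunnel-type=l2tp",
        "vpdn:l2tp-tunnel-password=tunnel",
        "vpdn:ip-addresses=10.1.1.1",
        "vpdn:tunnel-id=LAC1-1",
    ],
    "user-1@example.net": [
        "vpdn:tunnel-type=l2tp",
        "vpdn:l2tp-tunnel-password=tunnel",
        "vpdn:l2tp-hello-interval=60",
        "vpdn:ip-addresses=10.1.1.1",
        "vpdn:tunnel-id=LAC1-1",
    ],
    "user-2@example.net": [
        "vpdn:tunnel-type=l2tp",
        "vpdn:l2tp-tunnel-password=tunnel2",
        "vpdn:ip-addresses=10.1.1.2",
        "vpdn:tunnel-id=LAC1-2",
    ],
    "user-3@example.net": [],
}

# Minimum set this model treats as "tunnel attributes were returned" (assumption).
REQUIRED_ATTRS = ("tunnel-type", "ip-addresses")


def parse_vpdn_avpairs(avpairs):
    """Turn 'vpdn:key=value' strings into a dict; ip-addresses becomes a list."""
    attrs = {}
    for pair in avpairs:
        m = re.fullmatch(r"vpdn:([a-z0-9-]+)=(.*)", pair)
        if not m:
            continue                      # not a vpdn: attribute, ignored here
        key, value = m.groups()
        attrs[key] = value.split() if key == "ip-addresses" else value
    return attrs


def radius_query(key):
    """One Access-Request keyed on `key`; None if the server has no such profile."""
    if key not in RADIUS_PROFILES:
        return None
    return parse_vpdn_avpairs(RADIUS_PROFILES[key])


def has_tunnel_attrs(attrs):
    return attrs is not None and all(k in attrs for k in REQUIRED_ATTRS)


def lookup_tunnel(username, per_user=False):
    """Return (keys_sent_to_radius, tunnel_attrs or None).

    Basic VPDN: the domain is queried first and the full username is sent
    only if no tunnel attributes come back. Per-user VPDN: the full
    structured username is sent on the very first request.
    """
    domain = username.rsplit("@", 1)[1] if "@" in username else None
    order = [username] if per_user else [k for k in (domain, username) if k]
    sent = []
    for key in order:
        sent.append(key)
        attrs = radius_query(key)
        if has_tunnel_attrs(attrs):
            return sent, attrs
    return sent, None


if __name__ == "__main__":
    for user in ("user-1@example.net", "user-2@example.net",
                 "user-3@example.net", "nobody@other.org"):
        for mode in (False, True):
            sent, attrs = lookup_tunnel(user, per_user=mode)
            lns = attrs["ip-addresses"] if attrs else "no tunnel"
            print(f"{'per-user' if mode else 'basic   '} {user:20} "
                  f"queries={sent} -> {lns}")
```

The DNIS-based variant follows the same shape with the dialed number in place of the domain as the first key; it is omitted here to keep the two paths the page contrasts side by side.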

Perform one of the following tasks on the NAS to configure per-user VPDN:

Configuring Global per-User VPDN (optional)

Configuring per-User VPDN for a VPDN Group (optional)

Prerequisites

The NAS remote RADIUS server must be configured for AAA. For more information on configuring remote RADIUS AAA servers refer to the Cisco IOS Security Configuration Guide, Release 12.4.

Restrictions

Per-user VPDN configuration supports only RADIUS as the AAA protocol.

This task is compatible only with NAS-initiated dial-in VPDN scenarios.

Configuring Global per-User VPDN

Configuring per-user VPDN on a NAS causes the NAS to send the entire structured username of the user to a RADIUS AAA server the first time the NAS contacts the AAA server. Per-user VPDN can be configured globally, or for individual VPDN groups. Configuring per-user VPDN globally will apply per-user VPDN to all request-dialin VPDN groups configured on the NAS.

Perform this task on the NAS to configure global per-user VPDN.

SUMMARY STEPS

1. enable

2. configure terminal

3. vpdn authen-before-forward

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.