Table Of Contents
Enable Multilink PPP via RADIUS for Preauthentication User
Roles of the L2TP Access Server and L2TP Network Server
New Vendor-Specific Attributes
Verifying MLP Negotiation via RADIUS in Preauthentication
LAC for MLP Configuration: Example
LAC RADIUS Profile for Preauthentication: Example
LNS for MLP Configuration: Example
Enable Multilink PPP via RADIUS for Preauthentication User
First Published: 12.2(11)TLast Updated: February 28, 2006The Enable Multilink PPP via RADIUS for Preauthentication User feature allows you to selectively enable and disable Multilink PPP (MLP) negotiation for different users via RADIUS vendor-specific attribute (VSA) preauth:ppp-multilink=1.
History for the Enable Multilink PPP via RADIUS for Preauthentication User Feature
12.2(11)T
This feature was introduced.
12.2(28)SB
This feature was integrated into Cisco IOS Release 12.2(28)SB.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
Feature Overview
The Enable Multilink PPP via RADIUS for Preauthentication User feature allows you to selectively enable and disable Multilink PPP (MLP) negotiation for different users via RADIUS vendor-specific attribute (VSA) preauth:ppp-multilink=1.
You can enable MLP by configuring the ppp multilink command on an interface, but then this command enables MLP negotiation for all connections and users on that interface; that is, you cannot selectively enable or disable MLP negotiation for specific connections and users on an interface.
Note
To enable this feature, the ppp multilink command should not be configured on the interface; this command will disable MLP by default. If the ppp multilink command is already configured on the interface, the attribute "preauth:ppp-multilink=1" will not override this command.
How MLP via RADIUS Works
Because MLP parameters are negotiated at the time of link control protocol (LCP) negotiation, RADIUS VSA preauth:ppp-multilink=1 should only be a part of preauthentication user authorization. You should add this VSA to the preauthentication profile of the user to enable MLP. Thus, MLP will be enabled only for preauthentication users whose profiles contain this VSA; MLP will be disabled for all other users. If the MLP VSA is received during PPP user authorization (as opposed to preauthentication user authorization), it will be too late to negotiate MLP, and MLP will not be enabled.
When this VSA is received during preauthentication user authorization, MLP negotiation for the user is enabled. MLP is enabled when the VSA value is 1. All attribute values other than 1 are ignored.
Roles of the L2TP Access Server and L2TP Network Server
With this feature, you do not need to configure MLP on the interface of the L2TP access server (LAC); during preauthentication user authorization, the LAC will selectively choose to enable MLP for preauthentication users who receive preauth:ppp-multilink=1. On the L2TP network server (LNS), you can control the maximum number of links allowed in the multilink bundle by sending RADIUS VSA multilink:max-links=n during PPP user authorization.
New Vendor-Specific Attributes
This feature introduces the following new VSAs:
•
Turns on MLP on the interface and is applied to the preauthentication profile.
•
Restricts the maximum number of links that a user can have in a multilink bundle and is used with the service=ppp attribute. The range of "n" is from 1 to 255.
•
Sets the minimum number of links for MLP. The range of "n" is from 0 to 255.
•
Sets the load threshold for the caller for which additional links are added or deleted from the multilink bundle. If the load exceeds the specified value, links are added; if the load drops below the specified value, links are deleted. This attribute is used with the service=ppp attribute. The range of "n" is from 1 to 255.
Note
Benefits
Selective Multilink PPP Configuration
MLP negotiation can be selectively enabled and disabled for different users by applying RADIUS VSA preauth:ppp-multilink=1 to the preauthentication profile.
Prerequisites
Before enabling MLP via RADIUS VSA preauth:ppp-multilink=1, you should perform the following tasks:
•
For more information about using VSAs, refer to the section "Configuring Router to Use Vendor-Specific RADIUS Attributes" of the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2.
•
For information about configuring preauthentication, refer to the section "Configuring AAA Preauthentication" of the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2.
Configuration Tasks
None
Verifying MLP Negotiation via RADIUS in Preauthentication
To display bundle information for the MLP bundles, use the show ppp multilink EXEC command.
Router# show ppp multilinkVirtual-Access1, bundle name is mlpuserBundle up for 00:00:15Dialer interface is Serial0:230 lost fragments, 0 reordered, 0 unassigned0 discarded, 0 lost received, 1/255 load0x0 received sequence, 0x0 sent sequenceMember links: 1 (max 7, min 1)Serial0:22, since 00:00:15, no frags rcvdTable 1 describes the significant fields shown when MLP is enabled.
Table 1
show ppp multilink Field Descriptions
Configuration Examples
This section provides dialin VPDN configurations using Cisco VSA ppp-multilink examples:
•
•
•
LAC for MLP Configuration: Example
The following example is a sample configuration that can be used to configure a LAC for MLP via RADIUS:
! Enable preauthenticationaaa preauthgroup radiusdnis required!Enable VPDNvpdn enable!vpdn-group 1request-dialinprotocol l2tpdnis 56118initiate-to ip 10.0.1.22local name lac-router! Don't need to configure multilink on the interface! Multilink will be enabled by "ppp-multilink" attributeinterface Serial0:23ip address 10.0.1.7 255.0.0.0encapsulation pppdialer-group 1isdn switch-type primary-5essisdn calling-number 56118peer default ip address pool pool1no cdp enableppp authentication chapLAC RADIUS Profile for Preauthentication: Example
The following example shows a LAC RADIUS profile for a preauthentication user who has applied the preauth:ppp-multilink=1 VSA:
56118 Password = "cisco"Service-Type = Outbound,Framed-Protocol = PPP,Framed-MTU = 1500,Cisco-Avpair = "preauth:auth-required=1",Cisco-Avpair = "preauth:auth-type=chap",Cisco-Avpair = "preauth:username=dnis:56118",Cisco-Avpair = "preauth:ppp-multilink=1"LNS for MLP Configuration: Example
The following example is a sample configuration that can be used to configure a LNS to limit the number of links in a MLP bundle:
! Enable VPDNvpdn enable!vpdn-group 1accept-dialinprotocol anyvirtual-template 1terminate-from hostname lac-routerlocal name lns-router!! Configure multilink on interfaceinterface Virtual-Template 1ip unnumbered Ethernet 0/0ppp authentication chapppp multilinkLNS RADIUS Profile: Example
The following example shows a LNS RADIUS profile for specifying the maximum number of links in a multilink bundle. The following multilink VSAs should be specified during PPP user authorization.
mascot password = "cisco"Service-Type = Framed,Framed-Protocol = PPP,Cisco-Avpair = "multilink:max-links=7"Cisco-Avpair = "multilink:min-links=1"Cisco-Avpair = "multilink:load-threshold=128"Additional References
The following sections provide references related to the Enable Multilink PPP via Radius for Preauthentication User feature.
Related Documents
Radius Attributes
•
TACACS + Attibute-Value Pairs
•
Configuring Radius
•
Dial Technologies
•
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
None
Glossary
AAA—authentication, authorization, and accounting. Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
attribute—RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. Because IETF attributes are standard, the attribute data is predefined and well known; thus all clients and servers that exchange AAA information via IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.
L2F—Layer 2 Forwarding. Protocol that supports the creation of secure virtual private dial-up networks over the Internet.
L2TP—Layer 2 Tunnel Protocol. A Layer 2 tunneling protocol that enables an ISP or other access service to create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels.
LAC—L2TP access concentrator. A network access server (NAS) to which the client directly connects and through which PPP frames are tunneled to the L2TP network server (LNS). The LAC need only implement the media over which L2TP is to operate to pass traffic to one or more LNSs. The LAC may tunnel any protocol carried within PPP. The LAC initiates incoming calls and receives outgoing calls. A LAC is analogous to an L2F network access server.
LNS—L2TP network server. A termination point for L2TP tunnels, and an access point where PPP frames are processed and passed to higher-layer protocols. An LNS can operate on any platform that terminates PPP. The LNS handles the server side of the L2TP protocol. L2TP relies only on the single medium over which L2TP tunnels arrive. The LNS initiates outgoing calls and receives incoming calls. An LNS is analogous to a home gateway in L2F technology.
MLP—Multilink PPP. MLP allows packets to be fragmented and the fragments to be sent at the same time over multiple point-to-point links to the same remote address. The multiple links come up in response to a defined dialer load threshold. The load can be calculated on inbound traffic, outbound traffic, or on either, as needed for the traffic between the specific sites. MLP provides bandwidth on demand and reduces transmission latency across WAN links.
MLP is designed to work over synchronous and asynchronous serial and BRI and PRI types of single or multiple interfaces that have been configured to support both dial-on-demand rotary groups and PPP encapsulation.
RADIUS—Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
VSA—Vendor-Specific Attribute. VSAs derived from one IETF attribute—vendor-specific (attribute 26). Attribute 26 allows a vendor to create and implement an additional 255 attributes. That is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26: essentially, Vendor-Specific = "protocol:attribute=value."
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2001, 2005-2006 Cisco Systems, Inc. All rights reserved.
Guest
