Table Of Contents
L2TP Large-Scale Dial-Out per-User Attribute via AAA
Restrictions for Using L2TP Large-Scale Dial-Out per-User Attribute via AAA
Information About L2TP Large-Scale Dial-Out per-User Attribute via AAA
How the L2TP Large-Scale Dial-Out per-User Attribute via AAA Feature Works
How to Configure L2TP Large-Scale Dial-Out per-User Attribute via AAA
Configuring the VPDN Group on the LNS
Verifying the Configuration on the Virtual Access Interface
Troubleshooting the Configuration on the Virtual Access Interface
Configuration Examples for L2TP Large-Scale Dial-Out per-User Attribute via AAA
Per-User AAA Attributes Profile Example
Virtual Access Interface Configuration Verification Example
Virtual Access Interface Configuration Troubleshooting Example
L2TP Large-Scale Dial-Out per-User Attribute via AAA
This feature makes it possible for IP per-user attributes to be applied to a Layer 2 Tunneling Protocol (L2TP) dial-out session.
Feature Specifications for L2TP Large-Scale Dial-Out per-User Attribute via AAA
Feature History
Release      Modification
12.2(15)T    This feature was introduced.
Supported Platforms
Cisco 7200, Cisco 7400
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Restrictions for Using L2TP Large-Scale Dial-Out per-User Attribute via AAA
•
Information About L2TP Large-Scale Dial-Out per-User Attribute via AAA
•
How to Configure L2TP Large-Scale Dial-Out per-User Attribute via AAA
•
Configuration Examples for L2TP Large-Scale Dial-Out per-User Attribute via AAA
Restrictions for Using L2TP Large-Scale Dial-Out per-User Attribute via AAA
The L2TP Large-Scale Dial-Out per-User Attribute via AAA feature does not support the following features associated with L2TP dial-out:
•
Dialer Watch
•
Dialer backup
•
Dialer redial
•
Dialer multiple number dial
•
Callback initiated by an L2TP network server (LNS), the Bandwidth Allocation Protocol (BAP), and so on
Information About L2TP Large-Scale Dial-Out per-User Attribute via AAA
To configure the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature, you need to understand the following concept:
•
How the L2TP Large-Scale Dial-Out per-User Attribute via AAA Feature Works
How the L2TP Large-Scale Dial-Out per-User Attribute via AAA Feature Works
The L2TP Large-Scale Dial-Out per-User Attribute via AAA feature makes it possible for IP and other per-user attributes to be applied to an L2TP dial-out session from an LNS. Before this feature was released, IP per-user configurations from authentication, authorization, and accounting (AAA) servers were not supported; the IP configuration would come from the dialer interface defined on the router.
The L2TP Large-Scale Dial-Out per-User Attribute via AAA feature works in a way similar to virtual profiles and L2TP dial-in. The L2TP virtual access interface is first cloned from the virtual template, so the configuration on the virtual template interface is applied to the L2TP virtual access interface. After authentication, the AAA per-user configuration is applied on top of it. Because AAA per-user attributes are applied only after the user has been authenticated, the LNS must be configured to authenticate the dial-out user; the feature does not work unless authentication is configured on the virtual template. Until that authentication completes, the interface carries only what the virtual template supplies, so the template should provide a safe baseline rather than rely on the per-user attributes for its restrictions.
With the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature, all software components can now use the configuration present on the virtual access interface rather than what is present on the dialer interface. For example, IP Control Protocol (IPCP) address negotiation uses the local address of the virtual access interface as the router address while negotiating with the peer.
All Cisco IOS commands that can be configured as AAA per-user commands are supported by the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature. Following is a list of some of the commands that are typically configured on a per-user basis:
•
The ip vrf forwarding interface configuration command
•
The ip unnumbered loopback0 interface configuration command
•
Per-user static routes
•
Access lists
•
Multilink bundles
•
Idle timers
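The per-user items listed above reach the LNS as RADIUS attributes (cisco-avpair strings such as ip:inacl#N, lcp:interface-config, and Framed-Route) and can be confirmed afterwards on the virtual access interface, as the Per-User AAA Attributes Profile Example and the Virtual Access Interface Configuration Verification Example later in this document show. The following Python script is an added example, not code from this guide or from Cisco IOS. It parses a users-file profile (a constructed sample mirroring the 5300-Router1 entry), orders the ip:inacl#/ip:outacl# avpairs numerically into the ACL the LNS will build, flags a profile whose ACL ends in permit ip any any, and checks a constructed show interfaces virtual-access configuration output for the commands the profile should have pushed. The access-group names in the sample output and the normalisation of "loopback 0" to "Loopback0" are assumptions.

```python
import re

# Constructed sample in the RADIUS users-file style used on this page; it
# mirrors the 5300-Router1 entry and is not taken from any real server.
SAMPLE_PROFILE = '''5300-Router1 Password = "cisco"
    Service-Type = Framed
    Framed-Protocol = PPP
    cisco-avpair = "lcp:interface-config=ip unnumbered loopback 0"
    cisco-avpair = "ip:outacl#1=deny ip host 10.5.5.5 any log"
    cisco-avpair = "ip:outacl#2=permit ip any any"
    cisco-avpair = "ip:inacl#1=deny ip host 10.5.5.5 any log"
    cisco-avpair = "ip:inacl#2=permit ip any any"
    cisco-avpair = "multilink:min-links=2"
    Framed-Route = "10.5.5.6/32 Ethernet4/0"
    Framed-Route = "10.5.5.5/32 Ethernet4/0"
    Idle-Timeout = 100
'''

# Constructed sample of 'show interfaces virtual-access 3 configuration' as it
# would read once that profile had been applied (the ACL names are assumed).
SAMPLE_SHOW = '''Virtual-Access3 is an VPDN link (sub)interface
Derived configuration : 212 bytes
!
interface Virtual-Access3
 ip unnumbered Loopback0
 ip access-group Virtual-Access3#41 in
 ip access-group Virtual-Access3#42 out
 no peer default ip address
 ppp authentication chap
end
'''

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')
ACL_RE = re.compile(r'^ip:(inacl|outacl)#(\d+)=(.*)$')

def parse_profile(text):
    """Return {username: [(attribute, value), ...]}, keeping order and duplicates."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented: 'name Password = "..."'
            name, _, line = line.partition(' ')
            current = users.setdefault(name, [])
        m = ATTR_RE.match(line)
        if m is None or current is None:
            raise ValueError('unparseable profile line: %r' % line)
        current.append((m.group(1), m.group(2)))
    return users

def expand_acls(attrs):
    """Order ip:inacl#N / ip:outacl#N avpairs as the LNS will build the ACL.
    Sorting is numeric (so #10 follows #9) and a repeated index is rejected
    instead of silently overwriting an earlier entry."""
    acls = {'inacl': {}, 'outacl': {}}
    for attr, value in attrs:
        m = ACL_RE.match(value) if attr == 'cisco-avpair' else None
        if m:
            direction, idx, entry = m.group(1), int(m.group(2)), m.group(3)
            if idx in acls[direction]:
                raise ValueError('duplicate %s#%d' % (direction, idx))
            acls[direction][idx] = entry
    return {d: [e for _, e in sorted(v.items())] for d, v in acls.items()}

def interface_commands(attrs):
    """Interface commands the profile pushes through lcp:interface-config."""
    return [v.split('=', 1)[1] for a, v in attrs
            if a == 'cisco-avpair' and v.startswith('lcp:interface-config=')]

def check_profile(attrs):
    """Review points to raise before trusting a per-user profile."""
    warnings = []
    for direction, entries in expand_acls(attrs).items():
        if not entries:
            warnings.append('no %s: that direction is unfiltered' % direction)
        elif entries[-1].startswith('permit ip any any'):
            warnings.append('%s ends in "permit ip any any"; only the explicit '
                            'denies above it restrict anything' % direction)
    has_number = any(a == 'cisco-avpair' and v.startswith('outbound:dial-number=')
                     for a, v in attrs)
    if dict(attrs).get('Service-Type') == 'Outbound' and not has_number:
        warnings.append('Service-Type Outbound without outbound:dial-number')
    return warnings

def derived_config(show_output):
    """Commands inside the 'Derived configuration' block of the show output."""
    cmds, inside = [], False
    for line in show_output.splitlines():
        s = line.strip()
        if s.startswith('interface Virtual-Access'):
            inside = True
        elif s == 'end':
            inside = False
        elif inside and s:
            cmds.append(s)
    return cmds

def _norm(cmd):
    # IOS rewrites 'loopback 0' as 'Loopback0'; compare ignoring case and spaces.
    return re.sub(r'\s+', '', cmd).lower()

def missing_from_vaccess(attrs, show_output):
    """Per-user items the profile should have pushed but the interface lacks."""
    present = [_norm(c) for c in derived_config(show_output)]
    missing = [c for c in interface_commands(attrs) if _norm(c) not in present]
    acls = expand_acls(attrs)
    for direction, suffix in (('inacl', 'in'), ('outacl', 'out')):
        # an applied ACL shows as 'ip access-group Virtual-AccessN#<n> in|out'
        if acls[direction] and not any(p.startswith('ipaccess-group')
                                       and p.endswith(suffix) for p in present):
            missing.append('ip access-group ... %s' % suffix)
    return missing

if __name__ == '__main__':
    attrs = parse_profile(SAMPLE_PROFILE)['5300-Router1']
    print('ACLs:', expand_acls(attrs))
    print('warnings:', check_profile(attrs))
    print('missing on Vi3:', missing_from_vaccess(attrs, SAMPLE_SHOW))
```

Run against a real profile and the real show output, the missing list is empty when every per-user command landed on the interface; anything left over is what to chase with debug aaa per-user and debug vtemplate cloning. The ordering check matters because a server that emits inacl#10 before inacl#2 still yields the ACL in index order on the LNS, which is what this script reproduces.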
How to Configure L2TP Large-Scale Dial-Out per-User Attribute via AAA
This section contains the following procedures:
•
Configuring the VPDN Group on the LNS (required)
•
Verifying the Configuration on the Virtual Access Interface (optional)
•
Troubleshooting the Configuration on the Virtual Access Interface (optional)
Configuring the VPDN Group on the LNS
You will need to configure the virtual template under the request-dialout VPDN subgroup. You will also need to select the tunneling protocol and assign the virtual private dial-up network (VPDN) subgroup to a rotary group.
AAA per-user configuration is supported only on legacy dialer or dialer rotary groups; it is not applicable to dialer profiles.
Be sure to configure the virtual template so that the LNS authenticates the dial-out user.
If a virtual template is not configured, L2TP dial-out per-user is not supported, but the configuration is backward compatible for all IP configurations that come from the dialer interface.
Prerequisites
The L2TP Large-Scale Dial-Out per-User Attribute via AAA feature provides additional functionality for large-scale dial-out networks and Layer 2 tunneling. It is assumed that a network is already configured and operational, and that the tasks in this document will be performed on an operational network. See the "Additional References" section for more information about large-scale dial-out networks, Layer 2 tunneling, and virtual template interfaces.
Restrictions
If the tasks in this section are not performed, the software will operate in the original mode, that is, IP per-user configurations from a AAA server will not be recognized and IP addresses will come from the dialer interface defined on the router.
To configure the VPDN group that makes it possible for IP per-user attributes to be applied to an L2TP dial-out session, use the following commands:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
vpdn-group name
4.
request-dialout
5.
protocol l2tp
6.
rotary-group group-number
7.
virtual-template template-number
8.
exit
DETAILED STEPS
What to Do Next
The configuration for the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature must include a AAA profile to specify the per-user attributes. See the "Per-User AAA Attributes Profile Example" for an example of such a profile.
Verifying the Configuration on the Virtual Access Interface
This task verifies that the per-user AAA commands are successfully parsed on the virtual access interface.
SUMMARY STEPS
1.
enable
2.
show interfaces virtual-access number [configuration]
DETAILED STEPS
Troubleshooting the Configuration on the Virtual Access Interface
This task displays additional information about the per-user AAA commands that are parsed on the virtual access interface.
SUMMARY STEPS
1.
Attach a console directly to a router.
2.
enable
3.
configure terminal
4.
no logging console
5.
Use Telnet to access a router port and repeat Steps 2 and 3.
6.
terminal monitor
7.
exit
8.
debug aaa per-user
9.
debug vtemplate events
10.
debug vtemplate cloning
11.
configure terminal
12.
no terminal monitor
13.
exit
DETAILED STEPS
Configuration Examples for L2TP Large-Scale Dial-Out per-User Attribute via AAA
This section provides the following configuration examples to show how to configure the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature:
•
Per-User AAA Attributes Profile Example
•
Virtual Access Interface Configuration Verification Example
•
Virtual Access Interface Configuration Troubleshooting Example
LNS Configuration Example
The following partial example shows how to configure an LNS for the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature:
!
vpdn enable
vpdn search-order domain
!
vpdn-group 1
 ...
 request-dialout
  protocol l2tp
  rotary-group 1
  virtual-template 1
 initiate-to ip 10.0.1.194.2
 local name lns
 l2tp tunnel password 7094F3$!5^3
 source-ip 10.0.194.53
!
Per-User AAA Attributes Profile Example
The following example shows the attribute-value pair (avpair) statements for a AAA profile to specify the per-user attributes:
5300-Router1-out Password = "cisco"
    Service-Type = Outbound
    cisco-avpair = "outbound:dial-number=5553021"

7200-Router1-1 Password = "cisco"
    Service-Type = Outbound
    cisco-avpair = "ip:route=10.17.17.1 255.255.255.255 Dialer1 100 name 5300-Router1"

5300-Router1 Password = "cisco"
    Service-Type = Framed
    Framed-Protocol = PPP
    cisco-avpair = "lcp:interface-config=ip unnumbered loopback 0"
    cisco-avpair = "ip:outacl#1=deny ip host 10.5.5.5 any log"
    cisco-avpair = "ip:outacl#2=permit ip any any"
    cisco-avpair = "ip:inacl#1=deny ip host 10.5.5.5 any log"
    cisco-avpair = "ip:inacl#2=permit ip any any"
    cisco-avpair = "multilink:min-links=2"
    Framed-Route = "10.5.5.6/32 Ethernet4/0"
    Framed-Route = "10.5.5.5/32 Ethernet4/0"
    Idle-Timeout = 100
Virtual Access Interface Configuration Verification Example
The following example shows the virtual access interface configuration so you can check that the per-user AAA commands are correctly parsed:
Router# show interfaces virtual-access 3 configuration
Virtual-Access3 is an VPDN link (sub)interface
Derived configuration : 212 bytes
!
interface Virtual-Access3
 ip vrf forwarding V1.25.com
 ip unnumbered Loopback25
 no peer default ip address
 ppp authentication chap
end
Virtual Access Interface Configuration Troubleshooting Example
This section provides the following debugging session examples for a network configured with the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature. Output is displayed for each command in the task.
Sample Output for the debug aaa per-user Command
Router# debug aaa per-user
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
AAA/AUTHOR: Processing PerUser AV interface-config
AAA/AUTHOR: Processing PerUser AV route
AAA/AUTHOR: Processing PerUser AV route
AAA/AUTHOR: Processing PerUser AV outacl
AAA/AUTHOR: Processing PerUser AV outacl
AAA/AUTHOR: Processing PerUser AV inacl
AAA/AUTHOR: Processing PerUser AV inacl
Vi3 AAA/PERUSER/ROUTE: vrf name for vaccess: V1.25.com
Vi3 AAA/PERUSER/ROUTE: route string: IP route vrf V1.25.com 10.1.25.10 255.255.255.255 10.1.25.20 tag 120
Vi3 AAA/PERUSER/ROUTE: vrf name for vaccess: V1.25.com
Vi3 AAA/PERUSER/ROUTE: route string: IP route vrf V1.25.com 172.30.35.0 255.255.255.0 10.1.25.20 tag 120
AAA/PER-USER: mode = config; command = [ip access-list extended Virtual-Access3#41
permit icmp any any log
permit ip any any
]
AAA/PER-USER: line = [ip access-list extended Virtual-Access3#41]
AAA/PER-USER: line = [permit icmp any any log]
AAA/PER-USER: line = [permit ip any any]
AAA/PER-USER: mode = config; command = [ip access-list extended Virtual-Access3#42
permit icmp any any log
permit ip any any
]
AAA/PER-USER: line = [ip access-list extended Virtual-Access3#42]
AAA/PER-USER: line = [permit icmp any any log]
AAA/PER-USER: line = [permit ip any any]
AAA/PER-USER: mode = config; command = [IP route vrf V1.25.com 10.1.25.10 255.255.255.255 10.1.25.20 tag 120
IP route vrf V1.25.com 172.30.35.0 255.255.255.0 10.1.25.20 tag 120
]
AAA/PER-USER: line = [IP route vrf V1.25.com 10.1.25.10 255.255.255.255 10.1.25.20 tag 120]
AAA/PER-USER: line = [IP route vrf V1.25.com 172.30.35.0 255.255.255.0 10.1.25.20 tag 120]
*Feb 28 07:35:19.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Sample Output for the debug vtemplate events and debug vtemplate cloning Commands
Router# debug vtemplate events
Router# debug vtemplate cloning
VT[Vi3]:Reuse interface, recycle queue size 1
VT[Vi3]:Set to default using 'encap ppp'
VT[Vi3]:Vaccess created
VT[Vi3]:Added new vtemplate cloneblk, now cloning from vtemplate
VT[Vi3]:Clone Vaccess from Virtual-Template25 (19 bytes)
VT[Vi3]:no ip address
VT[Vi3]:end
VT[Vi3]:Applying config commands on process "Dialer event" (25)
VT[Vi3]:no ip address
VT[Vi3]:end
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
VT:Sending vaccess request, id 0x6401947C
VT:Processing vaccess requests, 1 outstanding
VT[Vi3]:Added new AAA cloneblk, now cloning from vtemplate/AAA
VT[Vi3]:Clone Vaccess from AAA (60 bytes)
VT[Vi3]:ip vrf forwarding V1.25.com
VT[Vi3]:ip unnumbered loopback25
VT[Vi3]:end
VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (160)
VT[Vi3]:ip vrf forwarding V1.25.com
VT[Vi3]:ip unnumbered loopback25
VT[Vi3]:end
VT[Vi3]:MTUs ip 1500, sub 0, max 1500, default 1500
VT[Vi3]:Processing vaccess response, id 0x6401947C, result success (1)
VT[Vi3]:Added new AAA cloneblk, now cloning from vtemplate/AAA
VT[Vi3]:Clone Vaccess from AAA (82 bytes)
VT[Vi3]:IP access-group Virtual-Access3#51 in
VT[Vi3]:IP access-group Virtual-Access3#52 out
VT[Vi3]:end
VT[Vi3]:Applying config commands on process "PPP IP Route" (62)
VT[Vi3]:IP access-group Virtual-Access3#51 in
VT[Vi3]:IP access-group Virtual-Access3#52 out
VT[Vi3]:end
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Additional References
For additional information related to L2TP large-scale dial-out per-user attributes using a AAA server, see the following sections:
•
Related Documents
•
Standards
•
MIBs
•
RFCs
•
Technical Assistance
Related Documents
Related Topic                          Document Title
Large-scale dial-out                   Cisco IOS Dial Technologies Configuration Guide, Release 12.2; refer to the chapter "Configuring Large-Scale Dial-Out."
VPDN groups                            Cisco IOS Dial Technologies Configuration Guide, Release 12.2; refer to the chapter "Configuring Virtual Private Networks."
Virtual interfaces                     Cisco IOS Dial Technologies Configuration Guide, Release 12.2; refer to the chapter "Configuring Virtual Template Interfaces."
Per-user configuration                 Cisco IOS Dial Technologies Configuration Guide, Release 12.2; refer to the chapter "Configuring Per-User Configuration."
Descriptions of debug command output   Cisco IOS Debug Command Reference, Release 12.2.
Standards
MIBs
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
Technical Assistance
Command Reference
This section documents the modified virtual-template VPDN subgroup configuration command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.
virtual-template
To specify which virtual template will be used to clone virtual access interfaces, use the virtual-template command in virtual private dial-up network (VPDN) subgroup configuration mode. To remove the virtual template from a VPDN group, use the no form of this command.
virtual-template template-number
no virtual-template
Syntax Description
template-number
Number of the virtual template that will be used to clone virtual access interfaces.
Defaults
No virtual template is enabled.
Command Modes
VPDN subgroup
Command History
Usage Guidelines
You must first enable a tunneling protocol on the VPDN group using the protocol VPDN subgroup command before you can enter the virtual-template command. Removing or modifying the protocol command removes the virtual-template command from the VPDN group.
Each VPDN group can clone virtual access interfaces from only one virtual template. If you enter a second virtual-template command on a VPDN group, it replaces the first virtual-template command.
Table 1 lists the VPDN group commands under which the virtual-template command can be entered. Entering the VPDN group command starts VPDN subgroup mode. The table includes the command-line prompt for the VPDN subgroup mode and the type of service configured.
When the virtual-template command is entered under a request-dialout VPDN subgroup, IP and other per-user attributes can be applied to an L2TP dial-out session from an L2TP network server (LNS). Before this command was enhanced, IP per-user configurations from authentication, authorization, and accounting (AAA) servers were not supported; the IP configuration would come from the dialer interface defined on the router.
The enhanced virtual-template command works in a way similar to configuring virtual profiles and L2TP dial-in. The L2TP virtual access interface is first cloned from the virtual template, so the configuration on the virtual template interface is applied to the L2TP virtual access interface. After authentication, the AAA per-user configuration is applied on top of it. Because AAA per-user attributes are applied only after the user has been authenticated, the LNS must be configured to authenticate the dial-out user; the command has no per-user effect unless authentication is configured on the virtual template.
With the enhanced virtual-template command, all software components can now use the configuration present on the virtual access interface rather than what is present on the dialer interface. For example, IP Control Protocol (IPCP) address negotiation uses the local address of the virtual access interface as the router address while negotiating with the peer.
Examples
The following example enables the LNS to accept an L2TP tunnel from an L2TP access concentrator (LAC) named LAC2. A virtual access interface will be cloned from virtual template 1.
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC2
The following example enables PPPoE on ATM to accept dial-in PPPoE sessions. A virtual access interface for the PPP session is cloned from virtual template 1.
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 1
The following partial example shows how to configure an LNS to support IP per-user configurations from a AAA server:
!
vpdn enable
vpdn search-order domain
!
vpdn-group 1
 ...
 request-dialout
  protocol l2tp
  rotary-group 1
  virtual-template 1
 initiate-to ip 10.0.1.194.2
 local name lns
 l2tp tunnel password 7094F3$!5^3
 source-ip 10.0.194.53
!
The previous configuration requires a AAA profile such as the following example to specify the per-user attributes:
5300-Router1-out Password = "cisco"
    Service-Type = Outbound
    cisco-avpair = "outbound:dial-number=5553021"

7200-Router1-1 Password = "cisco"
    Service-Type = Outbound
    cisco-avpair = "ip:route=10.17.17.1 255.255.255.255 Dialer1 100 name 5300-Router1"

5300-Router1 Password = "cisco"
    Service-Type = Framed
    Framed-Protocol = PPP
    cisco-avpair = "lcp:interface-config=ip unnumbered loopback 0"
    cisco-avpair = "ip:outacl#1=deny ip host 10.5.5.5 any log"
    cisco-avpair = "ip:outacl#2=permit ip any any"
    cisco-avpair = "ip:inacl#1=deny ip host 10.5.5.5 any log"
    cisco-avpair = "ip:inacl#2=permit ip any any"
    cisco-avpair = "multilink:min-links=2"
    Framed-Route = "10.5.5.6/32 Ethernet4/0"
    Framed-Route = "10.5.5.5/32 Ethernet4/0"
    Idle-Timeout = 100
Related Commands
