L2TP Tunnel Connection Speed Labeling
In releases of Cisco IOS software prior to 12.3(4)T, when a Layer 2 Tunnel Protocol (L2TP) network server (LNS) receives an Incoming-Call-Connected (ICCN) message, there is no authentication check on the user's connection speed. The L2TP Tunnel Connection Speed Labeling feature introduces the ability to accept or deny an L2TP session based on the allowed connection speed that is configured on the Cisco Access Registrar (ARS) RADIUS server for that user. The RADIUS server can authorize users based on their Service Level Agreement (SLA).
Feature Specifications for L2TP Tunnel Connection Speed Labeling
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for L2TP Tunnel Connection Speed Labeling
• Restrictions for L2TP Tunnel Connection Speed Labeling
• Information About L2TP Tunnel Connection Speed Labeling
• How to Configure L2TP Tunnel Connection Speed Labeling
• Configuration Examples for L2TP Tunnel Connection Speed Labeling
Prerequisites for L2TP Tunnel Connection Speed Labeling
Authentication, authorization, and accounting (AAA) authentication must be configured. For more information about configuring AAA authentication, refer to the "Configuring Authentication" chapter in the Cisco IOS Security Configuration Guide.
L2TP must be configured on the network. For more information about configuring L2TP, refer to the "Configuring Virtual Private Networks" chapter in the Cisco IOS Dial Technologies Configuration Guide.
Restrictions for L2TP Tunnel Connection Speed Labeling
This feature can be used only with the ARS RADIUS server.
Information About L2TP Tunnel Connection Speed Labeling
To configure the L2TP Tunnel Connection Speed Labeling feature, you must understand the following concepts:
• RADIUS Access-Request Attribute 77, Connection-Info
• Configuring the ARS RADIUS Server
• Benefits of L2TP Tunnel Connection Speed Labeling
RADIUS Access-Request Attribute 77, Connection-Info
The L2TP Tunnel Connection Speed Labeling feature uses the RADIUS access-request attribute, Attribute 77, Connection-Info. This attribute contains connection speed information that can be used to authenticate tunnel session requests based on the allowed connection speed configured for a particular user on the ARS RADIUS server.
Configuring the ARS RADIUS Server
The user profiles on the ARS RADIUS server must be configured to define the desired RX and TX values in the attribute field UserDefined1. See the section "Configuring User Profiles on the ARS RADIUS Server: Example" in this document for a sample configuration of the ARS RADIUS server user profile.
A .tcl script must be configured to be the OutgoingScript of the service that has been created. See the section "Configuring the .tcl Script on the ARS RADIUS Server: Example" in this document for a sample configuration of the ARS RADIUS server .tcl script.
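The following added example (not Cisco's checkConnect-Info script and not part of the original document) shows in Python the accept-or-deny decision such an outgoing script has to make, using the UserDefined1 formats from the user-profile example in this document. Assumptions: Connect-Info carries "<tx_bps>/<rx_bps>", a single value means an exact match, a range is inclusive, and an empty UserDefined1 means no speed restriction; all function names are hypothetical.

```python
import re

# Assumed grammar, inferred from the sample profiles in this document:
#   UserDefined1 = DIR:SPEC[:DIR:SPEC]   with DIR in {TX, RX}
#   SPEC         = <bps>                 (exact match, assumed)
#                | <min>-<max>           (inclusive range, assumed)
_SPEC = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_user_defined1(value):
    """Return {'TX': (lo, hi), 'RX': (lo, hi)} for the directions configured."""
    value = value.strip()
    if not value:
        return {}  # assumption: empty field means no speed restriction
    parts = value.split(":")
    if len(parts) % 2:
        raise ValueError(f"malformed UserDefined1: {value!r}")
    limits = {}
    for direction, spec in zip(parts[0::2], parts[1::2]):
        m = _SPEC.match(spec)
        if direction not in ("TX", "RX") or direction in limits or not m:
            raise ValueError(f"malformed UserDefined1: {value!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"inverted range in UserDefined1: {value!r}")
        limits[direction] = (lo, hi)
    return limits


def parse_connect_info(value):
    """Parse Attribute 77; the '<tx_bps>/<rx_bps>' layout is an assumption."""
    m = re.match(r"^(\d+)/(\d+)$", value.strip())
    if not m:
        raise ValueError(f"unrecognized Connect-Info: {value!r}")
    return {"TX": int(m.group(1)), "RX": int(m.group(2))}


def authorize(user_defined1, connect_info):
    """Accept only if every configured direction is satisfied.

    Malformed profile or attribute data is rejected (fail closed) so that
    a typo in a profile cannot silently turn into an open policy.
    """
    try:
        limits = parse_user_defined1(user_defined1)
        speeds = parse_connect_info(connect_info)
    except ValueError:
        return False
    return all(lo <= speeds[d] <= hi for d, (lo, hi) in limits.items())
```
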
Benefits of L2TP Tunnel Connection Speed Labeling
The L2TP Tunnel Connection Speed Labeling feature introduces the ability to accept or deny an L2TP session based on the allowed connection speed that is configured on the ARS RADIUS server for a particular user. The RADIUS server can authorize users based on their SLA.
How to Configure L2TP Tunnel Connection Speed Labeling
This section contains the following procedures:
• Disabling L2TP Tunnel Connection Speed Labeling on the LNS
• Configuring L2TP Tunnel Connection Speed Labeling on the LNS
• Configuring L2TP Tunnel Connection Speed Labeling for a Tunnel Switch
Disabling L2TP Tunnel Connection Speed Labeling on the LNS
By default, the LNS will forward connection speed information to the RADIUS server for authentication. To disable authentication based on connection speeds, you must choose to not include RADIUS Attribute 77 in the access request. Perform this task on the LNS to disable authentication based on connection speeds.
SUMMARY STEPS
1. enable
2. configure terminal
3. no radius-server attribute 77 include-in-access-req
DETAILED STEPS
Configuring L2TP Tunnel Connection Speed Labeling on the LNS
Perform this task on the LNS to enable authentication based on connection speeds.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server attribute 77 include-in-access-req
DETAILED STEPS
Configuring L2TP Tunnel Connection Speed Labeling for a Tunnel Switch
Perform this task on the LNS to enable the L2TP Tunnel Connection Speed Labeling feature for a tunnel switch node. This configuration allows the access request to be sent to the RADIUS server before the tunnel switch forwards the session to the next hop.
SUMMARY STEPS
1. enable
2. configure terminal
3. vpdn authen-before-forward
DETAILED STEPS
Configuration Examples for L2TP Tunnel Connection Speed Labeling
This section provides the following configuration examples:
• Disabling L2TP Tunnel Connection Speed Labeling on the LNS: Example
• Configuring L2TP Tunnel Connection Speed Labeling on the LNS: Example
• Configuring L2TP Tunnel Connection Speed Labeling for a Tunnel Switch: Example
• Configuring User Profiles on the ARS RADIUS Server: Example
• Configuring the .tcl Script on the ARS RADIUS Server: Example
Disabling L2TP Tunnel Connection Speed Labeling on the LNS: Example
The following example disables forwarding of RADIUS Attribute 77 from the LNS to the RADIUS server:
enable
configure terminal
no radius-server attribute 77 include-in-access-req
Configuring L2TP Tunnel Connection Speed Labeling on the LNS: Example
The following example enables forwarding of RADIUS Attribute 77 from the LNS to the RADIUS server:
enable
configure terminal
radius-server attribute 77 include-in-access-req
Configuring L2TP Tunnel Connection Speed Labeling for a Tunnel Switch: Example
The following example enables forwarding of RADIUS Attribute 77 from a tunnel switch to the RADIUS server before the session is forwarded. This configuration occurs on the LNS.
enable
configure terminal
vpdn authen-before-forward
Configuring User Profiles on the ARS RADIUS Server: Example
The following example shows an ARS RADIUS server profile configuration for three users of the service acompany.com:
# acompany.com/
#     Name = acompany.com
#     Description = Domain
#     Password = <encrypted>
#     AllowNullPassword = FALSE
#     Enabled = TRUE
#     Group~ =
#     BaseProfile~ =
#     AuthenticationScript~ =
#     AuthorizationScript~ =
#     UserDefined1 =
#     Attributes/
#         cisco-avpair = vpdn:tunnel-id=aaa_lac
#         cisco-avpair = vpdn:tunnel-type=l2tp
#         cisco-avpair = vpdn:ip-addresses=10.1.1.3
#         cisco-avpair = vpdn:l2tp-tunnel-password=lab
#         service-type = outbound
#     CheckItems/
# Euser1@acompany.com/
#     Name = Euser1@acompany.com
#     Description = PPPoE-Only-Tx-Accept
#     Password = <encrypted>
#     AllowNullPassword = FALSE
#     Enabled = TRUE
#     Group~ =
#     BaseProfile~ =
#     AuthenticationScript~ =
#     AuthorizationScript~ =
#     UserDefined1 = TX:102400000
#     Attributes/
#     CheckItems/
#
# Euser11@acompany.com/
#     Name = Euser11@acompany.com
#     Description = PPPoE-Range-RX-Accept
#     Password = <encrypted>
#     AllowNullPassword = FALSE
#     Enabled = TRUE
#     Group~ =
#     BaseProfile~ =
#     AuthenticationScript~ =
#     AuthorizationScript~ =
#     UserDefined1 = RX:96000000-200000000
#     Attributes/
#     CheckItems/
#
# Euser8@acompany.com/
#     Name = Euser8@acompany.com
#     Description = PPPoE-Both-TXRX-Reject
#     Password = <encrypted>
#     AllowNullPassword = FALSE
#     Enabled = TRUE
#     Group~ =
#     BaseProfile~ =
#     AuthenticationScript~ =
#     AuthorizationScript~ =
#     UserDefined1 = TX:5600000:RX:64000000
#     Attributes/
#     CheckItems/
#
Configuring the .tcl Script on the ARS RADIUS Server: Example
The following example configures the .tcl script to be the OutgoingScript of the service that has been created:
Name = check-info
Description =
Type = local
IncomingScript~ =
OutgoingScript~ = checkConnect-Info
OutagePolicy~ = RejectAll
OutageScript~ =
UserList = dialin-users
Additional References
The following sections provide references related to the L2TP Tunnel Connection Speed Labeling feature:
Related Documents
Standards
MIBs
MIBs: None
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This feature uses no new or modified commands. All commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.
