Table Of Contents
Configuring the Managed IPv6 Layer 2 Tunnel Protocol Network Server
Finding Feature Information
Contents
Prerequisites for Configuring the Managed IPv6 LNS
Restrictions for Configuring the Managed IPv6 LNS
Information About Configuring the Managed IPv6 LNS
L2TP Network Server
Tunnel Accounting
How to Configure the Managed LNS
Configuring a VRF on the LNS
Configuring a Virtual Template Interface
Assigning a VRF via the RADIUS Server
Configuring the LNS to Initiate and Receive L2TP Traffic
Limiting the Number of Sessions per Tunnel
Configuring RADIUS Attribute Accept or Reject Lists
Configuring AAA Accounting Using Named Method Lists
Configuring the LNS for RADIUS Tunnel Authentication
Configuring RADIUS Tunnel Authentication Method Lists on the LNS
Configuring AAA Authentication Methods
Configuration Examples for the Managed IPv6 Layer 2 Tunnel Protocol Network Server
Example: Managed IPv6 LNS Configuration
Example: LNS Tunnel Accounting Configuration
Example: Verifying the User Profile on the RADIUS Server
Additional References
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Feature Information for Configuring Managed IPv6 Layer 2 Tunnel Protocol Network Server
Configuring the Managed IPv6 Layer 2 Tunnel Protocol Network Server
First Published: March 29, 2011
Last Updated: June 24, 2011
This document describes how to enable the Managed IPv6 Layer 2 Tunnel Protocol Network Server feature.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring Managed IPv6 Layer 2 Tunnel Protocol Network Server" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Configuring the Managed IPv6 LNS
•Restrictions for Configuring the Managed IPv6 LNS
•Information About Configuring the Managed IPv6 LNS
•How to Configure the Managed LNS
•Configuration Examples for the Managed IPv6 Layer 2 Tunnel Protocol Network Server
•Additional References
•Feature Information for Configuring Managed IPv6 Layer 2 Tunnel Protocol Network Server
Prerequisites for Configuring the Managed IPv6 LNS
For the router to function as an LNS, you must enable Authentication, Authorization, and Accounting (AAA) on the Layer 2 Tunnel Protocol Network Server (LNS) and the Layer 2 Access Concentrator (LAC), by entering the aaa new-model global configuration command. For more information, see the "Authentication, Authorization, and Accounting" chapter in the Cisco IOS XE Security: Securing User Services Configuration Guide.
Restrictions for Configuring the Managed IPv6 LNS
Only PPP session termination into Virtual Routing and Forwarding (VRF)-lite is supported. PPP session termination into an Multiprotocol Label Switching (MPLS)-VPN is not supported.
Information About Configuring the Managed IPv6 LNS
•L2TP Network Server
•Tunnel Accounting
L2TP Network Server
The router can function as an LNS. The LNS is a peer to the LAC and sits on one side of an L2TP tunnel. The LNS routes packets to and from the LAC and a destination network. When the router functions as an LNS, you can configure the router to terminate the PPP sessions and route the client IP packets onto the ISP or corporate network toward their final destination (see Figure 1). The router can use the Managed IPv6 LNS feature to terminate L2TP sessions from the LAC and place each session into the appropriate IPv6 VRF instance based on the VRF applied to the virtual template interface or alternatively, based on the VRF received for the user through AAA. The router then routes each session within the VRF to the destination network.
Figure 1 Terminating and Forwarding Sessions from the LAC
Tunnel Accounting
The tunnel accounting feature enhances AAA accounting by adding the ability to include tunnel-related statistics in the RADIUS information. Before you can collect tunnel usage information, you must configure the following attributes on the RADIUS server:
•Acct-Tunnel-Connection—Specifies the identifier assigned to the tunnel session. This attribute and the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint attributes provide a way to uniquely identify a tunnel session for auditing purposes.
•Acct-Tunnel-Packets-Lost—Specifies the number of packets lost on a given link.
Table 1 describes the values for the Acct-Status-Type attribute that support tunnel accounting on the RADIUS server.
Table 1 Acct-Status-Type Values for RADIUS Tunnel Accounting
Acct-Status-Type Values
|
Value
|
Description
|
Tunnel-Link-Reject
|
14
|
Marks the rejection of the establishment of a new link in an existing tunnel.
|
Tunnel-Link-Start
|
12
|
Marks the creation of a tunnel link within an L2TP tunnel that carries multiple links.
|
Tunnel-Link-Stop
|
13
|
Marks the destruction of a tunnel link within an L2TP tunnel that carries multiple links.
|
Tunnel-Reject
|
11
|
Marks the rejection of the establishment of a tunnel with another device.
|
Tunnel-Start
|
9
|
Marks the establishment of a tunnel with another device.
|
Tunnel-Stop
|
10
|
Marks the destruction of a tunnel to or from another device.
|
For more information about the RADIUS tunnel accounting attributes or the Acct-Status-Type values that support RADIUS tunnel accounting, see RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support.
For information about RADIUS accounting attributes supported on the Cisco ASR 1000 Series Aggregation Services Routers, see the "RADIUS Attributes" chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services.
For more information on configuring RADIUS, see your RADIUS user documentation.
How to Configure the Managed LNS
•Configuring a VRF on the LNS (required)
•Configuring a Virtual Template Interface (required)
•Assigning a VRF via the RADIUS Server (optional)
•Configuring the LNS to Initiate and Receive L2TP Traffic (required)
•Limiting the Number of Sessions per Tunnel (optional)
•Configuring RADIUS Attribute Accept or Reject Lists (optional)
•Configuring AAA Accounting Using Named Method Lists (optional)
•Configuring the LNS for RADIUS Tunnel Authentication (optional)
Configuring a VRF on the LNS
SUMMARY STEPS
1. enable
2. configure terminal
3. vrf definition vrf-name
4. rd route-distinguisher
5. address-family {ipv4 | ipv6}
6. route-target {import | export | both} route-target-ext-community
7. exit-address-family
8. address-family {ipv4 | ipv6}
9. route-target {import | export | both} route-target-ext-community
10. end
11. show ipv6 route vrf vrf-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enters privileged EXEC mode.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
vrf definition vrf-name
Example:
Router(config)# vrf definition vrf1
|
Configures a VRF routing table and enters VRF configuration mode.
•The vrf-name argument is the name of the VRF.
|
Step 4
|
rd route-distinguisher
Example:
Router(config-vrf)# rd 100:1
|
Creates routing and forwarding tables for a VRF.
•The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix. You can enter a route distinguisher in either of these formats:
–16-bit autonomous system number (ASN): your 32-bit number
For example, 101:3.
–32-bit IP address: your 16-bit number
For example, 192.168.122.15:1.
|
Step 5
|
address-family {ipv4 | ipv6}
Example:
Router(config-vrf) address-family ipv6
|
Enters VRF address family configuration mode to specify an address family for a VRF.
•The ipv4 keyword specifies an IPv4 address family for a VRF.
•The ipv6 keyword specifies an IPv6 address family for a VRF.
|
Step 6
|
route-target {import | export | both}
route-target-ext-community
Example:
Router(config-vrf-af) route-target both 100:2
|
Creates a route-target extended community for a VRF.
•The import keyword imports routing information from the target VPN extended community.
•The export keyword exports routing information to the target VPN extended community.
•The both keyword imports both import and export routing information to the target VPN extended community.
•The route-target-ext-community argument adds the route-target extended community attributes to the VRF list of import, export, or both (import and export) route-target extended communities.
|
Step 7
|
exit-address-family
Example:
Router(config-vrf-af)# exit-address-family
|
Exits VRF address family configuration mode and enters VRF configuration mode.
|
Step 8
|
address-family {ipv4 | ipv6}
Example:
Router(config-vrf) address-family ipv6
|
Enters VRF address family configuration mode to specify an address family for a VRF.
•The ipv4 keyword specifies an IPv4 address family for a VRF.
•The ipv6 keyword specifies an IPv6 address family for a VRF.
|
Step 9
|
route-target {import | export | both}
route-target-ext-community
Example:
Router(config-vrf-af)# route-target both 100:3
|
Creates a route-target extended community for a VRF.
•The import keyword specifies to import routing information from the target VPN extended community.
•The export keyword specifies to export routing information to the target VPN extended community.
•The both keyword specifies to import both import and export routing information to the target VPN extended community.
•The route-target-ext-community argument adds the route-target extended community attributes to the VRF list of import, export, or both (import and export) route-target extended communities.
•Enter the route-target command one time for each target community.
|
Step 10
|
end
Example:
Router(config-vrf-af)# end
|
Exits VRF address family configuration mode and returns to privileged EXEC mode.
|
Step 11
|
show ipv6 route vrf vrf-name
Example:
Router# show ipv6 route vrf vrf1
|
Displays the IPv6 routing table associated with a VRF.
|
Configuring a Virtual Template Interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface virtual-template number
4. vrf forwarding name
5. ppp authentication chap
6. end
7. show interfaces virtual-access number [configuration]
8. debug ppp chap
9. debug ppp negotiation
10. debug ppp negotiation chap
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enters privileged EXEC mode.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface virtual-template number
Example:
Router(config)# interface virtual-template 1
|
Creates a virtual template interface and enters interface configuration mode.
|
Step 4
|
vrf forwarding name
Example:
Router(config-if)# vrf forwarding vpn-1
|
(Optional) Maps the virtual template interface to a VRF routing table.
Note If the VRF assignment is received via the RADIUS server, then this step is not required.
|
Step 5
|
ppp authentication chap
Example:
Router(config-if)# ppp authentication chap
|
Enables CHAP authentication on the virtual template interface, which is applied to virtual access interfaces (VAI).
|
Step 6
|
end
Example:
Router(config-if)# end
|
Exits interface configuration mode and returns to privileged EXEC mode.
|
Step 7
|
show interfaces virtual-access number
[configuration]
Example:
Router# show interfaces virtual-access number
[configuration]
|
Displays status, traffic data, and configuration information about the VAI you specify.
|
Step 8
|
debug ppp chap
Example:
Router# debug ppp chap
|
Displays authentication protocol messages for Challenge Authentication Protocol (CHAP) packet exchanges.
•This command is useful when a CHAP authentication failure occurs due to a configuration mismatch between devices. Verifying and correcting any username and password mismatch resolves the problem.
|
Step 9
|
debug ppp negotiation
Example:
Router# debug ppp negotiation
|
Displays information on traffic and exchanges in an internetwork implementing PPP.
|
Step 10
|
debug ppp negotiation chap
Example:
Router# debug ppp negotiation chap
|
Deciphers a CHAP negotiation problem due to a connectivity problem between a Cisco and non-Cisco device.
|
Assigning a VRF via the RADIUS Server
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization configuration method-name group group-name
4. ipv6 dhcp pool poolname
5. prefix-delegation aaa [method-list method-list]
6. dns-server ipv6-address
7. exit
8. interface virtual-template number
9. ipv6 nd prefix framed-ipv6-prefix
10. ipv6 dhcp server pool-name rapid-commit
11. end
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enters privileged EXEC mode.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa authorization configuration method-name
group group-name
Example:
Router(config)# aaa authorization configuration
DHCPv6-PD group DHCPv6-PD-RADIUS
|
Downloads configuration information from the AAA server using RADIUS.
|
Step 4
|
ipv6 dhcp pool pool-name
Example:
Router(config)# ipv6 dhcp pool DHCPv6-PD
|
Configures a DHCP for IPv6 configuration information pool and enters DHCP for IPv6 pool configuration mode.
|
Step 5
|
prefix-delegation aaa [method-list method-list]
Example:
Router(config-dhcpv6)# prefix-delegation aaa
method-list DHCPv6-PD
|
Specifies that prefixes are to be acquired from AAA servers.
|
Step 6
|
dns-server ipv6-address
Example:
Router(config-dhcpv6)# dns-server
2001:0DB8:3000:3000::42
|
Specifies the Domain Name System (DNS) IPv6 servers available to a DHCP for IPv6 client.
|
Step 7
|
exit
Example:
Router(config-dhcpv6)# exit
|
Exits DHCP for IPv6 pool configuration mode and enters global configuration mode.
|
Step 8
|
interface virtual-template number
Example:
Router(config)# interface virtual-template 1
|
Creates a virtual template interface that can be configured and applied dynamically in creating VAIs, and enters interface configuration mode.
|
Step 9
|
ipv6 nd prefix framed-ipv6-prefix
Example:
Router(config-if)# ipv6 nd prefix
framed-ipv6-prefix
|
Adds the prefix in a received RADIUS framed IPv6 prefix attribute to the interface's neighbor discovery prefix queue.
|
Step 10
|
ipv6 dhcp server pool-name rapid-commit
Example:
Router(config-if)# ipv6 dhcp server DHCPv6-PD
rapid-commit
|
Enables DHCPv6 on an interface.
|
Step 11
|
end
Example:
Router(config-if)# end
|
Exits interface configuration mode and returns to privileged EXEC mode.
|
Configuring the LNS to Initiate and Receive L2TP Traffic
SUMMARY STEPS
1. enable
2. configure terminal
3. vpdn enable
4. vpdn-group group-name
5. accept-dialin
6. protocol 12tp
7. virtual-template template-number
8. exit
9. terminate-from hostname hostname
10. end
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enters privileged EXEC mode.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
vpdn enable
Example:
Router(config)# vpdn enable
|
Enables VPDN networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway) if one is present.
|
Step 4
|
vpdn-group group-name
Example:
Router(config)# vpdn-group group1
|
Defines a local group name for which you can assign other VPDN variables.
•Enters VPDN group configuration mode.
|
Step 5
|
accept-dialin
Example:
Router(config-vpdn)# accept-dialin
|
Configures the LNS to accept tunneled PPP connections from the LAC and creates an accept-dialin VPDN subgroup.
•Enters accept dial-in VPDN subgroup configuration mode.
|
Step 6
|
protocol 12tp
Example:
Router(config-vpdn-acc-in)# protocol 12tp
|
Specifies the Layer 2 Tunnel Protocol.
|
Step 7
|
virtual-template template-number
Example:
Router(config-vpdn-acc-in)# virtual-template 1
|
Specifies the virtual template to be used to clone VAIs.
|
Step 8
|
exit
Example:
Router(config-vpdn-acc-in)# exit
|
Returns to VPDN group configuration mode.
|
Step 9
|
terminate-from hostname hostname
Example:
Router(config-vpdn)# terminate-from hostname
lac1-vpn1
|
Specifies the hostname of the remote LAC that is required when accepting a VPDN tunnel.
|
Step 10
|
end
Example:
Router(config-vpdn)# end
|
Exits VPDN configuration mode and returns to privileged EXEC mode.
|
Limiting the Number of Sessions per Tunnel
SUMMARY STEPS
1. enable
2. configure terminal
3. vpdn-group group-name
4. accept-dialin
5. protocol 12tp
6. virtual-template template-number
7. exit
8. terminate-from hostname host-name
9. session-limit limit-number
10. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enters privileged EXEC mode.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
vpdn-group group-name
Example:
Router(config)# vpdn-group group1
|
Defines a local group name for which you can assign other VPDN variables.
•Enters VPDN group configuration mode.
|
Step 4
|
accept-dialin
Example:
Router(config-vpdn)# accept-dialin
|
Configures the LNS to accept tunneled PPP connections from the LAC and creates an accept-dialin VPDN subgroup.
•Enters accept dial-in VPDN subgroup configuration mode.
|
Step 5
|
protocol 12tp
Example:
Router(config-vpdn-acc-in)# protocol 12tp
|
Specifies the Layer 2 Tunnel Protocol.
|
Step 6
|
virtual-template template-number
Example:
Router(config-vpdn-acc-in)# virtual-template 1
|
Specifies the virtual template to be used to clone VAIs.
|
Step 7
|
exit
Example:
Router(config-vpdn-acc-in)# exit
|
Returns to VPDN group configuration mode.
|
Step 8
|
terminate-from hostname host-name
Example:
Router(config-vpdn)# terminate-from hostname
test_LAC
|
Specifies the hostname of the remote LAC that is required when accepting a VPDN tunnel.
|
Step 9
|
session-limit limit-number
Example:
Router(config-vpdn)# session-limit 100
|
Specifies the maximum number of sessions per tunnel.
|
Step 10
|
exit
Example:
Router(config-vpdn)# exit
|
Exits VPDN configuration mode and returns to privileged EXEC mode.
|
Configuring RADIUS Attribute Accept or Reject Lists
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authentication ppp default group group-name
4. aaa authorization network group group group-name
5. aaa group server radius group-name
6. server-private ip-address [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
7. authorization [accept | reject] list-name
8. exit
9. radius-server attribute list listname
10. attribute value1 [value2 [value3...]]
11. end
12. show accounting
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enters privileged EXEC mode.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa authentication ppp default group group-name
Example:
Router(config)# aaa authentication ppp default
group radius_authen1
|
Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
|
Step 4
|
aaa authorization network group group
group-name
Example:
Router(config)# aaa authorization network group
group radius_authen1
|
Sets the parameters that restrict network access to the user.
|
Step 5
|
aaa group server radius group-name
Example:
Router(config)# aaa group server radius
VPDN-Group
|
Groups different RADIUS server hosts into distinct lists and distinct methods and enters server group RADIUS configuration mode.
|
Step 6
|
server-private ip-address [acct-port
port-number] [timeout seconds] [retransmit
retries] [key string]
Example:
Router(config-sg-radius)# server-private
10.1.1.2 acct-port 0 timeout 7 retransmit 3 key
cisco1
|
Configures the IP address of the private RADIUS server for the group server.
•The ip-address argument specifies the IP address of the private RADIUS server host.
•(Optional) The port-number argument specifies the UDP destination port for accounting requests.
•(Optional) The seconds argument specifies the timeout value (1 to 1000).
•(Optional) The retries argument specifies the number of times a RADIUS request is re-sent to a server, if that server is not responding or responding slowly.
•The string argument specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server.
|
Step 7
|
authorization [accept | reject] list-name
Example:
Router(config-sg-radius)# authorization accept
vpn1-autho-list
|
Specifies a filter for the attributes that are returned in an Access-Accept packet from the RADIUS server.
•The accept keyword indicates that all attributes will be rejected except the attributes specified in the listname argument.
•The reject keyword indicates that all attributes will be accepted except for the attributes specified in the listname argument and all standard attributes.
|
Step 8
|
exit
Example:
Router(config-sg-radius)# exit
|
Exits server group RADIUS configuration mode and enters global configuration mode.
|
Step 9
|
radius-server attribute list listname
Example:
Router(config)# radius-server attribute list
vpn1-autho-list
|
Defines the list name given to the set of attributes defined using the attribute command and enters RADIUS attribute list configuration mode.
•Define the listname argument to be the same as you defined it in step 7.
|
Step 10
|
attribute value1 [value2 [value3...]]
Example:
Router(config-radius-attrl)# attribute 26,200
|
Adds attributes to the configured accept or reject list.
•You can use this command multiple times to add attributes to an accept or reject list.
|
Step 11
|
end
Example:
Router(config-radius-attrl)# end
|
Exits RADIUS attribute list configuration mode and returns to privileged EXEC mode.
|
Step 12
|
show accounting
Example:
Router# show accounting
|
Displays accounting records for users currently logged in.
•Displays active accountable events on the network and helps collect information in the event of a data loss on the accounting server.
|
Configuring AAA Accounting Using Named Method Lists
Note System accounting does not use named method lists. For system accounting you can define only the default method list. For more information, see the "Configuring Accounting" chapter in the
Cisco IOS XE Security Configuration Guide: Securing User Services.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa accounting network list-name start-stop group radius
4. line [aux | console | vty] [line-number]
5. accounting {arap | commands level | connection | exec | resource} [default | list-name]
6. end
7. debug aaa accounting
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enters privileged EXEC mode.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa accounting network list-name start-stop
group radius
Example:
Router(config)# aaa accounting network
methodlist start-stop group radius
|
Creates an accounting method list and enables accounting.
|
Step 4
|
line [aux | console | vty] [line-number]
Example:
Router(config)# line console 0
|
Enters line configuration mode for the line to which you want to apply the accounting method list.
|
Step 5
|
accounting {arap | commands level | connection
| exec | resource} [default | list-name]
Example:
Router(config-line)# accounting commands 15
list1
|
Applies the accounting method list to a line or a set of lines.
|
Step 6
|
end
Example:
Router(config-line)# end
|
Exits line configuration mode and returns to privileged EXEC mode.
|
Step 7
|
debug aaa accounting
Example:
Router# debug aaa accounting
|
Displays information on accountable events as they occur.
|
Configuring the LNS for RADIUS Tunnel Authentication
Perform the following tasks to configure LNS for RADIUS Tunnel Authentication:
•Configuring RADIUS Tunnel Authentication Method Lists on the LNS (required)
•Configuring AAA Authentication Methods (required)
Note Cisco ASR 1000 Series Aggregation Services Routers supports L2TP tunnel authorization. However, RADIUS does not provide attributes for such parameter values as L2TP tunnel timeouts, L2TP tunnel hello intervals, and L2TP tunnel receive window size. When the Cisco ASR 1000 Series Aggregation Services Router does not receive a RADIUS attribute for a parameter, the router uses the default value.
Configuring RADIUS Tunnel Authentication Method Lists on the LNS
To configure method lists on the LNS for RADIUS tunnel authentication, perform the following task.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization network list-name method1 [method2...]
4. vpdn tunnel authorization network method-list-name
5. vpdn tunnel authorization virtual-template vtemplate-number
6. vpdn tunnel authorization password dummy-password
7. end
8. debug aaa authorization
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enters privileged EXEC mode.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa authorization network list-name
method1 [method2...]
Example:
Router(config)# aaa authorization network
mymethodlist group VPDN-Group
|
Sets parameters that restrict user access to a network
•The list-name argument is a character string used to name the list of authentication methods tried when a user logs in.
–group radius—Uses the list of all RADIUS servers for authentication.
–group group-name—Uses a subset of RADIUS servers for authentication as defined by the aaa group server radius command.
–if-authenticated—Succeeds if user has been successfully authenticated.
–local—Uses the local username database for authentication.
–none—Uses no authentication.
Note The method list is only for VPDN tunnel authorization and termination, not for domain and Digital Number Identification Service (DNIS) authorization. Therefore, the method list applies only on the tunnel terminator device—the LAC for dialout sessions and the LNS for dialin sessions.
|
Step 4
|
vpdn tunnel authorization network
method- list-name
Example:
Router(config)# vpdn tunnel authorization
network mymethodlist
|
Specifies the AAA method list to use for VPDN remote tunnel hostname-based authorization.
•If you do not specify a method list (including a default method list) by using the vpdn tunnel authorization network command, local authorization occurs by using the local VPDN group configuration.
|
Step 5
|
vpdn tunnel authorization
virtual-template vtemplate-number
Example:
Router(config)# vpdn tunnel authorization
virtual-template 10
|
Specifies the default virtual template interface used to clone a VAI.
•If you do not specify a virtual template interface in the local VPDN group configuration or in a remote RADIUS configuration, then the default virtual template interface is used.
Note The vpdn tunnel authorization virtual-template command is applicable only on the LNS.
|
Step 6
|
vpdn tunnel authorization password
dummy-password
Example:
Router(config)# vpdn tunnel authorization
password mypassword
|
Specifies the password to use for the RADIUS authorization request to retrieve the tunnel configuration based on the remote tunnel hostname.
•By default, the password is cisco, but you can configure a different password.
Note The vpdn tunnel authorization password command is applicable on both the LAC and LNS.
|
Step 7
|
end
Example:
Router(config)# end
|
Exits global configuration mode and returns to privileged EXEC mode.
|
Step 1
|
debug aaa authorization
Example:
Router# debug aaa authorization
|
Displays information on AAA authorization.
|
DETAILED STEPS
Configuring AAA Authentication Methods
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. Configure RADIUS security protocol parameters.
5. aaa authentication
6. Apply the authentication to method lists to an interface.
7. end
DETAILED STEPS
Step 1 enable
Step 2 configure terminal
Step 3 aaa new-model
Enter this command in global configuration mode to enable AAA.
Step 4 Configure RADIUS security protocol parameters. For more information about RADIUS, see the "Configuring RADIUS" chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services.
Step 5 aaa authentication
Enter this command to define the authentication method lists.
Step 6 Apply the authentication method lists to an interface, a line, or a set of lines as required. For more information about authentication method lists, see the "Configuring Authentication" chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services.
Step 7 end
Configuration Examples for the Managed IPv6 Layer 2 Tunnel Protocol Network Server
•Example: Managed IPv6 LNS Configuration
•Example: LNS Tunnel Accounting Configuration
•Example: Verifying the User Profile on the RADIUS Server
Example: Managed IPv6 LNS Configuration
The following example shows how to configure Managed IPv6 LNS features on the router. In this example, the router terminates the tunnel from the LAC and associates the VRFs with the interfaces and the virtual template interfaces. This configuration also shows how to configure RADIUS attribute screening and AAA accounting for the VRFs.
logging buffered 10000000
aaa group server radius radius_authen1
server-private 10.1.1.2 acct-port 0 timeout 7 retransmit 3 key cisco1
ip radius source-interface Loopback20000
aaa authentication login default none
aaa authentication ppp default group radius_authen1
aaa authorization network default group radius_authen1
aaa authorization configuration DHCPv6-PD group radius_authen1
aaa policy interface-config allow-subinterface
ip host mcp-matrix 10.0.0.2
ip host mcp-sun-2 10.0.0.2
ipv6 dhcp binding track ppp
ipv6 dhcp pool ipv6_dhcp_pool1
prefix-delegation aaa method-list DHCPv6-PD
multilink bundle-name authenticated
terminate-from hostname test_LAC1
l2tp tunnel password 0 tunnel1
l2tp tunnel receive-window 100
l2tp tunnel timeout no-session 30
l2tp tunnel retransmit retries 7
l2tp tunnel retransmit timeout min 2
username asifp1@test1 password 0 hello1
ip tftp source-interface GigabitEthernet 0
ip address 209.165.202.131 255.255.255.224
interface GigabitEthernet1/1/0
mac-address 8888.8888.8888
interface GigabitEthernet1/1/0.1
ip address 209.165.202.132 255.255.255.224
interface GigabitEthernet1/1/1
mac-address 4444.4444.4444
interface GigabitEthernet1/1/1.1
interface GigabitEthernet1/1/2
interface GigabitEthernet1/1/3
interface GigabitEthernet1/1/4
interface GigabitEthernet1/1/5
interface GigabitEthernet1/1/6
interface GigabitEthernet1/1/7
description Connected to RADIUS
ip address 209.165.201.1 255.255.255.224
interface GigabitEthernet1/3/0
interface GigabitEthernet1/3/1
interface GigabitEthernet 0
ip address 209.165.201.1 255.255.255.224
interface Virtual-Template 1
no logging event link-status
ipv6 dhcp server ipv6_dhcp_pool1 rapid-commit
ip default-gateway 10.1.0.5
ip route vrf Mgmt-intf 209.165.201.1 255.255.255.254 172.16.1.1
ip route vrf Mgmt-intf 209.165.201.29 255.255.255.224 172.16.0.1
ip radius source-interface GigabitEthernet1/1/7
ipv6 route vrf user_vrf1 ::/0 12::2
ipv6 neighbor 12::2 GigabitEthernet1/1/1.1 2222.2222.2222
alias exec call show caller summ
alias exec caller show caller summ
alias exec palt show plat
alias exec plat show platform
alias exec evsi sho plat hard cpp act feat ess stat
exception data-corruption buffer truncate
Example: LNS Tunnel Accounting Configuration
The following example shows how to configure the LNS to send tunnel accounting records to the RADIUS server:
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
enable secret 5 $1$ftf.$wE6Q5Yv6hmQiwL9pizPCg1
username ENT_LNS password 0 tunnelpass
username user1@example.com password 0 lab
username user2@example.com password 0 lab
firmware location system:/ucode/mica_port_firmware
firmware location system:/ucode/mica_port_firmware
ip host CALLGEN-SECURITY-V2 10.24.80.28 10.47.0.0
ip host dirt 172.16.1.129
vpdn tunnel accounting network m1
vpdn session accounting network m1
terminate-from hostname ISP_LAC
isdn switch-type primary-5ess
mta receive maximum-recipients 0
ip address 172.16.0.101 255.255.255.0
ip address 192.168.0.101 255.255.255.0
ip address 10.1.26.71 255.255.255.0
interface virtual-template 1
peer default ip address pool vpdn-pool1
interface virtual-template 2
peer default ip address pool vpdn-pool2
ip local pool vpdn-pool1 172.16.5.1 172.16.128.100
ip local pool vpdn-pool2 10.0.0.1 10.0.0.100
ip default-gateway 10.1.26.254
ip route 0.0.0.0 0.0.0.0 10.1.26.254
ip route 192.168.1.2 255.255.255.255 10.1.26.254
dialer-list 1 protocol ip permit
radius-server host 172.16.192.80 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
Note For additional accounting examples, see the "Configuring Accounting" chapter in the Cisco IOS XE Security: Secure Services Configuration Guide.
Example: Verifying the User Profile on the RADIUS Server
The following is an example user profile on the RADIUS server. The Cisco ASR 1000 Series Aggregation Services Routers retrieves the information in the user profile from the RADIUS server.
Auth-Type = Local, User-Password = "pwd"
User-Service-Type = Framed-User
cisco-avpair = "lcp:interface-config=vrf forwarding VRF01"
cisco-avpair = "lcp:interface-config=ipv6 unnumbered loopback1"
Framed-IPv6-Prefix = "2001:DB8:4567:1234::/64"
Delegated-IPv6-Prefix = "2001:DB8:AAAA::/48"
Additional References
Related Documents
Standards
Standard
|
Title
|
No new or modified standards are supported, and support for existing standards has not been modified.
|
—
|
MIBs
MIB
|
MIBs Link
|
No new or modified MIBs are supported, and support for existing MIBs has not been modified.
|
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
|
RFCs
RFC
|
Title
|
RFC 2867
|
RADIUS Accounting Modifications for Tunnel Protocol Support
|
Technical Assistance
Description
|
Link
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
|
http://www.cisco.com/cisco/web/support/index.html
|
Feature Information for Configuring Managed IPv6 Layer 2 Tunnel Protocol Network Server
Table 2 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 2 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 2 Feature Information for Managed IPv6 Layer 2 Tunnel Protocol Network Server
Feature Name
|
Releases
|
Feature Information
|
Managed IPv6 Layer 2 Tunnel Protocol Network Server
|
Cisco IOS XE
Release 3.3S
|
The Managed IPv6 LNS feature allows the service provider to offer a scalable end-to-end VPN of both IPv4 and IPv6 service to remote users. This feature integrates the Multiprotocol Label Switching (MPLS)-enabled backbone with broadband access capabilities.
The following sections provide information about this feature:
•L2TP Network Server
The following commands were introduced or modified:
atm pppatm passive, radius-server attribute list, radius-server key, radius-server retransmit, radius-server vsa send.
|
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2011 Cisco Systems, Inc. All rights reserved.
Feedback
