Table Of Contents
Configuring NAS-Initiated Dial-In VPDN Tunneling
Prerequisites for Configuring NAS-Initiated Dial-In VPDN Tunneling
Information About NAS-Initiated Dial-In VPDN Tunneling
NAS-Initiated Dial-in VPDN Tunneling
L2TP Calling Station ID Suppression
How to Configure NAS-Initiated Dial-In VPDN Tunneling
Configuring the NAS to Request Dial-In VPDN Tunnels
Configuring the Tunnel Server to Accept Dial-In VPDN Tunnels
Configuring the Virtual Template on the Tunnel Server
Verifying a NAS-Initiated VPDN Configuration
Verifying and Troubleshooting Tunnel Establishment Between the NAS and the Tunnel Server
Verifying the Connection Between the Client and the NAS
Configuring L2TP Calling Station ID Suppression
Prerequisites for Configuring L2TP Calling Station ID Suppression
Configuring Global L2TP Calling Station ID Suppression on the NAS
Configuring L2TP Calling Station ID Suppression for a VPDN Group on the NAS
Configuring L2TP Calling Station ID Suppression on the NAS Remote RADIUS Server
Configuration Examples for NAS-Initiated Dial-In VPDN Tunneling
Configuring the NAS for Dial-In VPDNs: Example
Configuring the Tunnel Server for Dial-in VPDNs: Example
L2TP Calling Station ID Suppression with Local Authorization: Example
L2TP Calling Station ID Suppression with RADIUS Authorization: Example
Feature Information for NAS-Initiated Dial-In VPDN Tunneling
Configuring NAS-Initiated Dial-In VPDN Tunneling
This module describes how to configure network access server (NAS)-initiated dial-in virtual private dialup networking (VPDN) tunneling. NAS-initiated dial-in tunneling provides secure tunneling of a PPP session from a NAS to a tunnel server without any special knowledge or interaction required from the client.
All of the tasks documented in this module require that tasks documented elsewhere in the have first been completed.
Module History
This module was first published on May 2, 2005, and last updated on October 31, 2008.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the "Feature Information for NAS-Initiated Dial-In VPDN Tunneling" section.
Contents
•
Prerequisites for Configuring NAS-Initiated Dial-In VPDN Tunneling
•
•
•
•
Prerequisites for Configuring NAS-Initiated Dial-In VPDN Tunneling
•
•
Information About NAS-Initiated Dial-In VPDN Tunneling
Before performing the tasks in this module, you should understand the following concepts:
•
•
NAS-Initiated Dial-in VPDN Tunneling
NAS-initiated dial-in VPDN tunneling is also known as compulsory tunneling. In NAS-initiated dial-in VPDN tunneling, the client dials in to the NAS through a medium that supports PPP. If the connection from the client to the Internet service provider (ISP) NAS is over a medium that is considered secure, such as DSL, ISDN, or the PSTN, the client may choose not to provide additional security. The PPP session is securely tunneled from the NAS to the tunnel server without any special knowledge or interaction required from the client. NAS-initiated dial-in VPDN tunnels can use either the Layer 2 Tunneling Protocol (L2TP) or the Layer 2 Forwarding (L2F) protocol.
A NAS-initiated dial-in tunneling scenario is shown in Figure 1.
Figure 1
NAS-Initiated Dial-In VPDN Scenario
L2TP Calling Station ID Suppression
In a NAS-initiated dial-in L2TP tunneling scenario, when the NAS connects to a tunnel server it transfers numerous attribute-value (AV) pairs as part of the session setup process. One of these AV pairs is L2TP AV pair 22, the Calling Number ID. The Calling Number ID AV pair includes the calling station ID of the originator of the session, which can be the phone number of the originator, the Logical Line ID (LLID) used to make the connection on the LAC, or the MAC address of the PC connecting to the network. This information can be considered sensitive in cases where the NAS and tunnel server are being managed by different entities. Depending on the security requirements of the NAS or end users, it may be desirable for the NAS to suppress part or all of the calling station ID.
Beginning in Cisco IOS Release 12.4(2)T, parts of the calling station ID can be masked, or the calling station ID can be removed completely. Calling station ID suppression can be configured globally on the NAS, for individual VPDN groups on the NAS, or on the remote RADIUS server if one is configured.
L2TP Failover
If a NAS fails to contact its peer during L2TP tunnel establishment, it can fail over to another configured tunnel server and attempt tunnel establishment with that device.
Failover can occur in the following scenarios:
•
•
•
In both the StopCCN control message and the CDN control message, a Result Code AV pair is included, which indicates the reason for tunnel or session termination, respectively. This AV pair may also include an optional Error Code, which further describes the nature of the termination. The various Result Code and Error Code values have been standardized in RFC 2661. Failover will occur if the combination of Result Code and Error Code values as defined in Table 1 is received from the peer.
Table 1 Defined Result and Error Codes from RFC 2661
StopCCN, CDN
2: General error, see Error Code.
4: Insufficient resources to handle this operation now.
6: A generic vendor-specific error occurred.1
7: Try another.
9: Try another directed.
CDN
4: Temporary lack of resources.
—
1 For failover, this error code would be accompanied by a vendor-specific error AVP in the error message—in this case containing the Cisco vendor code (SMI_CISCO_ENTERPRISE_CODE) and a Cisco error code (L2TP_VENDOR_ERROR_SLIMIT).
When one of these three scenarios occurs, the router will mark the peer IP address as busy for 60 seconds by default. During that time no attempt will be made to establish a session or tunnel with the peer. The router will select an alternate peer to contact if one is configured. If a tunnel already exists to the alternate peer, new sessions will be brought up in the existing tunnel. Otherwise, the router will begin negotiations to establish a tunnel to the alternate peer.
How to Configure NAS-Initiated Dial-In VPDN Tunneling
In a NAS-initiated dial-in VPDN scenario, when a dial-in user requests contact with a remote network, the NAS must request the establishment of a VPDN tunnel to the tunnel server at the remote network. The tunnel server must be configured to accept the VPDN tunnels the NAS requests, and a virtual template interface must be established from which the tunnel server can clone a virtual access interface on demand.
Perform the following tasks to configure the NAS and the tunnel server for NAS-initiated dial-in VPDN tunneling:
•
•
•
•
•
Configuring the NAS to Request Dial-In VPDN Tunnels
The NAS must be configured to request tunnel establishment with the remote tunnel server. Perform this task on the NAS to configure a VPDN request dial-in subgroup and the IP address of the tunnel server that will be the other endpoint of the VPDN tunnel.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
or
dnis {dnis-number | dnis-group-name}8.
9.
10.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
Router(config)# vpdn-group 1
Creates a VPDN group and enters VPDN group configuration mode.
Step 4
Router(config-vpdn)# description myvpdngroup
(Optional) Adds a description to a VPDN group.
Step 5
request-dialin
Example:Router(config-vpdn)# request-dialinConfigures a NAS to request the establishment of an L2F or L2TP tunnel to a tunnel server, creates a request-dialin VPDN subgroup, and enters VPDN request dial-in subgroup configuration mode.
Step 6
protocol {any | l2f | l2tp}
Example:Router(config-vpdn-req-in)# protocol l2tp
Specifies the Layer 2 protocol that the VPDN group will use.
•
Step 7
domain domain-name
or
dnis {dnis-number | dnis-group-name}
Example:Router(config-vpdn-req-in)# domain example.comor
Router(config-vpdn-req-in)# dnis 5687
Requests that PPP calls from a specific domain name be tunneled.
or
Requests that PPP calls from a specific Dialed Number Identification Service (DNIS) number or DNIS group be tunneled.
Step 8
exit
Example:Router(config-vpdn-req-in)# exit
Exits to VPDN group configuration mode.
Step 9
initiate-to ip ip-address [limit limit-number] [priority priority-number]
Example:Router(config-vpdn)# initiate-to ip 10.1.1.1 limit 12Specifies an IP address that will be used for Layer 2 tunneling.
•
–
–
Note
•
Step 10
l2f ignore-mid-sequence
Example:Router(config-vpdn)# l2f ignore-mid-sequence
(Optional) Ignores multiplex ID (MID) sequence numbers for sessions in an L2F tunnel.
•
•
What to Do Next
You must perform the task in the "Configuring the Tunnel Server to Accept Dial-In VPDN Tunnels" section.
Configuring the Tunnel Server to Accept Dial-In VPDN Tunnels
The tunnel server must be configured to accept tunnel requests from the remote NAS. Perform this task on the tunnel server to create a VPDN accept dial-in subgroup and to configure the tunnel server to accept tunnels from the NAS that will be the other endpoint of the VPDN tunnel. To configure the tunnel server to accept tunnels from multiple NASs, you must perform this task for each NAS.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
What to Do Next
You must perform the task in the "Configuring the Virtual Template on the Tunnel Server" section.
Configuring the Virtual Template on the Tunnel Server
When a request to establish a tunnel is received by the tunnel server, the tunnel server must create a virtual access interface. The virtual access interface is cloned from a virtual template interface, used, and then freed when no longer needed. The virtual template interface is a logical entity that is not tied to any physical interface.
Perform this task on the tunnel server to configure a basic virtual template. For more detailed information about all of the configuration options available for a virtual template, see the "Configuring Virtual Template Interfaces" section of the Cisco IOS Dial Technologies Configuration Guide, Release 12.4.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
What to Do Next
•
•
Verifying a NAS-Initiated VPDN Configuration
Perform the following tasks to verify or troubleshoot a NAS-initiated dial-in VPDN configuration:
•
•
Verifying and Troubleshooting Tunnel Establishment Between the NAS and the Tunnel Server
Perform this task to verify that a tunnel between the NAS and the tunnel server has been established, and to troubleshoot problems with tunnel establishment.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Step 1
Enter this command to enable privileged EXEC mode. Enter your password if prompted:
Router> enableStep 2
Enter this command to display details about all active VPDN tunnels. This example shows output from a tunnel server with a single active L2F tunnel:
Router# show vpdn tunnel all% No active L2TP tunnelsL2F TunnelNAS name: ISP-NASNAS CLID: 36NAS IP address 172.22.66.23Gateway name: ENT-TSGateway CLID: 1Gateway IP address 172.22.66.25State: openPackets out: 52Bytes out: 1799Packets in: 100Bytes in: 7143If no active tunnels have been established with the NAS, proceed with the following steps to troubleshoot the problem.
Step 3
Enter this command to ping the NAS. The following output shows the result of a successful ping from the tunnel server to the NAS:
Router# ping 172.22.66.25Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.30.2.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 128/132/152 msIf the tunnel server is unable to ping the NAS, there may be a problem with the routing path between the devices, or the NAS may not be functional.
Step 4
Enter the debug vpdn event command to display the VPDN events that occur during tunnel establishment. For complete field descriptions of these debug messages, refer to the debug vpdn command documentation in the Cisco IOS Debug Command Reference, Release 12.4T.
The following output from the tunnel server shows normal VPDN tunnel establishment for an L2F tunnel:
Router# debug vpdn eventL2F: Chap authentication succeeded for nas1.Virtual-Access3 VPN Virtual interface created for user6@cisco.comVirtual-Access3 VPN Set to Async interfaceVirtual-Access3 VPN Clone from Vtemplate 1 block=1 filterPPP=0%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to upVirtual-Access3 VPN Bind interface direction=2Virtual-Access3 VPN PPP LCP accepted sent & rcv CONFACK%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to upThe following output from the tunnel server shows normal VPDN tunnel establishment for an L2TP tunnel:
Router# debug vpdn event20:19:17: L2TP: I SCCRQ from ts1 tnl 820:19:17: L2X: Never heard of ts120:19:17: Tnl 7 L2TP: New tunnel created for remote ts1, address 172.21.9.420:19:17: Tnl 7 L2TP: Got a challenge in SCCRQ, ts120:19:17: Tnl 7 L2TP: Tunnel state change from idle to wait-ctl-reply20:19:17: Tnl 7 L2TP: Got a Challenge Response in SCCCN from ts120:19:17: Tnl 7 L2TP: Tunnel Authentication success20:19:17: Tnl 7 L2TP: Tunnel state change from wait-ctl-reply to established20:19:17: Tnl 7 L2TP: SM State established20:19:17: Tnl/Cl 7/1 L2TP: Session FS enabled20:19:17: Tnl/Cl 7/1 L2TP: Session state change from idle to wait-for-tunnel20:19:17: Tnl/Cl 7/1 L2TP: New session created20:19:17: Tnl/Cl 7/1 L2TP: O ICRP to ts1 8/120:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-for-tunnel to wait-connect20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-connect to established20:19:17: Vi1 VPDN: Virtual interface created for bum1@cisco.com20:19:17: Vi1 VPDN: Set to Async interface20:19:17: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking20:19:18: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up20:19:18: Vi1 VPDN: Bind interface direction=220:19:18: Vi1 VPDN: PPP LCP accepting rcv CONFACK20:19:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to upStep 5
Enter this command to display error messages that are generated during tunnel establishment. The following output from the NAS shows an authentication failure during tunnel establishment. For complete field descriptions of these debug messages, refer to the debug vpdn command documentation in the Cisco IOS Debug Command Reference, Release 12.4T.
Router# debug vpdn errors%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to down%LINK-5-CHANGED: Interface Async1, changed state to reset%LINK-3-UPDOWN: Interface Async1, changed state to down%LINK-3-UPDOWN: Interface Async1, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to upVPDN tunnel management packet failed to authenticateVPDN tunnel management packet failed to authenticateIf an authentication failure occurs, verify that both the NAS and the tunnel server are configured with the same secret password. You may also perform the tasks in the "Verifying L2TP Tunnel Establishment, PPP Negotiations, and Authentication with the Remote Client" section of the "Configuring AAA for VPDNs" module.
Verifying the Connection Between the Client and the NAS
Perform this task to verify the connection between the dial-in client and the NAS.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Step 1
Ensure that the client PC is able to connect to the NAS by establishing a dial-in connection. As the call comes into the NAS, a LINK-3-UPDOWN message automatically appears on the NAS terminal screen. In the following example, the call comes into the NAS on asynchronous interface 14:
*Jan 1 21:22:18.410: %LINK-3-UPDOWN: Interface Async14, changed state to up
Note
If this message is not displayed by the NAS, there is a problem with the dial-in configuration. For more information about configuring and troubleshooting dial-in connections, see the Cisco IOS Dial Technologies Configuration Guide, Release 12.4.
Step 2
Enter this command to enable privileged EXEC mode. Enter your password if prompted:
Router> enableStep 3
Enter this command on the tunnel server to verify that the client received an IP address. The following example shows that user3 is using IP address 172.30.2.1.
Router# show caller user user3@cisco.comUser: user3@cisco.com, line Vi1, service PPP L2F, active 00:01:35PPP: LCP Open, CHAP (<- AAA), IPCPIP: Local 172.22.66.25, remote 172.30.2.1VPDN: NAS ISP-NAS, MID 1, MID openHGW ENT-TS, NAS CLID 36, HGW CLID 1, tunnel openCounts: 105 packets input, 8979 bytes, 0 no buffer0 input errors, 0 CRC, 0 frame, 0 overrun18 packets output, 295 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resetsIf an incorrect IP address or no IP address is displayed, there is a problem with IP addresses assignment. Verify the configuration of the peer default ip address command in the virtual template on the tunnel server.
Step 4
Enter this command to verify that the interface is up, that LCP is open, and that no errors are reported. The following output shows a functional interface:
Router# show interfaces virtual-access 1Virtual-Access1 is up, line protocol is upHardware is Virtual Access interfaceInterface is unnumbered. Using address of FastEthernet0/0 (172.22.66.25)MTU 1500 bytes, BW 115 Kbit, DLY 100000 usec,reliablility 255/255, txload 1/255, rxload 1/255Encapsulation PPP, loopback not set, keepalive set (10 sec)DTR is pulsed for 5 seconds on resetLCP OpenOpen: IPCPLast input 00:00:02, output never, output hang neverLast clearing of "show interface" counters 3d00hQueueing strategy: fifoOutput queue 1/40, 0 drops; input queue 0/75, 0 drops5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/sec114 packets input, 9563 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort27 packets output, 864 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 output buffer failures, 0 output buffers swapped out0 carrier transitionsThe virtual access interface is up and the line protocol is up, showing that virtual interface establishment was successful. For complete field descriptions of these messages or any error messages that appear, refer to the show interfaces virtual-access command documentation in the Cisco IOS VPDN Command Reference, Release 12.4T.
Step 5
Enter this command on the tunnel server to verify that there are active VPDN sessions. This example shows output from a tunnel server with several active L2F and L2TP tunnels. For complete field descriptions of these messages or any error messages that appear, refer to the show vpdn session command documentation in the Cisco IOS VPDN Command Reference, Release 12.4T.
Router# show vpdn sessionL2TP Session Information Total tunnels 1 sessions 4LocID RemID TunID Intf Username State Last Chg Uniq ID4 691 13695 Se0/0 nobody2@cisco.com est 00:06:00 45 692 13695 SSS Circuit nobody1@cisco.com est 00:01:43 86 693 13695 SSS Circuit nobody1@cisco.com est 00:01:43 93 690 13695 SSS Circuit nobody3@cisco.com est 2d21h 3L2F Session Information Total tunnels 1 sessions 2CLID MID Username Intf State Uniq ID1 2 nobody@cisco.com SSS Circuit open 101 3 nobody@cisco.com SSS Circuit open 11If there is no session established for the client, you should perform the troubleshooting steps in the "Verifying and Troubleshooting Tunnel Establishment Between the NAS and the Tunnel Server" section.
Configuring L2TP Calling Station ID Suppression
In a NAS-initiated dial-in L2TP tunneling scenario, when a NAS connects to a tunnel server it transfers numerous AV pairs as part of the session setup process. One of these AV pairs is L2TP AV pair 22, the Calling Number ID. The Calling Number ID AV pair includes the calling station ID of the originator of the session, which can be the phone number of the originator, the LLID used to make the connection on the LAC, or the MAC address of the PC connecting to the network. This information can be considered sensitive in cases where the NAS and tunnel server are being managed by different entities. Depending on the security requirements of the NAS or end users, it may be desirable for the NAS to suppress part or all of the calling station ID.
Calling station ID suppression can be configured globally on the NAS, for individual VPDN groups on the NAS, or on the remote RADIUS server if one is configured.
The order of precedence for L2TP calling station ID suppression configurations is as follows:
•
•
•
Perform one or more of the following tasks to configure L2TP calling station ID suppression:
•
•
•
Prerequisites for Configuring L2TP Calling Station ID Suppression
•
•
•
•
•
Configuring Global L2TP Calling Station ID Suppression on the NAS
The calling station ID information included in L2TP AV pair 22 can be removed or masked for every L2TP session established on the router if you configure L2TP calling station ID suppression globally. This configuration is compatible with either local or remote authorization.
Perform this task on the NAS to configure global L2TP calling station ID suppression.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuring L2TP Calling Station ID Suppression for a VPDN Group on the NAS
The calling station ID information included in L2TP AV pair 22 can be removed or masked for calls associated with a specific VPDN group. This configuration is compatible with local authorization configurations.
Perform this task on the NAS to configure L2TP calling station ID suppression for calls associated with a particular VPDN group when using local authorization.
Prerequisites
You must configure the NAS and the tunnel server for local authorization when performing the task in the "Configuring AAA on the NAS and the Tunnel Server" section of the "Configuring AAA for VPDNs" module.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring L2TP Calling Station ID Suppression on the NAS Remote RADIUS Server
L2TP calling station ID suppression can be configured directly on the NAS, or in the RADIUS user profile. Configuring L2TP calling station ID suppression in the RADIUS user profile allows the configuration to be propagated to multiple NASs without having to configure each one.
Perform this task on the RADIUS server to configure a user profile that will allow the RADIUS server to instruct NASs to remove or mask the L2TP calling station ID.
Prerequisites
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuration Examples for NAS-Initiated Dial-In VPDN Tunneling
This section contains the following configuration examples:
•
•
•
•
Configuring the NAS for Dial-In VPDNs: Example
The following example configures a NAS named ISP-NAS to tunnel PPP calls to a tunnel server named ENT-TS using L2TP and local authentication and authorization:
! Enable AAA authentication and authorization with RADIUS as the default methodaaa new-modelaaa authentication ppp default radiusaaa authorization network default radius!! Configure the VPDN tunnel authentication password using the local nameusername ISP-NAS password 7 tunnelmeusername ENT-TS password 7 tunnelme!vpdn enable!! Configure VPN to first search on the client domain name and then on the DNISvpdn search-order domain dnis!! Allow a maximum of 10 simultaneous VPDN sessionsvpdn session-limit 10!! Configure the NAS to initiate VPDN dial-in sessions to the tunnel servervpdn-group 1request-dialinprotocol l2tpdomain cisco.com!initiate-to ip 172.22.66.25local name ISP-NAS!! Specifies the RADIUS server IP address, authorization port, and accounting portradius-server host 172.22.66.16 auth-port 1645 acct-port 1646!! Specifies the authentication key to be used with the RADIUS serverradius-server key cisco!Configuring the Tunnel Server for Dial-in VPDNs: Example
The following example show a tunnel server named ENT-TS configured to accept L2TP tunnels from a NAS named ISP-NAS using local authentication and authorization:
! Configure AAA to first use the local database and then contact the RADIUS server for ! PPP authenticationaaa new-modelaaa authentication ppp default local radius!! Configure AAA network authorization and accounting by using the RADIUS serveraaa authorization network default radiusaaa accounting network default start-stop radius!! Configure the VPDN tunnel authentication password using the local nameusername ISP-NAS password 7 tunnelmeusername ENT-TS password 7 tunnelme!vpdn enable!! Configure the tunnel server to accept dial-in sessions from the NASvpdn-group 1accept-dialinprotocol l2tpvirtual-template 1!terminate-from hostname ISP-NASlocal name ENT-TSforce-local-chap!! Configure the virtual templateinterface Virtual-Template1ip unnumbered Ethernet0ppp authentication chappeer default ip address pool defaultencapsulation ppp!! Specifies the RADIUS server IP address, authorization port, and accounting portradius-server host 172.22.66.13 auth-port 1645 acct-port 1646!! Specifies the authentication key to be used with the RADIUS serverradius-server key ciscoL2TP Calling Station ID Suppression with Local Authorization: Example
The following example configures a NAS for PPP over Ethernet over virtual LAN (PPPoEoVLAN). The NAS obtains a calling station ID from LLID NAS port preauthorization through RADIUS. The calling station ID will be removed from AV pair 22 for tunnels associated with the VPDN group named L2TP if the string #184 is included in the username.
hostname LAC!enable secret 5 $1$8qtb$MHcYeW2kn8VNYgz932eXl.enable password lab!aaa new-model!aaa group server radius LLID-Radiusserver 192.168.1.5 auth-port 1645 acct-port 1646!aaa group server radius LAC-Radiusserver 192.168.1.6 auth-port 1645 acct-port 1646!aaa authentication ppp default localaaa authorization network default localaaa authorization network LLID group LLID-Radiusaaa accounting network default start-stop group LAC-Radiusaaa nas port extendedaaa session-id common!resource manager!ip subnet-zeroip cefno ip domain lookup!virtual-profile virtual-template 1vpdn enablevpdn search-order domain!vpdn-group L2TPrequest-dialinprotocol l2tpdomain cisco.comdomain cisco.com#184!initiate-to ip 192.168.1.4local name testl2tp tunnel password 0 ciscol2tp attribute clid mask-method remove match #184!vpdn-group UUTaccept-dialinprotocol pppoevirtual-template 1!subscriber access pppoe pre-authorize nas-port-id LLID send username!interface Loopback0no ip address!interface Loopback1ip address 10.1.1.1 255.255.255.0!interface Ethernet0/0ip address 192.168.1.3 255.255.255.0no cdp enable!interface Ethernet0/0.20encapsulation dot1Q 1024no snmp trap link-statuspppoe enablepppoe max-sessions 200no cdp enable!interface Ethernet1/0ip address 10.1.1.10 255.255.255.0no cdp enable!interface Serial2/0no ip addressshutdownserial restart-delay 0!interface Serial3/0no ip addressshutdownserial restart-delay 0!interface Virtual-Template1ip unnumbered Ethernet1/0ip mroute-cacheno peer default ip addressppp authentication pap!ip classlessip route 0.0.0.0 0.0.0.0 Ethernet0/0ip route 10.0.0.0 255.0.0.0 Ethernet1/0!no ip http server!radius-server attribute 69 clearradius-server host 192.168.1.5 auth-port 1645 acct-port 1646radius-server host 192.168.1.6 auth-port 1645 acct-port 1646radius-server domain-stripping delimiter #radius-server key ciscoradius-server vsa send accountingradius-server vsa send authentication!control-plane!line con 0exec-timeout 0 0line aux 0line vty 0 4password labL2TP Calling Station ID Suppression with RADIUS Authorization: Example
The following example configures a NAS for PPPoEoVLAN. The NAS obtains a calling station ID from LLID NAS port preauthorization through RADIUS. The RADIUS user profile specifies that the calling station ID should be masked by replacing the rightmost six characters with the character X.
NAS Configuration
hostname LAC!enable secret 5 $1$8qtb$MHcYeW2kn8VNYgz932eXl.enable password lab!aaa new-model!aaa group server radius LLID-Radiusserver 192.168.1.5 auth-port 1645 acct-port 1646!aaa group server radius LAC-Radiusserver 192.168.1.6 auth-port 1645 acct-port 1646!aaa authentication ppp default localaaa authorization network default group LAC-Radiusaaa authorization network LLID group LLID-Radiusaaa accounting network default start-stop group LAC-Radiusaaa nas port extendedaaa session-id common!resource manager!ip subnet-zeroip cefno ip domain lookup!virtual-profile virtual-template 1vpdn enablevpdn search-order domain!vpdn-group UUTaccept-dialinprotocol pppoevirtual-template 1!subscriber access pppoe pre-authorize nas-port-id LLID send username!interface Loopback0no ip address!interface Loopback1ip address 10.1.1.1 255.255.255.0!interface Ethernet0/0ip address 192.168.1.3 255.255.255.0no cdp enable!interface Ethernet0/0.20encapsulation dot1Q 1024no snmp trap link-statuspppoe enablepppoe max-sessions 200no cdp enable!interface Ethernet1/0ip address 10.1.1.10 255.255.255.0no cdp enable!interface Serial2/0no ip addressshutdownserial restart-delay 0!interface Serial3/0no ip addressshutdownserial restart-delay 0!interface Virtual-Template1ip unnumbered Ethernet1/0ip mroute-cacheno peer default ip addressppp authentication pap!ip classlessip route 0.0.0.0 0.0.0.0 Ethernet0/0ip route 10.0.0.0 255.0.0.0 Ethernet1/0!no ip http server!radius-server attribute 69 clearradius-server host 192.168.1.5 auth-port 1645 acct-port 1646radius-server host 192.168.1.6 auth-port 1645 acct-port 1646radius-server domain-stripping delimiter #radius-server key ciscoradius-server vsa send accountingradius-server vsa send authentication!control-plane!line con 0exec-timeout 0 0line aux 0line vty 0 4password labRADIUS User Profile Configuration
Cisco-Avpair = vpdn:l2tp-tunnel-password=ciscoCisco-Avpair = vpdn:tunnel-type=l2tpCisco-Avpair = vpdn:tunnel-id=testCisco-Avpair = vpdn:ip-address=192.168.1.4Cisco-Avpair = vpdn:l2tp-clid-mask-method=right:X:6Where to Go Next
You may perform any of the relevant optional tasks in the "Configuring Additional VPDN Features" and "VPDN Tunnel Management" modules.
Additional References
The following sections provide references related to NAS-initiated VPDNs.
Related Documents
VPDN technology overview
VPDN commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Cisco IOS VPDN Command Reference, Release 12.4T
Information about configuring the NAS to accept dialin connections from the client
Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Information about configuring the NAS to accept broadband connections from the client
Cisco IOS Broadband and DSL Configuration Guide, Release 12.4
Information about virtual templates
"Configuring Virtual Template Interfaces" chapter of the Cisco IOS Dial Technologies Configuration Guide, Release 12.4
Dial Technologies commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Cisco IOS Dial Technologies Command Reference, Release 12.4T
Technical support documentation for L2TP
Technical support documentation for VPDNs
Standards
MIBs
RFCs
RFC 2341
Cisco Layer Two Forwarding (Protocol) "L2F"
RFC 2661
Layer Two Tunneling Protocol "L2TP"
Technical Assistance
Feature Information for NAS-Initiated Dial-In VPDN Tunneling
Table 2 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For details on when support for a specific command was introduced, see the command reference documentation.
For information on a feature in this technology that is not documented here, see the "VPDN Features Roadmap."
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note
Table 2 Feature Information for NAS-Initiated Dial-In VPDN Tunneling
L2TP Calling Station ID Suppression
12.2(31)SB2
This feature allows the NAS to suppress part or all of the calling station ID from the NAS in the L2TP AV pair 22, the Calling Number ID. Calling station ID suppression can be configured globally on the router, for individual VPDN groups on the router, or on the remote RADIUS server if one is configured.
The following sections provide information about this feature:
•
•
The following commands were introduced by this feature: l2tp attribute clid mask-method, vpdn l2tp attribute clid mask-method.
L2TP Extended Failover
12.2(13)T
12.2(28)SBThis feature extends L2TP failover to occur if, during tunnel establishment, a router receives a StopCCN message from its peer, or during session establishment a router receives a CDN message from its peer. In either case, the router selects an alternate peer to contact.
The following provides information about this feature:
No commands were introduced or modified by this feature.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
