Tunnel Authentication via RADIUS on Tunnel Terminator

Available Languages

Download Options

  • PDF     (284.1 KB)
    View with Adobe Reader on a variety of devices
Updated:March 28, 2005

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Tunnel Authentication via RADIUS on Tunnel Terminator

Table Of Contents

Tunnel Authentication via RADIUS on Tunnel Terminator

Contents

Restrictions for Tunnel Authentication via RADIUS on Tunnel Terminator

Information About Tunnel Authentication via RADIUS on Tunnel Terminator

Benefits of Tunnel Authentication via a Remote RADIUS Server

Functionality Overview: Tunnel Authentication via a Remote RADIUS Server

RADIUS Vendor-Specific Attributes for Tunnel Authentication

How to Configure a Remote RADIUS Server for Tunnel Authentication

Configuring the LNS or LAC for Remote RADIUS Tunnel Authentication and Authorization

Prerequisites

Verifying Remote RADIUS Tunnel Authentication and Authorization Configurations

Configuration Examples for Tunnel Authentication via a Remote RADIUS Server

Configuring an LNS for Remote RADIUS Tunnel Authentication: Example

RADIUS User Profile for Remote RADIUS Tunnel Authentication: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

vpdn tunnel authorization network

vpdn tunnel authorization password

vpdn tunnel authorization virtual-template


Tunnel Authentication via RADIUS on Tunnel Terminator

The Tunnel Authentication via RADIUS on Tunnel Terminator feature allows the Layer 2 Tunneling Protocol (L2TP) network server (LNS) to perform remote authentication and authorization with RADIUS on incoming L2TP access concentrator (LAC) dial-in connection requests. This feature also allows the L2TP LAC to perform remote authentication and authorization with RADIUS on incoming L2TP LNS dial-out connection requests.

Feature History for Tunnel Authentication via RADIUS on Tunnel Terminator

Release
Modification

12.2(15)B

This feature was introduced on the Cisco 6400 series, Cisco 7200 series, and Cisco 7400 series.

12.3(4)T

This feature was integrated into Cisco IOS Release 12.3(4)T.

12.2(27)SBA

This feature was integrated into Cisco IOS Release 12.2(27)SBA.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Restrictions for Tunnel Authentication via RADIUS on Tunnel Terminator

Information About Tunnel Authentication via RADIUS on Tunnel Terminator

How to Configure a Remote RADIUS Server for Tunnel Authentication

Configuration Examples for Tunnel Authentication via a Remote RADIUS Server

Additional References

Command Reference

Restrictions for Tunnel Authentication via RADIUS on Tunnel Terminator

The ability to configure tunnel authentication and authorization via a remote RADIUS server is applicable only to L2TP; that is, protocols such as (Layer 2 Forwarding) L2F and Point-to-Point Tunneling Protocol (PPTP) are not supported.

Information About Tunnel Authentication via RADIUS on Tunnel Terminator

To use tunnel authentication via RADIUS on your L2TP LAC, you should understand the following concepts:

Benefits of Tunnel Authentication via a Remote RADIUS Server

Functionality Overview: Tunnel Authentication via a Remote RADIUS Server

RADIUS Vendor-Specific Attributes for Tunnel Authentication

Benefits of Tunnel Authentication via a Remote RADIUS Server

Tunnel authentication and authorization can occur via a remote RADIUS server instead of local configuration on the tunnel terminator. Thus, users no longer have to configure LAC or LNS data in a virtual private dialup network (VPDN) group when an LNS or LAC is configured for incoming dial-in or dial-out L2TP tunnel termination; this information can now be added to a remote RADIUS server, providing a more manageable and scalable solution for L2TP tunnel authentication and authorization on the tunnel terminator.

Functionality Overview: Tunnel Authentication via a Remote RADIUS Server

Without this functionality, the LNS can only perform L2TP tunnel authentication and authorization locally. These processes can be difficult to maintain across numerous LNSs, especially if the number of VPDN groups is large, because the LAC information must be configured under the VPDN group configurations of the LNS. Remote RADIUS authentication and authorization allows users to store the LAC configurations on the RADIUS server, thereby avoiding the need to store information locally. Thus, the new LAC information can be added to the RADIUS server as necessary, and the group of LNSs can authenticate and authorize by using a common user database on RADIUS.

Figure 1 and the corresponding steps explain how this feature works.

Figure 1 LNS Remote RADIUS Tunnel Authentication and Authorization for L2TP Dial-in Calls Topology

After the LNS receives a start-control-connection request (SCCRQ), it starts tunnel authentication and submits a request to RADIUS with the LAC hostname and the dummy password "cisco." (If the LNS determines that authorization should be performed locally, it will search the VPDN group configurations.)

Note To change the dummy password, use the vpdn tunnel authorization password command.

If the password sent by the LNS matches the password that is configured in the RADIUS server, the server will return attribute 90 (Tunnel-Client-Auth-ID) and attribute 69 (Tunnel-Password) after the LAC information is located. Otherwise, the RADIUS server replies back with an access-reject, and the LNS drops the tunnel.

The LNS will check for the following attribute information from the RADIUS reply:

Attribute 90 (Tunnel-Client-Auth-ID), which is used as the LAC hostname. If this attribute does not match the LAC hostname, the tunnel will be dropped.

Attribute 69 (Tunnel-Password), which is used for the L2TP CHAP-like authentication shared secret. This attribute is compared against the LAC challenge attribute-value pair (AVP) that was received in the SCCRQ. If this attribute does not match the AVP, the tunnel will be dropped.

If both attributes match, the L2TP tunnel will be established. Thereafter, you can proceed with PPP negotiation and authentication with the remote client.

Note PPP remote authentication is done to a potential different customer RADIUS server by a separate access-request/access-accept sequence. The tunnel authorization may be done by a different tunnel RADIUS server.

RADIUS Vendor-Specific Attributes for Tunnel Authentication

To help implement tunnel authentication and authorization via a remote RADIUS server, the following two new Cisco-specific RADIUS attributes have been introduced:

Cisco:Cisco-Avpair = "vpdn:dout-dialer = <LAC dialer number>"—Specifies which LAC dialer to use on the LAC for a dial-out configuration.

Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate = <vtemplate number>"—Specifies the virtual template number that will be used for cloning on the LNS for a dial-in configuration. (This attribute is the RADIUS counterpart for the virtual-template under the vpdn-group configuration.)

Note The service-type in the RADIUS user's profile for the tunnel initiator should always be set to "Outbound."

How to Configure a Remote RADIUS Server for Tunnel Authentication

This section contains the following procedures:

Configuring the LNS or LAC for Remote RADIUS Tunnel Authentication and Authorization

Verifying Remote RADIUS Tunnel Authentication and Authorization Configurations

Configuring the LNS or LAC for Remote RADIUS Tunnel Authentication and Authorization

Use this task to configure an LNS or LAC for incoming dial-in or dial-out L2TP tunnel termination.

Prerequisites

Before configuring a LNS or LAC for remote RADIUS tunnel authentication and authorization, you should define a RADIUS server group. For information on completing this task, refer to the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa authorization network {default | list-name} method1 [method2...]

4. vpdn tunnel authorization network {method-list-name | default}

5. vpdn tunnel authorization virtual-template vtemplate-number

6. vpdn tunnel authorization password password

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

Router(config)# aaa authorization network {default | list-name} method1 [method2...]

Defines an AAA authorization method list for network services.

Step 4 

Router(config)# vpdn tunnel authorization network {method-list-name | default}

Specifies the AAA authorization method list that will be used for remote tunnel hostname-based authorization.

If the list-name argument was specified in the aaa authorization command, you use that list name here.

If the default keyword was specified in the aaa authorization command, you must choose that keyword, which specifies the default authorization methods that are listed with the aaa authorization command here.

Step 5 

Router(config)# vpdn tunnel authorization virtual-template vtemplate-number

(Optional) Selects the default virtual template from which to clone virtual access interfaces.

Step 6 

Router(config)# vpdn tunnel authorization password password

(Optional) Configures a "dummy" password for the RADIUS authorization request to retrieve the tunnel configuration that is based on the remote tunnel hostname.

Note If this command is not enabled, the password will always be "cisco."

Verifying Remote RADIUS Tunnel Authentication and Authorization Configurations

To verify that the L2TP tunnel is up, use the show vpdn tunnel command in EXEC mode. One tunnel and one session must be set up. 

Router# show vpdn tunnel


L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group

4571  61568 csidtw13 est    10.0.195.4      1701  1        ?              


LocID RemID TunID Intf          Username               State  Last Chg

4     11    4571  Vi4.1         csidtw9@cisco.com       est    00:02:29


%No active L2F tunnels

%No active PPTP tunnels

%No active PPPoE tunnels


To verify that the AAA authorization RADIUS server is configured on the LNS and that the LNS can 
receive attributes 90 and 69 from the RADIUS server, perform the following steps:

Step 1 Enable the debug radius command on the LNS.

Step 2 Enable the show logging command on the LNS and ensure that "access-accept" is in the output and that attributes 90 and 69 can be seen in the RADIUS reply. 

00:32:56: RADIUS: Received from id 21645/5 172.19.192.50:1645, Access-Accept, len 81

00:32:56: RADIUS:  authenticator 73 2B 1B C2 33 71 93 19 - 62 AC 3E BE 0D 13 14 85

00:32:56: RADIUS:  Service-Type        [6]   6   Outbound                  [5]

00:32:56: RADIUS:  Tunnel-Type         [64]  6   00:L2TP                   [3]

00:32:56: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]

00:32:56: RADIUS:  Tunnel-Client-Auth-I[90]  6   00:"csidtw13"

00:32:56: RADIUS:  Tunnel-Password     [69]  8   *

00:32:56: RADIUS:  Vendor, Cisco       [26]  29  

00:32:56: RADIUS:   Cisco AVpair       [1]   23  "vpdn:vpdn-vtemplate=1"

To verify that the L2TP tunnel has been established and that the LNS can perform PPP negotiation and authentication with the remote client, perform the following steps:

Step 1 Enable the debug ppp negotiation and debug ppp authentication commands on LNS.

Step 2 Enable the show logging command on LNS and observe that LNS receives a PPP CHAP challenge and then sends a PPP CHAP "SUCCESS" to the client. 

00:38:50: ppp3 PPP: Received LOGIN Response from AAA = PASS

00:38:50: ppp3 PPP: Phase is FORWARDING, Attempting Forward

00:38:50: Vi4.1  Tnl/Sn4571/4 L2TP: Session state change from wait-for-service-selection 
to established

00:38:50: Vi4.1 PPP: Phase is AUTHENTICATING, Authenticated User

00:38:50: Vi4.1 CHAP: O SUCCESS id 1 len 4

Step 3 After PPP authentication is successful, observe from the debug output that PPP negotiation has started, that the LNS has received LCP (IPCP) packets, and that negotiation is successful. 

00:38:50: Vi4.1 IPCP: State is Open

00:38:50: Vi4.1 IPCP: Install route to 200.1.1.4

Configuration Examples for Tunnel Authentication via a Remote RADIUS Server

This section includes the following configuration examples:

Configuring an LNS for Remote RADIUS Tunnel Authentication: Example

RADIUS User Profile for Remote RADIUS Tunnel Authentication: Example

Configuring an LNS for Remote RADIUS Tunnel Authentication: Example

The following example shows how to configure the LNS to enable remote RADIUS tunnel authentication and authorization: 

! Define a RADIUS server group

Router(config)# aaa group server radius VPDN-group 

Router(config-sg-radius)# server 64.102.48.91 auth-port 1645 acct-port 1646

Router(config-sg-radius)# exit

! RADIUS configurations only

Router(config)# aaa authorization network mymethodlist group VPDN-Group 

Router(config)# vpdn tunnel authorization network mymethodlist

Router(config)# vpdn tunnel authorization virtual-template 10

RADIUS User Profile for Remote RADIUS Tunnel Authentication: Example

The following are examples of RADIUS user profiles for the LNS to terminate L2TP tunnels from a LAC. In the first user profile, the final line is optional if the vpdn tunnel authorization virtual-template command is used. Also, the first RADIUS user profile is for L2TP dial-in, and the second RADIUS user profile is for L2TP dial-out.

The service-type in the RADIUS user's profile for the tunnel initiator should always be set to "Outbound." 

csidtw13  Password = "cisco"

        Service-Type = Outbound,

        Tunnel-Type = :0:L2TP,

        Tunnel-Medium-Type = :0:IP,

        Tunnel-Client-Auth-ID = :0:"csidtw13",

        Tunnel-Password = :0:"cisco"

        Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate=1"


csidtw1 Password = "cisco"

        Service-Type = Outbound,

        Tunnel-Type = :0:L2TP,

        Tunnel-Medium-Type = :0:IP,

        Tunnel-Client-Auth-ID = :0:"csidtw1",

        Tunnel-Password = :0:"cisco"

        Cisco:Cisco-Avpair = "vpdn:dout-dialer=2"

Additional References

The following sections provide references related to Tunnel Authentication via RADIUS on Tunnel Terminator.

Related Documents

Related Topic
Document Title

VPNs

The chapter "Configuring Virtual Private Networks" in the Cisco IOS Dial Technologies Configuration Guide

VPN configuration commands

Cisco IOS Dial Technologies Command Reference, Release 12.3 T

RADIUS attributes

The appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide

RADIUS commands

Cisco IOS Security Command Reference, Release 12.3 T


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

RFC 2868

RADIUS Attributes for Tunnel Protocol Support


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.

vpdn tunnel authorization network

vpdn tunnel authorization password

vpdn tunnel authorization virtual-template

vpdn tunnel authorization network

To enable the L2TP network server (LNS) or the L2TP access concentrator (LAC) to perform remote authentication, authorization, and accounting (AAA) tunnel authentication and authorization, use the vpdn tunnel authorization network command in global configuration mode. To disable remote tunnel authentication and authorization and return to the default of local tunnel authentication and authorization, use the no form of this command.

vpdn tunnel authorization network {list-name | default}

no vpdn tunnel authorization network {list-name | default}

Syntax Description

list-name

Character string used to name the list of at least one accounting method. If the list-name argument was specified in the aaa authorization network command, you must use the same list name with the vpdn tunnel authorization network command.

default

Specifies the default authorization methods that are listed with the aaa authorization network command. If the default keyword was specified in the aaa authorization network command, you must use the default keyword with the vpdn tunnel authorization network command.


Defaults

If this command is not enabled, the LNS or the LAC will perform authentication locally.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)B

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.2(27)SBA

This command was integrated into Cisco IOS Release 12.2(27)SBA.


Usage Guidelines

Use this command to specify the authorization method list that will be used for remote tunnel hostname-based authorization. The method list (named or default) is defined using the aaa authorization network command.

If a method list for tunnel authorization is not specified via the aaa authorization network command, local authorization using the local virtual private dialup network (VPDN) group configuration will occur.

Note This new method list is only for Layer 2 Transport Protocol (L2TP) tunnel authorization and termination; it is not intended for domain or dialed number identification service (DNIS)-based authorization that is typically done on the tunnel terminator. Thus, this command can be enabled only on the tunnel terminator—the LAC for dialout and the LNS for dialin.

Examples

The following example shows how to configure the LNS to enable remote RADIUS tunnel authentication and authorization: 

! Define a RADIUS server group

Router(config)# aaa group server radius VPDN-group 

Router(config-sg-radius)# server 10.102.48.91 auth-port 1645 acct-port 1646

Router(config-sg-radius)# exit

Router(config)# aaa authorization network mymethodlist group VPDN-Group 

Router(config)# vpdn tunnel authorization network mymethodlist

Router(config)# vpdn tunnel authorization virtual-template 10

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict user access to a network.


vpdn tunnel authorization password

To configure a "dummy" password for the RADIUS authentication request to retrieve the tunnel configuration that is based on the remote tunnel host name, use the vpdn tunnel authorization password command in global configuration mode. To return to the default password, use the no form of this command.

vpdn tunnel authorization password password

no vpdn tunnel authorization password password

Syntax Description

password

Character string, which is truncated after 25 characters.


Defaults

The password is set to "cisco."

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)B

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.2(27)SBA

This command was integrated into Cisco IOS Release 12.2(27)SBA.


Usage Guidelines

This command can be used on either the L2TP access concentrator (LAC) or L2TP network server (LNS) when remote RADIUS tunnel authentication is enabled.

Examples

The following example shows how to set the password to configure the LNS to enable remote RADIUS tunnel authentication and authorization and set the password to "mypassword": 

Router(config)# aaa authorization network mymethodlist group VPDN-Group 

Router(config)# vpdn tunnel authorization network mymethodlist

Router(config)# vpdn tunnel authorization virtual-template 10

Router(config)# vpdn tunnel authorization password mypassword

Related Commands

Command
Description

vpdn tunnel authorization network

Enables the LNS or the LAC to perform remote AAA tunnel authentication and authorization.


vpdn tunnel authorization virtual-template

To select the default virtual template from which to clone virtual access interfaces, use the vpdn tunnel authorization virtual-template command in global configuration mode. To remove the default virtual template, use the no form of this command.

vpdn tunnel authorization virtual-template vtemplate-number

no vpdn tunnel authorization virtual-template vtemplate-number

Syntax Description

vtemplate-number

The default virtual template number that will be used for cloning on the local router. Valid values range from 1 to 200.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)B

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.2(27)SBA

This command was integrated into Cisco IOS Release 12.2(27)SBA.


Usage Guidelines

This command should be used if a virtual template is not specified in the local virtual private dialup network (VPDN) group (for local authentication) or in a remote RADIUS configuration (via the vpdn-vtemplate attribute).

Note This command is applicable only on the L2TP network server (LNS).

Examples

The following example shows how to configure the LNS to enable remote RADIUS tunnel authentication and authorization and how to specify a default virtual template: 

! Define a RADIUS server group

Router(config)# aaa group server radius VPDN-group 

Router(config-sg-radius)# server 10.102.48.91 auth-port 1645 acct-port 1646

Router(config-sg-radius)# exit

! RADIUS configurations only

Router(config)# aaa authorization network mymethodlist group VPDN-Group 

Router(config)# vpdn tunnel authorization network mymethodlist

! Can be used for local vpdn-group tunnel authentication or remote RADIUS tunnel

! authentication

Router(config)# vpdn tunnel authorization virtual-template 10

Related Commands

Command
Description

vpdn tunnel authorization network

Enables the LNS or the LAC to perform remote AAA tunnel authentication and authorization.


Copyright © 2002-2005 Cisco Systems, Inc. All rights reserved.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products