Home » Cisco Manuals » Bridges & Routers » Cisco 10000-2P2-2DC » Manual Viewer

Cisco 10000-2P2-2DC Software Guide - Page 210

Configuring Vendor-Specific Attributes on RADIUS, Example 5-15

View all Cisco 10000-2P2-2DC manuals

Add to My Manuals
Save this manual to your list of manuals

Page 210 highlights

L2TP Network Server Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server Configuring Vendor-Specific Attributes on RADIUS Cisco IOS Release 12.2(15)BX adds Cisco-specific VPDN RADIUS attributes to support RADIUS tunnel authentication. To configure the RADIUS server for tunnel authentication, you must configure the following vendor-specific attributes (VSAs) on the RADIUS server: • vpdn-vtemplate-Specifies the virtual template number to use for cloning on the LNS. This attribute corresponds to the virtual template associated with the local VPDN group on the LNS. This attribute is not required if you used the vpdn tunnel authorization virtual-template command on the LNS to configure a default virtual template to use for cloning. Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate = " • dout-dialer-Specifies the LAC dialer to use on the LAC for a dialout configuration. Cisco:Cisco-Avpair = "vpdn:dout-dialer = " • Service-Type-Specifies an outbound or inbound service type. In the tunnel authorization request, the LNS sets the Service-Type attribute to Outbound. Therefore, in the RADIUS configuration you must also configure an Outbound Service-Type. Service-Type = Outbound Note • For information about RADIUS attributes supported on the Cisco 10000 series router, see Appendix A, "RADIUS Attributes" or see the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide, Release 12.2. • For more information about configuring RADIUS, see your RADIUS user documentation. Example 5-15 is a RADIUS configuration that allows the LNS to terminate L2TP tunnels from a LAC. In this configuration, VirtualTemplate10 is used to clone a virtual access interface (VAI) on the LNS. Example 5-15 Configuring RADIUS for LNS Termination of L2TP Tunnels from a LAC myLACname Password = "cisco" Service-Type = Outbound, Tunnel-Type = :0:l@TP, Tunnel-Medium-Type = :o:IP, Tunnel-Client-Auth-ID = :0:"myLACname", Tunnel-Password = :0:"mytunnelpassword", Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate=10" Example 5-16 is an LNS configuration that supports RADIUS tunnel authentication. In this configuration, a RADIUS server group is defined using the aaa group server radius VPDN-Group command. The aaa authorization network mymethodlist group VPDN-Group command queries RADIUS for network authorization. Example 5-16 Configuring the LNS to Support RADIUS Tunnel Authentication aaa group server radius VPDN-Group server 64.102.48.91 auth-port 1645 acct-port 1646 aaa authorization network mymethodlist group VPDN-Group vpdn tunnel authorization network mymethodlist vpdn tunnel authorization virtual-template 10 5-44 Cisco 10000 Series Router Software Configuration Guide OL-2226-23

Section	Page
Cisco 10000 Series Router Software Configuration Guide	1
Contents	3
About This Guide	25
Guide Revision History	25
Audience	30
Document Organization	30
Document Conventions	32
Related Documentation	33
RFCs	34
Obtaining Documentation, Obtaining Support, and Security Guidelines	34
Broadband Aggregation and Leased-Line Overview	35
Hardware Requirements	35
Checking Hardware and Software Compatibility	35
Broadband Architecture Models	36
PPP Termination and Aggregation Architectures	36
PTA to Virtual Routing and Forwarding Architecture	37
PTA to Multiprotocol Label Switching Virtual Private Network Architecture	38
L2TP Architectures	39
L2TP to Virtual Routing and Forwarding Architecture	39
L2TP over MPLS to Virtual Routing and Forwarding Instance	40
L2TP Access Concentrator Architecture	41
Routed Bridge Encapsulation Architectures	41
RBE to Virtual Routing and Forwarding Architecture	42
RBE to Multiprotocol Label Switching Virtual Private Network Architecture	43
Leased-Line Architecture Models	44
Channelized Aggregation	44
Frame Relay Aggregation	44
ATM Aggregation	45
Ethernet Aggregation	46
MPLS Provider Edge Applications	46
Combined Broadband and Leased-Line Applications	47
Load Balancing Architecture Models	47
IP and MPLS Applications	47
Single Ingress and Single Egress Provider Edge Applications	48
Single Ingress and Two Egress Provider Edge Applications	48
Multiple Ingress and Multiple Egress Provider Edge Applications	49
New Features, Enhancements, and Changes	49
New Features in Cisco IOS Release 12.2(33)XNE3	50
New Features in Cisco IOS Release 12.2(33)XNE	50
New Features in Cisco IOS Release 12.2(33)SB3	52
New Features in Cisco IOS Release 12.2(33)SB2	52
New Features in Cisco IOS Release 12.2(33)SB	52
New Features in Cisco IOS Release 12.2(31)SB5	53
New Features in Cisco IOS Release 12.2(31)SB3	53
New Features in Cisco IOS Release 12.2(31)SB2	54
New Features in Cisco IOS Release 12.2(28)SB1	55
New Features in Cisco IOS Release 12.2(28)SB	55
New Features in Cisco IOS Release 12.3(7)XI7	59
New Features in Cisco IOS Release 12.3(7)XI3	60
New Features in Cisco IOS Release 12.3(7)XI2	60
New Features in Cisco IOS Release 12.3(7)XI1	60
Scalability and Performance	63
Line Card VC Limitations	63
Limitations and Restrictions	65
Scaling Enhancements in Cisco IOS Release 12.2(33)XNE	66
Scaling Enhancements in Cisco IOS Release 12.2(33)SB	67
Layer 4 Redirect Scaling	67
Scaling Enhancements in Cisco IOS Release 12.3(7)XI1	68
FIB Scaling	68
Policy-Map Scaling	68
Queue Scaling	69
Scaling Enhancements in Cisco IOS Release 12.3(7)XI2	69
Queue Scaling	69
VC Scaling	70
Scaling Enhancements in Cisco IOS Release 12.2(28)SB	70
Configuring the Cisco 10000 Series Router for High Scalability	70
Configuring Parameters for RADIUS Authentication	71
Configuring L2TP Tunnel Settings	71
VPDN Group Session Limiting	72
Configuring the PPP Authentication Timeout	72
Disabling Cisco Discovery Protocol	72
Disabling Gratuitous ARP Requests	73
Configuring a Virtual Template Without Interface-Specific Commands	73
Monitoring PPP Sessions Using the SNMP Management Tools	75
SNMP Process and High CPU Utilization	75
CISCO-ATM-PVCTRAP-EXTN-MIB	76
Configuring the Trunk Interface Input Hold Queue	77
Configuring no atm pxf queuing	77
Configuring atm pxf queuing	78
Configuring keepalive	79
Enhancing Scalability of Per-User Configurations	79
Setting VRF and IP Unnumbered Interface Configurations in User Profiles	80
Setting VRF and IP Unnumbered Interface Configuration in a Virtual Interface Template	80
Redefining User Profiles to Use the ip:vrf-id and ip:ip-unnumbered VSAs	80
Placing PPPoA Sessions in Listening Mode	81
Scaling L2TP Tunnel Configurations	81
Using the RADIUS Attribute cisco-avpair=\	82
Using Full Virtual Access Interfaces	82
Preventing Full Virtual Access Interfaces	83
Configuring Remote Access to MPLS VPN	85
MPLS VPN Architecture	86
Access Technologies	87
PPP over ATM to MPLS VPN	88
PPP over Ethernet to MPLS VPN	89
RBE over ATM to MPLS VPN	91
MPLS VPN ID	91
DHCP Relay Agent Information Option-Option 82	93
DHCP Relay Support for MPLS VPN Suboptions	93
Feature History for RA to MPLS VPN	94
Restrictions for RA to MPLS VPN	94
Prerequisites for RA to MPLS VPN	95
Configuration Tasks for RA to MPLS VPN	96
Configuring the MPLS Core Network	96
Enabling Label Switching of IP Packets on Interfaces	96
Configuring Virtual Routing and Forwarding Instances	97
Associating VRFs	97
Configuring Multiprotocol BGP PE to PE Routing Sessions	98
Configuring Access Protocols and Connections	100
Configuring a Virtual Template Interface	101
Configuring PPP over ATM Virtual Connections and Applying Virtual Templates	102
Configuring PPPoE over ATM Virtual Connections and Applying Virtual Templates	102
Configuring PPPoE over Ethernet Virtual Connections and Applying Virtual Templates	104
Configuring RBE over ATM Virtual Connections	106
Configuring and Associating Virtual Private Networks	112
Configuring Virtual Private Networks	112
Associating VPNs with a Virtual Template Interface	112
Configuring RADIUS User Profiles for RADIUS-Based AAA	114
Verifying VPN Operation	114
Configuration Examples for RA to MPLS VPN	114
PPPoA to MPLS VPN Configuration Example	115
PPPoE to MPLS VPN Configuration Example	118
RBE to MPLS VPN Configuration Example	122
Monitoring and Maintaining an MPLS Configuration	123
Verifying the Routing Protocol Is Running	124
Verifying MPLS	124
Verifying Connections Between Neighbors	124
Verifying Label Distribution	125
Verifying Label Bindings	126
Verifying Labels Are Set	127
Monitoring and Maintaining the MPLS VPN	127
Verifying VRF Configurations	128
Verifying the Routing Table	128
Verifying the PE to PE Routing Protocols	129
Verifying the PE to CE Routing Protocol	130
Verifying the MPLS VPN Labels	130
Testing the VRF	130
Monitoring and Maintaining PPPoX to MPLS VPN	131
Monitoring and Maintaining RBE to MPLS VPN	132
Configuring Multiprotocol Label Switching	135
BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN	135
Feature History for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN	136
Restrictions for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN	137
Prerequisites for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN	137
IGP Convergence Acceleration	137
Configuring IGP Convergence Acceleration	138
Configuring BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN	138
Configuring Multipath Load Sharing for eBGP and iBGP	139
Verifying Multipath Load Sharing for eBGP and iBGP	139
Configuration Examples for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN	139
eBGP and iBGP Multipath Load Sharing Configuration Example	140
Verifying eBGP and iBGP Multipath Load Sharing	140
Monitoring and Maintaining BGP Multipath Load Sharing for eBGP and iBGP	141
IPv6 VPN over MPLS	141
Feature History for IPv6 VPN over MPLS	142
Prerequisites for Implementing IPv6 VPN over MPLS	142
Restrictions for Implementing IPv6 VPN over MPLS	143
Configuration Tasks for Implementing IPv6 VPN over MPLS	143
BGP Features	144
IPv6 Internet Access	145
VRF-Aware Router Applications	146
VRF-Lite	146
QoS Features	146
Configuration Example for Implementing IPv6 VPN over MPLS	147
Monitoring and Maintaining IPv6 VPN over MPLS	149
Session Limit Per VRF	149
Application of VPDN Parameters to VPDN Groups	150
VPDN Template Configuration	151
Feature History for Session Limit Per VRF	151
Restrictions for Session Limit Per VRF	151
Prerequisites for Session Limit Per VRF	151
Configuring Session Limit Per VRF	152
Verifying a Session Limit Per VRF Configuration	153
Configuration Examples for Session Limit Per VRF	153
Monitoring and Maintaining Session Limit Per VRF	155
Half-Duplex VRF	155
Upstream and Downstream VRFs	156
Reverse Path Forwarding Check Support	157
Feature History for Half-Duplex VRF	157
Restrictions for Half-Duplex VRF	157
Prerequisites for Half-Duplex VRF	157
Configuration Tasks for Half-Duplex VRF	158
Configuring Upstream and Downstream VRFs on the L2TP Access Concentrator and PE Router	158
Associating VRFs	159
Configuring RADIUS	160
Configuration Examples for Half-Duplex VRF	160
Hub and Spoke Sample Configuration with Half-Duplex VRFs	161
RADIUS Sample Configuration	162
Monitoring and Maintaining Half-Duplex VRF	163
Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server	167
IP Reassembly	167
Feature History for IP Reassembly	168
Layer 2 Access Concentrator	168
Tunnel Sharing	170
Tunnel Service Authorization	170
Tunnel Selection	170
Sessions per Tunnel Limiting	171
Session Load Balancing	172
Session Load Failover	172
Feature History for LAC	172
Restrictions for LAC	173
Required Configuration Tasks for LAC	173
Enabling the LAC to Look for Tunnel Definitions	173
Optional Configuration Tasks for LAC	173
Enabling Sessions with Different Domains to Share the Same Tunnel	174
Enabling the LAC to Conduct Tunnel Service Authorization	174
Configuring Sessions Per Tunnel Limiting on the LAC	178
RADIUS Server Optional Configuration Tasks for LAC	179
Enabling Tunnel Sharing for RADIUS Services	179
Enabling the RADIUS Server to Conduct Tunnel Service Authorization	180
Configuring Sessions Per Tunnel Limiting in the RADIUS Service Profile	182
Configuration Example for LAC	183
Monitoring and Maintaining LAC	187
L2TP Network Server	188
Virtual Template Interface	189
Virtual Routing and Forwarding Instance	189
Per VRF AAA	189
Private Servers	190
RADIUS Attribute Screening	190
Packet Fragmentation	190
Tunnel Accounting	191
Tunnel Authentication	191
Named Method Lists	193
Framed-Route VRF Aware	193
Feature History for LNS	194
Restrictions for the LNS	194
Prerequisites for LNS	194
Required Configuration Tasks for LNS	195
Configuring the Virtual Template Interface	195
Configuring the LNS to Initiate and Receive L2TP Traffic	195
Optional Configuration Tasks for LNS	196
Configuring per VRF AAA Services	197
Configuring a VRF on the LNS	202
Configuring Sessions per Tunnel Limiting on the LNS	202
Configuring RADIUS Attribute Accept or Reject Lists	203
Configuring the LNS for RADIUS Tunnel Accounting	205
Configuring the LNS for RADIUS Tunnel Authentication	208
Configuration Examples for LNS	211
Managed LNS Configuration Example	211
Tunnel Accounting Configuration Examples	213
Tunnel Authentication Configuration Examples	216
Monitoring and Maintaining LNS	217
Configuring PPPoE over Ethernet and IEEE 802.1Q VLAN	219
PPPoE over Ethernet	219
Feature History for PPPoE over Ethernet	220
Restrictions for PPPoE over Ethernet	220
Configuration Tasks for PPPoE over Ethernet	220
Configuring a Virtual Template Interface	220
Creating an Ethernet Interface and Enabling PPPoE	221
Configuring PPPoE in a VPDN Group	221
Configuring PPPoE in a BBA Group	221
Configuration Example for PPPoE over Ethernet	223
Static MAC Address for PPPoE	223
Feature History for Static MAC Address for PPPoE	224
PPPoE over IEEE 802.1Q VLANs	225
Feature History for PPPoE over IEEE 802.1Q VLANs	225
Restrictions for PPPoE over IEEE 802.1Q VLANs	225
Configuration Tasks for PPPoE over IEEE 802.1Q VLANs	225
Configuring a Virtual Template Interface	226
Creating an Ethernet 802.1Q Encapsulated Subinterface and Enabling PPPoE	226
Configuring PPPoE in a VPDN Group	226
Configuring PPPoE in a BBA Group	227
Configuration Examples for PPPoE over IEEE 802.1Q VLANs	228
Verifying PPPoE over Ethernet and IEEE 802.1Q VLAN	229
Clearing PPPoE Sessions	230
TCP MSS Adjust	230
Feature History for TCP MSS Adjust	230
Information about TCP MSS Adjust	230
Restrictions for TCP MSS Adjust	231
Configuration Task for TCP MSS Adjust	231
TCP MSS Adjustment Configuration: Examples	232
VLAN Range	233
Feature History for VLAN Range	233
Restrictions for VLAN Range	234
Configuration Task for VLAN Range	234
Configuring a Range of VLAN Subinterfaces	234
Configuration Examples for VLAN Range	235
Verifying the Configuration of a Range of Subinterfaces	236
Configuring IP Unnumbered on IEEE 802.1Q VLANs	237
Feature History for IP Unnumbered on VLANs	238
Benefits for IP Unnumbered on VLANs	238
Restrictions for IP Unnumbered on VLANs	239
Configuration Tasks for IP Unnumbered on VLANs	239
Configuring IP Unnumbered for an Ethernet VLAN Subinterface	239
Configuring IP Unnumbered for a Range of Ethernet VLAN Subinterfaces	240
Configuration Examples for IP Unnumbered on VLANs	240
Monitoring and Maintaining IP Unnumbered Ethernet VLAN Subinterfaces	241
Configuring ATM Permanent Virtual Circuit Autoprovisioning	243
ATM PVC Autoprovisioning	243
Local Template-Based ATM PVC Provisioning	244
Feature History for Local Template-Based ATM PVC Provisioning	244
ATM Interface Oversubscription	244
VC Class	245
ATM VC Scaling and VC Assignment	246
When SAR the Page Limit is Reached	247
OC-12 ATM Line Card and VC Scaling	247
Feature History for ATM PVC Autoprovisioning	247
Restrictions for ATM PVC Autoprovisioning	247
Configuration Tasks for ATM PVC Autoprovisioning	248
Creating an On-Demand PVC Using a VC Class	248
Creating an On-Demand PVC Directly	250
Creating an On-Demand PVC With Infinite Range	253
Monitoring and Maintaining ATM PVC Autoprovisioning	254
Configuration Example for ATM PVC Autoprovisioning	255
Variable Bit Rate Non-Real Time Oversubscription	256
Feature History for VBR-nrt Oversubscription	257
Restrictions for VBR-nrt Oversubscription	257
Configuration Tasks for VBR-nrt Oversubscription	259
Configuring VBR-nrt Oversubscription	259
Verifying ATM PVC Oversubscription	259
Configuration Example for ATM PVC Oversubscription	260
Configuring Multihop	261
Feature History for Multihop	262
Restrictions for Multihop	263
Required Configuration Tasks for Multihop	263
Enabling VPDN and Multihop Functionality	263
Terminating the Tunnel from the LAC	264
Mapping the Ingress Tunnel Name to an LNS	264
Optional Configuration Tasks for Multihop	265
Specifying VPDN Tunnel Authorization Searches by Ingress Tunnel Name	265
Preserving the Type of Service Field of Encapsulated IP Packets	265
Configuring an Accept-Dialin VPDN Group to Preserve IP TOS	266
Configuring a Request-Dialout VPDN Group to Preserve IP TOS	267
Configuration Examples for Multihop	268
Monitoring and Maintaining Multihop Configurations	269
Configuring Address Pools	273
Address Assignment Mechanisms	273
Local Address Pool	274
Benefits of a Local Address Pool	274
Limitations of a Local Address Pool	274
RADIUS-Based Address Assignment	274
Benefits of RADIUS-Based Address Assignment	275
Limitations of RADIUS-Based Address Assignment	275
DHCP-Based Address Assignment	275
Benefits of DHCP-based Address Assignment	275
Limitations of DHCP-Based Address Assignment	276
On-Demand Address Pool Manager	276
Feature History for On-Demand Address Pool Manager	277
Address Allocation for PPP Sessions	277
Subnet Releasing	277
On-Demand Address Pools for MPLS VPNs	277
Benefits On-Demand Address Pool Manager	278
Prerequisites for On-Demand Address Pool Manager	278
Required Configuration Tasks for On-Demand Address Pool Manager	278
Defining DHCP ODAPs as the Global Default Pooling Mechanism	279
Configuring the DHCP Pool as an ODAP	279
Configuring the AAA Client	280
Configuring RADIUS	281
Optional Configuration Tasks for On-Demand Address Pool Manager	282
Defining ODAPs on an Interface	282
Configuring ODAPs to Obtain Subnets Through IPCP Negotiation	283
Disabling ODAPs	283
Verifying On-Demand Address Pool Operation	284
Configuration Examples for On-Demand Address Pool Manager	286
Configuring DHCP ODAPs on an Interface	286
Configuring ODAPs to Obtain Subnets Through IPCP Negotiation	287
Monitoring and Maintaining an On-Demand Address Pool	287
Overlapping IP Address Pools	288
Feature History for Overlapping IP Address Pools	289
Restrictions for Overlapping IP Address Pools	289
Configuration Tasks for Overlapping IP Address Pools	289
Configuring a Local Pool Group for IP Overlapping Address Pools	289
Verifying Local Pool Groups for IP Overlapping Address Pools	290
Configuration Examples for Overlapping IP Address Pools	290
Generic IP Overlapping Address Pools Example	290
IP Overlapping Address Pools for VPNs and VRFs Example	291
Configuring Local AAA Server, User Database-Domain to VRF	293
Feature History for Local AAA Server, User Database-Domain to VRF	294
Prerequisites for Local AAA Server, User Database-Domain to VRF	294
Establishing a PPP Connection	294
AAA Authentication	294
AAA Authorization	295
AAA Accounting	295
AAA Attribute Lists	296
Converting from RADIUS Format to Cisco IOS AAA Format	296
Defining AAA Attribute Lists	297
Subscriber Profiles	297
AAA Method Lists	298
Configuration Tasks for Local AAA Server, User Database-Domain to VRF Using Local Attributes	298
Defining AAA	298
Defining RADIUS and Enabling NAS-PORT	299
Defining a VRF	299
Applying AAA to a Virtual Template	299
Defining a Loopback Interface	300
Creating an IP Address Pool	300
Defining a Subscriber Profile	300
Defining an AAA Attribute List	300
Verifying Local AAA Server, User Database-Domain to VRF Using Local Attributes	301
Configuration Example for Local AAA Server, User Database-Domain to VRF	301
Example-VRF with DBS	303
Example-VRF with ACL	304
Monitoring and Maintaining Local AAA Server, User Database-Domain to VRF	304
Configuring Traffic Filtering	305
IP Receive ACLs	305
Feature History for IP Receive ACLs	306
Restrictions for IP Receive ACLs	306
Configuration Tasks for IP Receive ACLs	306
Configuring Receive ACLs	307
Verifying Receive ACLs	307
Configuration Example for IP Receive ACLs	307
Time-Based ACLs	308
Feature History for Time-Based ACLs	308
Restrictions for Time-Based ACLs	309
Configuration Tasks for Time-Based ACLs	309
Creating a Time Range	309
Applying a Time Range to a Numbered Access Control List	310
Applying a Time Range to a Named Access Control List	311
Monitoring and Maintaining Time-Based ACLs	312
Configuration Examples for Time-Based ACLs	312
Unicast Reverse Path Forwarding	315
Feature History for uRPF	316
Prerequisites for uRPF	316
Restrictions for uRPF	316
Configuring Unicast RPF	317
Monitoring and Maintaining uRPF	318
Configuration Examples of uRPF	320
Configuring Loose Mode uRPF	321
Configuring Loose Mode uRPF with the allow-self-ping Option	321
Configuring Loose Mode uRPF with the allow-default Option	322
Configuring Automatic Protection Switching	323
Multirouter Automatic Protection Switching	323
Feature History for MR-APS	324
Restrictions for MR-APS	325
Configuration Tasks for MR-APS	325
Configuring MR-APS on Unchannelized Line Cards	325
Configuring MR-APS on Channelized Line Cards	326
Configuring MR-APS with Static Routes	327
Configuring MR-APS with Static Routes on Unchannelized Line Cards	327
Configuring MR-APS with Static Routes on Channelized Line Cards	329
Monitoring and Maintaining the MR-APS Configuration	331
Single-router Automatic Protection Switching	331
Feature History for SR-APS	333
Configuring SR-APS	333
Disabling SR-APS	333
Monitoring and Maintaining the SR-APS Configuration	334
Threshold Commands	335
Specifying SR-APS Signal Degrade BER Threshold	335
Specifying SR-APS Signal Fail BER Threshold	336
Configuring IP Multicast	337
Feature History for IP Multicast	338
Restrictions for IP Multicast	338
Configuration Tasks for IP Multicast Routing	338
Enabling IP Multicast Routing	339
Enabling PIM on an Interface	339
Enabling Dense Mode	339
Enabling Sparse Mode	340
Enabling Sparse-Dense Mode	340
Configuring Native Multicast Load Splitting	340
Configuring the Control Plane Protocol Policy	340
Configuring RADIUS Features	343
RADIUS Attribute Screening	343
Feature History for RADIUS Attribute Screening	344
Restrictions for RADIUS Attribute Screening	344
Prerequisites for RADIUS Attribute Screening	344
Configuration Tasks for RADIUS Attribute Screening	345
Configuration Examples for RADIUS Attribute Screening	345
Authorization Accept Configuration Example	345
Accounting Reject Configuration Example	345
Authorization Reject and Accounting Accept Configuration Example	346
Rejecting Required Attributes Configuration Example	346
RADIUS Transmit Retries	346
Feature History for RADIUS Transmit Retries	347
Restrictions for RADIUS Transmit Retries	347
Configuring RADIUS Transmit Retries	347
Configuration Example for RADIUS Transmit Retries	347
Monitoring and Troubleshooting RADIUS Transmit Retries	348
Extended NAS-Port-Type and NAS-Port Support	348
Feature History for Extended NAS-Port-Type and NAS-Port Support	349
NAS-Port-Type (RADIUS Attribute 61)	349
NAS-Port (RADIUS Attribute 5)	350
NAS-Port-ID (RADIUS Attribute 87)	350
Prerequisites for Extended NAS-Port-Type and NAS-Port Attributes Support	350
Configuring Extended NAS-Port-Type and NAS-Port Attributes Support	351
Verifying Extended NAS-Port-Type and NAS-Port-ID Attributes Support	353
Configuration Examples for Extended NAS-Port-Type Attribute Support	354
RADIUS Attribute 31: PPPoX Calling Station ID	355
Feature History for PPPoX Calling Station ID	355
Calling-Station-ID Formats	355
Restrictions for PPPoX Calling Station ID	356
Related Documents for PPPoX Calling Station ID	357
Configuration Tasks for PPPoX Calling Station ID	357
Configuring the Calling-Station-ID Format	357
Verifying the Calling-Station-ID	357
Configuration Example for PPPoX Calling Station ID	358
Related Commands for PPPoX Calling Station ID	359
RADIUS Packet of Disconnect	359
Feature History for RADIUS Packet of Disconnect	360
Benefits for RADIUS Packet of Disconnect	360
Restrictions for RADIUS Packet of Disconnect	360
Related Documents for RADIUS Packet of Disconnect	361
Prerequisites for RADIUS Packet of Disconnect	361
Configuration Tasks for RADIUS Packet of Disconnect	361
Configuring AAA POD Server	362
Verifying AAA POD Server	362
Monitoring and Maintaining AAA POD Server	363
Configuration Example for RADIUS Packet of Disconnect	363
Cisco 10000 Series Router PXF Stall Monitor	365
Feature History of Cisco 10000 Series Router PXF Stall Monitor	365
Information about Cisco 10000 Series Router PXF Stall Monitor	365
Recovery Actions	367
Restrictions for Cisco 10000 Series Router PXF Stall Monitor	367

Match case Limit results 1 per page

5-44

Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 5

Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server

L2TP Network Server

Configuring Vendor-Specific Attributes on RADIUS

Cisco IOS Release 12.2(15)BX adds Cisco-specific VPDN RADIUS attributes to support RADIUS

tunnel authentication. To configure the RADIUS server for tunnel authentication, you must configure

the following vendor-specific attributes (VSAs) on the RADIUS server:

•

vpdn-vtemplate—Specifies the virtual template number to use for cloning on the LNS. This attribute

corresponds to the virtual template associated with the local VPDN group on the LNS. This attribute

is not required if you used the

vpdn tunnel authorization virtual-template

vtemplate num

command on the LNS to configure a default virtual template to use for cloning.

Cisco:Cisco-Avpair = ”vpdn:vpdn-vtemplate = <vtemplate number>”

•

dout-dialer—Specifies the LAC dialer to use on the LAC for a dialout configuration.

Cisco:Cisco-Avpair = “vpdn:dout-dialer = <LAC dialer number>”

•

Service-Type—Specifies an outbound or inbound service type. In the tunnel authorization request,

the LNS sets the Service-Type attribute to Outbound. Therefore, in the RADIUS configuration you

must also configure an Outbound Service-Type.

Service-Type = Outbound

Note

•

For information about RADIUS attributes supported on the Cisco 10000 series router, see

Appendix A, “RADIUS Attributes”

or see the “RADIUS Attributes” appendix in the

Cisco IOS Security Configuration Guide, Release 12.2

•

For more information about configuring RADIUS, see your RADIUS user documentation.

Example 5-15

is a RADIUS configuration that allows the LNS to terminate L2TP tunnels from a LAC.

In this configuration, VirtualTemplate10 is used to clone a virtual access interface (VAI) on the LNS.

Example 5-15

Configuring RADIUS for LNS Termination of L2TP Tunnels from a LAC

myLACname

Password = “cisco”

Service-Type = Outbound,

Tunnel-Type = :0:l@TP,

Tunnel-Medium-Type = :o:IP,

Tunnel-Client-Auth-ID = :0:”myLACname”,

Tunnel-Password = :0:”mytunnelpassword”,

Cisco:Cisco-Avpair = “vpdn:vpdn-vtemplate=10”

Example 5-16

is an LNS configuration that supports RADIUS tunnel authentication. In this

configuration, a RADIUS server group is defined using the

aaa group server radius VPDN-Group

command. The

aaa authorization network mymethodlist group VPDN-Group

command queries

RADIUS for network authorization.

Example 5-16

Configuring the LNS to Support RADIUS Tunnel Authentication

aaa group server radius VPDN-Group

server 64.102.48.91 auth-port 1645 acct-port 1646

aaa authorization network mymethodlist group VPDN-Group

vpdn tunnel authorization network mymethodlist

vpdn tunnel authorization virtual-template 10