Cisco 10000 Series Router Software Configuration Guide (OL-2226-23), page 5-26
Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server
L2TP Network Server
Figure 5-4 Tunnel Authorization and Authentication

Typically, a tunnel RADIUS server is used for tunnel authorization and a separate (customer) RADIUS server is used for user authentication; the two roles can also be served by one RADIUS server or handled locally on the LNS. The following describes the sequence of events for tunnel authorization and authentication:
1. The LNS receives a Start-Control-Connection-Request (SCCRQ) from the LAC and starts tunnel initialization and authorization. The SCCRQ carries the LAC host name and, when tunnel authentication is enabled, an L2TP challenge.
2. The LNS makes an authorization request for the tunnel. The request includes the name of the LAC device that initiated the tunnel; that LAC name is the key used to decide whether the tunnel is authorized.
3. Authorization is done either locally or through RADIUS, depending on how AAA network authorization is configured on the LNS. For local authorization, the LNS searches its VPDN groups for one that accepts the LAC name. For RADIUS authorization, the LNS sends an Access-Request to the tunnel RADIUS server that carries the LAC host name as the user name and a hardwired password; the RADIUS server answers with the tunnel attributes configured for that LAC.
4. The LNS checks RADIUS attributes 90 (Tunnel-Client-Auth-ID) and 69 (Tunnel-Password) in the reply. If the value of attribute 90 does not match the LAC host name presented in the SCCRQ, or the tunnel password in attribute 69 does not verify the LAC's response to the L2TP tunnel-authentication challenge (the CHAP-style challenge/response exchanged in the SCCRQ, SCCRP and SCCCN messages), the LNS drops the tunnel.
5. If both checks pass, the control connection is established and the LNS terminates the L2TP tunnel, that is, it is the tunnel endpoint for the sessions the LAC forwards into it.
6. User (PPP session) authentication then occurs either locally or by using the user RADIUS server.
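The checks of steps 2 through 4 above, carried through on constructed data, as an added example (not Cisco code and not a transcript of the Cisco 10000 implementation). It models the LNS, the tunnel RADIUS server and the LAC in one script: the RADIUS reply uses the standard tagged attributes 90 and 69 named in step 4 (the Cisco VSA form mentioned in the Note below is not modelled); Tunnel-Password is decrypted as RFC 2868 section 3.5 specifies; the LAC's SCCCN response is verified as the RFC 2661 CHAP-style response MD5(message type, tunnel secret, challenge). All host names, secrets, the salt, the Request Authenticator and the challenge are made up, and the hardwired User-Password value "cisco" is an assumption (the page does not give its value; User-Password obfuscation of RFC 2865 is left out).

```python
"""Added example: the LNS-side tunnel authorization checks of steps 2-4.
Models RFC 2868 Tunnel-Password (attribute 69) and RFC 2661 tunnel authentication.
Every name, secret and byte string here is constructed for the example."""
import hashlib
import hmac
from typing import Dict, Tuple


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


# ---- RFC 2868 section 3.5: Tunnel-Password (attribute 69) obfuscation -------------

def encrypt_tunnel_password(password: bytes, radius_secret: bytes,
                            request_authenticator: bytes, salt: bytes) -> bytes:
    """Return the encrypted String part of attribute 69 (Tag and Salt excluded).
    Plaintext = length byte + password + NUL padding to 16-byte blocks. Block 0 is
    XORed with MD5(secret + RequestAuth + salt), block i with MD5(secret + c[i-1])."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two bytes with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        pad = _md5(radius_secret, request_authenticator, salt) if prev is None \
            else _md5(radius_secret, prev)
        prev = bytes(p ^ b for p, b in zip(plain[i:i + 16], pad))
        out += prev
    return out


def decrypt_tunnel_password(cipher: bytes, radius_secret: bytes,
                            request_authenticator: bytes, salt: bytes) -> bytes:
    """Inverse of encrypt_tunnel_password: recover the tunnel password on the LNS."""
    plain, prev = b"", None
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        pad = _md5(radius_secret, request_authenticator, salt) if prev is None \
            else _md5(radius_secret, prev)
        plain += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return plain[1:1 + plain[0]]          # first byte is the password length


# ---- RFC 2661: L2TP tunnel authentication ------------------------------------------

SCCRP, SCCCN = 2, 3   # message types that carry a Challenge Response AVP


def challenge_response(msg_type: int, tunnel_secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response: MD5(ID || secret || challenge), ID = L2TP message type."""
    return _md5(bytes([msg_type]), tunnel_secret, challenge)


# ---- Step 4: what the LNS checks before the tunnel comes up -----------------------

def lns_check_tunnel(sccrq_hostname: bytes, lns_challenge: bytes, scccn_response: bytes,
                     access_accept: Dict[int, bytes], radius_secret: bytes,
                     request_authenticator: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Any failure means the LNS drops the tunnel."""
    auth_id = access_accept.get(90)
    if auth_id is None:
        return False, "no Tunnel-Client-Auth-ID: LAC not authorized by RADIUS"
    if auth_id[1:] != sccrq_hostname:                   # skip the Tag byte
        return False, "attribute 90 does not match the LAC host name in the SCCRQ"
    tp = access_accept.get(69)
    if tp is None or len(tp) < 3 + 16:
        return False, "attribute 69 missing or malformed"
    salt, cipher = tp[1:3], tp[3:]                      # Tag, Salt, String
    tunnel_secret = decrypt_tunnel_password(cipher, radius_secret, request_authenticator, salt)
    expected = challenge_response(SCCCN, tunnel_secret, lns_challenge)
    if not hmac.compare_digest(expected, scccn_response):
        return False, "LAC challenge response does not verify against Tunnel-Password"
    return True, "tunnel authorized"


# ---- Constructed exchange (all values made up) --------------------------------------

RADIUS_SECRET = b"lns-radius-shared-secret"   # LNS <-> tunnel RADIUS server
TUNNEL_PASSWORD = b"l2tp-tunnel-secret-2024"  # LAC <-> LNS; 23 bytes, so it spans two blocks
LAC_HOSTNAME = b"lac-east-01"
HARDWIRED_PASSWORD = b"cisco"                 # assumption: fixed User-Password sent in step 3
REQUEST_AUTH = bytes(range(16))               # Request Authenticator of the Access-Request
SALT = b"\x81\x37"
LNS_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # sent by the LNS in SCCRP


def tunnel_radius_server(access_request: Dict[int, bytes]) -> Dict[int, bytes]:
    """Step 3, server side: look up the LAC by User-Name and return its tunnel profile.
    An unknown LAC gets an empty reply (Access-Reject)."""
    profiles = {                              # host name -> (Tunnel-Client-Auth-ID, secret)
        LAC_HOSTNAME: (LAC_HOSTNAME, TUNNEL_PASSWORD),
        b"lac-misconfig": (b"lac-west-02", TUNNEL_PASSWORD),   # profile with a wrong auth-id
    }
    profile = profiles.get(access_request[1])
    if profile is None:
        return {}
    auth_id, secret = profile
    return {90: b"\x01" + auth_id,
            69: b"\x01" + SALT + encrypt_tunnel_password(secret, RADIUS_SECRET, REQUEST_AUTH, SALT)}


def run_exchange(sccrq_hostname: bytes = LAC_HOSTNAME,
                 lac_secret: bytes = TUNNEL_PASSWORD) -> Tuple[bool, str]:
    """Steps 2-4 end to end. lac_secret is what the LAC really knows; pass a wrong value
    (or a host name with no valid profile) to see the LNS drop the tunnel."""
    access_request = {1: sccrq_hostname, 2: HARDWIRED_PASSWORD}   # User-Name, User-Password
    access_accept = tunnel_radius_server(access_request)
    scccn_response = challenge_response(SCCCN, lac_secret, LNS_CHALLENGE)
    return lns_check_tunnel(sccrq_hostname, LNS_CHALLENGE, scccn_response,
                            access_accept, RADIUS_SECRET, REQUEST_AUTH)


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(lac_secret=b"wrong-secret"))
    print(run_exchange(sccrq_hostname=b"lac-misconfig"))
```

The constant-time comparison on the challenge response and the explicit check that attribute 69 is long enough to hold a Tag, Salt and at least one 16-byte block are the two details most often skipped in home-grown LNS code; the second matters because a truncated or absent Tunnel-Password must fail closed rather than decrypt to an empty secret.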
Note
• The Cisco 10000 series router implements tunnel authentication by using Cisco-specific RADIUS attributes. For more information about the tunnel authentication vendor-specific attributes (VSAs), see the “Configuring Vendor-Specific Attributes on RADIUS” section on page 5-44.
• For more information about AAA authentication, see the “Configuring Authentication” chapter in the Cisco IOS Security Configuration Guide, Release 12.2.
[Figure 5-4 topology: Client -> (PPPoE) -> LAC -> (L2TP tunnel) -> LNS; the LNS queries a Tunnel RADIUS server for tunnel authorization and a Customer RADIUS server for user authentication.]