Named method lists, Framed-route vrf aware – Cisco 10000 User Manual


5-27

Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server

L2TP Network Server

Named Method Lists

To configure authentication, authorization, and accounting (AAA), you first define a named list of
methods and then apply that list to various interfaces. The named method list defines the types of
authentication or accounting to be performed and the sequence in which they will be performed. You
must apply the method list to a specific interface before any defined authentication methods are
performed. The only exception is the default method list, which is automatically applied to all interfaces
except those that have a named method list explicitly defined. A defined method list overrides the default
method list.

An authentication method list lists the methods to be queried to authenticate users. An accounting
method list lists the methods used to support accounting. Method lists enable you to designate one or
more security protocols to be used for authentication or accounting, thus ensuring a backup system for
authentication or accounting in case the initial method fails. Cisco IOS software uses the first listed
method to authenticate users or to support accounting. If that method fails to respond, the Cisco IOS
software selects the next authentication or accounting method listed in the method list. This process
continues until successful communication with a listed authentication or accounting method occurs, or
all methods defined in the method list are exhausted.

The Cisco IOS software attempts authentication with the next listed authentication method only when
there is no response from the previous method. If authentication fails at any point in this cycle (for
example, the RADIUS server responds by denying user access), the authentication process stops and no
other authentication methods are attempted.

For more information, see the “Configuring Authentication” chapter in the Cisco IOS Security
Configuration Guide, Release 12.2.
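<br>
As an added illustration of the fall-through rule described above (not code from the configuration guide), the model below treats each method's answer as pass, explicit failure, or no response, for a list shaped like a RADIUS server group followed by the local user database; the function names and sample credentials are constructed.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Outcome(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and denied the user
    ERROR = "error"  # method gave no response (timeout, unreachable)

def radius_group(reachable: bool, users: Dict[str, str]) -> Callable[[str, str], Outcome]:
    """Constructed stand-in for a RADIUS server group: unreachable -> ERROR."""
    def method(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return method

def local_database(users: Dict[str, str]) -> Callable[[str, str], Outcome]:
    """Constructed stand-in for the local user database: always answers."""
    def method(user: str, password: str) -> Outcome:
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return method

def run_method_list(methods, user: str, password: str) -> Tuple[bool, List[str]]:
    """Query methods in order; only a non-response advances to the next one."""
    trace = []
    for name, method in methods:
        outcome = method(user, password)
        trace.append(f"{name}:{outcome.value}")
        if outcome is Outcome.PASS:
            return True, trace
        if outcome is Outcome.FAIL:
            return False, trace  # explicit denial stops the list
    return False, trace          # every method silent: access denied

# Constructed sample credentials (not from any real deployment).
RADIUS_USERS = {"alice": "radius-pw"}
LOCAL_USERS = {"alice": "local-pw", "admin": "console-pw"}

def demo(radius_up: bool, user: str, password: str) -> Tuple[bool, List[str]]:
    """A list of 'group radius' then 'local': RADIUS with local fallback."""
    methods = [("group radius", radius_group(radius_up, RADIUS_USERS)),
               ("local", local_database(LOCAL_USERS))]
    return run_method_list(methods, user, password)

if __name__ == "__main__":
    # RADIUS denies alice even though her local password would match.
    print(demo(True, "alice", "local-pw"))
    # RADIUS silent: fall through to local, which accepts.
    print(demo(False, "alice", "local-pw"))
```

The trace makes the security-relevant distinction visible: the second method is consulted only when the first one never answers, so a RADIUS denial is final and the local database is not a backdoor around it.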

Framed-Route VRF Aware

The Framed-Route VRF aware feature allows you to apply static IP routes to a specific VRF table instead
of the global routing table. This feature makes RADIUS Attribute 22 (Framed-Route) and a combination
of Attribute 8 (Framed-IP-Address) and Attribute 9 (Framed-IP-Netmask) aware of VRF instances.

You can configure a per-user static route by using the Framed-Route attribute in any of the following
ways:

• Using the Cisco route command

• Using the RADIUS Framed-Route attribute

  Note: When the PE router receives a Framed-Route attribute from the RADIUS server, the PE
  determines if the user is a VPN customer. If so, then the static route is implemented in the
  VRF routing table to which the user belongs.

• Using the RADIUS Framed-IP-Address or Framed-IP-Netmask attribute

  Note: The Framed-IP-Netmask attribute has the same function as the Framed-Route attribute.
