Cisco 10000 User Manual

Page 208


Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server

L2TP Network Server

Configuring Vendor-Specific Attributes on RADIUS

Cisco IOS Release 12.2(15)BX adds Cisco-specific VPDN RADIUS attributes to support RADIUS
tunnel authentication. To configure the RADIUS server for tunnel authentication, you must configure
the following vendor-specific attributes (VSAs) on the RADIUS server:

vpdn-vtemplate—Specifies the virtual template number to use for cloning on the LNS. This attribute
corresponds to the virtual template associated with the local VPDN group on the LNS. This attribute
is not required if you used the vpdn tunnel authorization virtual-template <vtemplate num>
command on the LNS to configure a default virtual template to use for cloning.

Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate = <vtemplate number>"

dout-dialer—Specifies the LAC dialer to use on the LAC for a dialout configuration.

Cisco:Cisco-Avpair = "vpdn:dout-dialer = <LAC dialer number>"

Service-Type—Specifies an outbound or inbound service type. In the tunnel authorization request,
the LNS sets the Service-Type attribute to Outbound. Therefore, in the RADIUS configuration you
must also configure an Outbound Service-Type.

Service-Type = Outbound

Note: For information about RADIUS attributes supported on the Cisco 10000 series router, see Appendix A, “RADIUS Attributes” or see the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2. For more information about configuring RADIUS, see your RADIUS user documentation.

Example 5-15 is a RADIUS configuration that allows the LNS to terminate L2TP tunnels from a LAC. In this configuration, VirtualTemplate10 is used to clone a virtual access interface (VAI) on the LNS.

Example 5-15 Configuring RADIUS for LNS Termination of L2TP Tunnels from a LAC

myLACname Password = "cisco"
    Service-Type = Outbound,
    Tunnel-Type = :0:L2TP,
    Tunnel-Medium-Type = :0:IP,
    Tunnel-Client-Auth-ID = :0:"myLACname",
    Tunnel-Password = :0:"mytunnelpassword",
    Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate=10"
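A consistency check for a RADIUS entry laid out like Example 5-15, added here as an illustration and not taken from the Cisco guide. It assumes a users-file style entry; the function names, the L2TP check drawn from Example 5-15, and the rule that the guide's sample secrets must not be reused are assumptions of this example.

```python
import re

# Constructed sample in the layout of Example 5-15 (users-file style is assumed).
SAMPLE = '''myLACname Password = "cisco"
    Service-Type = Outbound,
    Tunnel-Type = :0:L2TP,
    Tunnel-Medium-Type = :0:IP,
    Tunnel-Client-Auth-ID = :0:"myLACname",
    Tunnel-Password = :0:"mytunnelpassword",
    Cisco:Cisco-Avpair = "vpdn:vpdn-vtemplate=10"
'''
PLACEHOLDER_SECRETS = {"cisco", "mytunnelpassword"}  # sample values from Example 5-15

def parse_entry(text):
    """Return (user, {attribute: [values]}) for one entry (hypothetical helper)."""
    lines = [l.strip().rstrip(",") for l in text.splitlines() if l.strip()]
    user, _, first = lines[0].partition(" ")
    attrs = {}
    for item in [first] + lines[1:]:
        name, sep, value = item.partition("=")  # split at the first '=' only
        if not sep:
            continue
        value = re.sub(r"^:\d+:", "", value.strip())  # drop a tunnel tag such as :0:
        attrs.setdefault(name.strip(), []).append(value.strip('"'))
    return user, attrs

def check_entry(text, lns_default_vtemplate=False):
    """List deviations from the requirements stated in this section."""
    user, attrs = parse_entry(text)
    findings = []
    if attrs.get("Service-Type") != ["Outbound"]:
        findings.append("Service-Type must be Outbound")
    if attrs.get("Tunnel-Type") != ["L2TP"]:
        findings.append("Tunnel-Type is not L2TP")
    avpairs = [re.sub(r"\s*=\s*", "=", v) for v in attrs.get("Cisco:Cisco-Avpair", [])]
    if not lns_default_vtemplate and not any(
            re.fullmatch(r"vpdn:vpdn-vtemplate=\d+", v) for v in avpairs):
        findings.append("vpdn-vtemplate missing and no default virtual template on LNS")
    for name in ("Password", "Tunnel-Password"):
        if set(attrs.get(name, [])) & PLACEHOLDER_SECRETS:
            findings.append(f"{name} still uses a documentation sample value")
    return findings
```

Pass `lns_default_vtemplate=True` when the LNS already has `vpdn tunnel authorization virtual-template` configured, since the vpdn-vtemplate attribute is then not required.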

Example 5-16 is an LNS configuration that supports RADIUS tunnel authentication. In this configuration, a RADIUS server group is defined using the aaa group server radius VPDN-Group command. The aaa authorization network mymethodlist group VPDN-Group command queries RADIUS for network authorization.

Example 5-16 Configuring the LNS to Support RADIUS Tunnel Authentication

aaa group server radius VPDN-Group
 server 64.102.48.91 auth-port 1645 acct-port 1646
aaa authorization network mymethodlist group VPDN-Group
vpdn tunnel authorization network mymethodlist
vpdn tunnel authorization virtual-template 10
