|
The CiscoSecure ACS 2.1 for Windows NT supports authentication forwarding of Virtual Private Dialup Network (VPDN) requests. There are two basic types of "roaming" users: Internet and intranet; VPDN addresses the requirements of roaming intranet users. This chapter provides information about the VPDN process and how it affects the operation of the CiscoSecure ACS.
This section describes the steps for processing VPDN requests in a standard environment.
Step 1 A VPDN user dials in to the NAS. The standard call/PPP setup is done. A username and password are sent to the NAS in the format username@domain (for example, mary@corporation.us). See Figure E-1.
Step 2 If VPDN is enabled, the NAS will assume that the user is a VPDN user. The NAS strips off the "username@" (mary@) portion of the username and authorizes (not authenticates) the domain portion (corporation.us) with the ACS. See Figure E-2.
Step 3 If the domain authorization fails, the NAS assumes the user is not a VPDN user. The NAS then authenticates (not authorizes) the user as if the user is a standard non-VPDN dial user. See Figure E-3.
If the ACS authorizes the domain, it returns the Tunnel ID and the IP address of the home gateway (HG); these are used to create the tunnel. See Figure E-4.
Step 4 The HG uses its ACS to authenticate the tunnel, where the username is the name of the tunnel (nas_tun). See Figure E-5.
Step 5 The HG now authenticates the tunnel with the NAS, where the username is the name of the HG. This name is chosen based on the name of the tunnel, so the HG might have different names depending on the tunnel being set up. See Figure E-6.
Step 6 The NAS now uses its ACS to authenticate the tunnel from the HG. See Figure E-7.
Step 7 After authenticating, the tunnel is established. Now the actual user (mary@corporation.us) must be authenticated. See Figure E-8.
Step 8 The HG now authenticates the user as if the user dialed directly in to the HG. The HG might now challenge the user for a password. The CiscoSecure ACS at the RSP can be configured to strip off the @ and domain before it passes the authentication to the HG. (The user is passed as mary@corporation.us.) The HG uses its ACS to authenticate the user. See Figure E-9.
Step 9 If another user (sue@corporation.us) dials in to the NAS while the tunnel is up, the NAS does not repeat the entire authorization/authentication process. Instead, it passes the user through the existing tunnel to the HG. See Figure E-10.
|