In a virtual private dialup network (VPDN) that uses remote AAA, when a user dials in, the access server that receives the call forwards information about the user to its remote AAA server. With basic VPDN, the access server only sends the user's domain name (when performing domain name-based authentication) or the telephone number the user dialed in from (when performing DNIS-based authentication).
The VPDN Per-User Configuration feature sends the entire structured username to the AAA server the first time the router contacts the AAA server. This enables the Cisco IOS software to customize tunnel attributes for individual users who use a common domain name or dialed number identification service (DNIS).
Previously, Cisco IOS sent only the domain name or DNIS to determine VPDN tunnel attribute information. Then, if no VPDN tunnel attributes were returned, Cisco IOS sent the entire username string. Because of this behavior, there was no way to define specific tunnel attributes for a particular user within a domain. It also limited the types of connections that were possible in a RADIUS proxy VPDN roaming environment. All VPDN users were forwarded to the tunnel endpoint, even if they just needed generic Internet access.
The VPDN Per-User Configuration feature adds new flexibility to Cisco IOS VPDN functionality. It enables you to customize tunnel attributes for individual users who use a common domain name or DNIS.
This feature also enables you to specify whether or not a user is forwarded to the tunnel endpoint or given generic Internet access.
The VPDN Per-User Configuration feature only supports RADIUS as the AAA protocol.
This feature is currently not supported for TACACS+.
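The lookup order described above, as an added illustration that is not Cisco IOS code: with basic VPDN the access server consults the AAA server with the domain name or DNIS first and falls back to the whole username only if no tunnel attributes come back, whereas with authen before-forward the whole structured username is tried first. The AAA profile table, the usernames and the rule that a per-user profile with no endpoint means generic Internet access are constructed assumptions of this model.

```python
"""Model of the VPDN tunnel-attribute lookup order with and without
'authen before-forward' (added illustration; not Cisco IOS code)."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class TunnelAttrs:
    endpoint: Optional[str]   # tunnel endpoint IP; None = generic Internet access
    protocol: Optional[str]   # "l2f" or "l2tp"


# Constructed RADIUS-style profiles keyed by the string the NAS sends.
# Sample values only: one domain profile, one DNIS profile, two per-user profiles.
AAA_PROFILES = {
    "philzone.com": TunnelAttrs("10.0.0.1", "l2f"),          # domain-wide tunnel
    "5551234": TunnelAttrs("10.0.0.2", "l2tp"),              # DNIS-based tunnel
    "bob@philzone.com": TunnelAttrs(None, None),             # per-user: Internet only
    "carol@philzone.com": TunnelAttrs("10.0.0.3", "l2tp"),   # per-user: own endpoint
}


def domain_of(username: str) -> Optional[str]:
    """Return the domain part of a structured username (user@domain), if any."""
    _, sep, domain = username.partition("@")
    return domain if sep else None


def lookup_tunnel(username: str, dnis: str, before_forward: bool) -> tuple:
    """Return (key_that_matched, TunnelAttrs), or (None, None) if nothing matched.

    before_forward=False: basic VPDN order (domain/DNIS first, whole username last).
    before_forward=True : 'authen before-forward' order (whole username first).
    A missing per-user profile falls through to the domain/DNIS profile (assumption).
    """
    coarse = [k for k in (domain_of(username), dnis) if k]
    order = [username] + coarse if before_forward else coarse + [username]
    for key in order:
        if key in AAA_PROFILES:
            return key, AAA_PROFILES[key]
    return None, None
```

Without the feature, bob@philzone.com is tunnelled because the domain profile answers first; with it, his per-user profile wins and he gets Internet access only.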
For more information about Cisco VPDN and dialout technologies, see the following documents:
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
L2TP RFC
Perform the following task to configure the VPDN Per-User Configuration feature.
To configure per-user VPDN, use the following commands:
Step | Command | Purpose
---|---|---
1 | Router(config)#vpdn-group group-number | Enters VPDN group configuration mode.
2 | Router(config-vpdn)#request dialin | Enables the router to request dial-in tunnels and enters request dial-in VPDN sub-group configuration mode.
3 | Router(config-vpdn-req-in)#protocol [l2f \| l2tp] | Specifies the protocol that is used for dial-in tunnels.
4 | Router(config-vpdn-req-in)#domain domain-name | Specifies that users with this domain name will be tunnelled. Configure this command for every domain name you want to tunnel.
5 | Router(config-vpdn-req-in)#dnis dialed-number | Specifies that users dialing in from this number will be tunnelled. Configure this command for every number you want to tunnel.
6 | Router(config-vpdn-req-in)#exit | Returns to VPDN group configuration mode.
7 | Router(config-vpdn)#initiate-to ip ip-address | Specifies that this VPDN group will initiate tunnels to this IP address.
8 | Router(config-vpdn)#local name local-name | Specifies the local name that is used to authenticate the tunnel.
9 | Router(config-vpdn)#authen before-forward | Specifies that VPDN sends the entire structured username to the AAA server the first time the router contacts the AAA server.
To verify the VPDN Per-User Configuration feature, use the show vpdn command.
In the following example, the router is configured to send the entire username to the AAA server the first time it contacts the AAA server:
vpdn-group 1
request dialin
protocol l2f
domain philzone.com
initiate-to ip 10.0.0.1
local name unbrokenchain
authen before-forward
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.
To specify that VPDN send the entire structured username to the AAA server the first time the router contacts the AAA server, use the authen before-forward command in VPDN group configuration mode. Use the no form of this command to send just the domain name or DNIS.
authen before-forward
no authen before-forward
This command has no keywords or arguments.
No default behavior or values.
VPDN group configuration mode
Release | Modification
---|---
11.3(9) AA | This command was introduced.
You must enable the request dialin command on the VPDN group before you can use the authen before-forward command.
The following example creates a VPDN group that sends the entire username to the AAA server when a user dials in with a username that has the domain name philzone.com:
vpdn-group 1
request dialin
protocol l2f
domain philzone.com
initiate-to ip 10.0.0.1
local name unbrokenchain
authen before-forward
Command | Description
---|---
request dialin | Enables a router to request either L2F or L2TP tunnels for dial-in.
Posted: Tue Jul 27 14:15:15 PDT 1999
Copyright © 1989-1999 Cisco Systems Inc.