
Table of Contents

VPDN Per-User Configuration

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Configuration Example

Command Reference

VPDN Per-User Configuration

This document includes the following sections:

Feature Overview

In a virtual private dialup network (VPDN) that uses remote AAA, when a user dials in, the access server that receives the call forwards information about the user to its remote AAA server. With basic VPDN, the access server only sends the user's domain name (when performing domain name-based authentication) or the telephone number the user dialed in from (when performing DNIS-based authentication).

The VPDN Per-User Configuration feature sends the entire structured username to the AAA server the first time the router contacts the AAA server. This enables the Cisco IOS software to customize tunnel attributes for individual users who use a common domain name or dialed number identification service (DNIS).

Previously, Cisco IOS sent only the domain name or DNIS to determine VPDN tunnel attribute information. Then, if no VPDN tunnel attributes were returned, Cisco IOS sent the entire username string. Because of this behavior, there was no way to define specific tunnel attributes for a particular user within a domain. It also limited the types of connections that were possible in a RADIUS proxy VPDN roaming environment. All VPDN users were forwarded to the tunnel endpoint, even if they just needed generic Internet access.
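The two AAA lookup orders described above (basic VPDN versus VPDN Per-User Configuration) can be modelled with a small simulation. The following Python is an added example, not Cisco code or anything from this document: it stands in a toy RADIUS database for the remote AAA server, and the names AAA_DB, TunnelAttrs, decide_legacy and decide_before_forward, as well as every username, domain, DNIS and address in it, are constructed for illustration. The one behaviour the page does not describe, what happens with authen before-forward when the server holds no per-user record, is an assumption of the model and is marked as such in the code.

```python
"""Toy model of VPDN tunnel-attribute lookup at a remote AAA (RADIUS) server.

Constructed example (not Cisco code). The AAA server is a dict keyed by the
identifier the access server sends: a bare domain, a DNIS number, or the full
structured username. A value of None means "no tunnel attributes: give this
user generic Internet access instead of forwarding to the tunnel endpoint".
"""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TunnelAttrs:
    protocol: str    # "l2f" or "l2tp"
    endpoint: str    # tunnel endpoint IP address (initiate-to)
    local_name: str  # name used to authenticate the tunnel (local name)


# Constructed AAA database; every value here is made up for the example.
AAA_DB = {
    "philzone.com": TunnelAttrs("l2f", "10.0.0.1", "unbrokenchain"),   # domain
    "5551234": TunnelAttrs("l2tp", "10.0.0.2", "unbrokenchain"),       # DNIS
    "alice@philzone.com": TunnelAttrs("l2tp", "10.0.0.3", "alice-tunnel"),
    "bob@philzone.com": None,   # per-user: generic Internet access, no tunnel
}

Decision = Tuple[str, Optional[TunnelAttrs]]   # ("tunnel", attrs) or ("local", None)


def aaa_lookup(key: str) -> Tuple[bool, Optional[TunnelAttrs]]:
    """Return (record_exists, attrs). A missing key is "no record at all"."""
    return (True, AAA_DB[key]) if key in AAA_DB else (False, None)


def split_username(username: str) -> Tuple[str, str]:
    """Split a structured username 'user@domain' into (user, domain)."""
    user, sep, domain = username.rpartition("@")
    return (user, domain) if sep else (username, "")


def decide_legacy(username: str, dnis: Optional[str] = None) -> Decision:
    """Basic VPDN order: send only the domain (or DNIS) first; send the
    entire username only if no tunnel attributes came back."""
    _, domain = split_username(username)
    found, attrs = aaa_lookup(dnis if dnis else domain)
    if found and attrs is not None:
        return "tunnel", attrs          # every user of the domain is tunnelled
    found, attrs = aaa_lookup(username)
    if found and attrs is not None:
        return "tunnel", attrs
    return "local", None


def decide_before_forward(username: str, dnis: Optional[str] = None) -> Decision:
    """authen before-forward order: the entire structured username is sent
    on the first AAA contact, so a per-user record decides (tunnel or not).
    ASSUMPTION of this model only: with no per-user record the domain/DNIS
    record is consulted next; the document does not describe that fallback."""
    found, attrs = aaa_lookup(username)
    if found:
        return ("tunnel", attrs) if attrs is not None else ("local", None)
    _, domain = split_username(username)
    found, attrs = aaa_lookup(dnis if dnis else domain)
    if found and attrs is not None:
        return "tunnel", attrs
    return "local", None


if __name__ == "__main__":
    for user in ("alice@philzone.com", "bob@philzone.com", "carol@example.net"):
        print(f"{user:22} legacy={decide_legacy(user)}  "
              f"before-forward={decide_before_forward(user)}")
```

Running the script shows the difference the document describes: under the legacy order both alice and bob are forwarded to the philzone.com tunnel at 10.0.0.1 because only the domain is ever consulted, whereas with authen before-forward alice gets her own tunnel attributes and bob gets generic Internet access. For operators, the practical side effect is that the AAA server now sees the full username on the first request, so per-user accounting and access logs become possible at that point.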

Benefits

The VPDN Per-User Configuration feature adds new flexibility to Cisco IOS VPDN functionality. It enables you to customize tunnel attributes for individual users who use a common domain name or DNIS.

This feature also enables you to specify whether or not a user is forwarded to the tunnel endpoint or given generic Internet access.

Restrictions

The VPDN Per-User Configuration feature only supports RADIUS as the AAA protocol.

This feature is currently not supported for TACACS+.

Related Documents

For more information about Cisco VPDN and dialout technologies, see the following documents:

Supported Platforms

Supported Standards, MIBs, and RFCs

MIBs

For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

L2TP RFC

Standards

Configuration Tasks

Perform the following task to configure the VPDN Per-User Configuration feature.

Configuring Per-User VPDN

To configure per-user VPDN, use the following commands:

Step 1
  Command: Router(config)# vpdn-group group-number
  Purpose: Enters VPDN group configuration mode.

Step 2
  Command: Router(config-vpdn)# request dialin
  Purpose: Enables the router to request dial-in tunnels and enters request dial-in VPDN sub-group configuration mode.

Step 3
  Command: Router(config-vpdn-req-in)# protocol [l2f | l2tp]
  Purpose: Specifies the protocol that is used for dial-in tunnels.

Step 4
  Command: Router(config-vpdn-req-in)# domain domain-name
  Purpose: Specifies that users with this domain name will be tunnelled. Configure this command for every domain name you want to tunnel.

  Command: Router(config-vpdn-req-in)# dnis dialed-number
  Purpose: Specifies that users dialing in from this number will be tunnelled. Configure this command for every number you want to tunnel.

Step 5
  Command: Router(config-vpdn-req-in)# exit
  Purpose: Returns to VPDN group configuration mode.

Step 6
  Command: Router(config-vpdn)# initiate-to ip-address
  Purpose: Specifies that this VPDN group will initiate tunnels to this IP address.

Step 7
  Command: Router(config-vpdn)# local name name
  Purpose: Specifies the local name that is used to authenticate the tunnel.

Step 8
  Command: Router(config-vpdn)# authen before-forward
  Purpose: Specifies that VPDN sends the entire structured username to the AAA server the first time the router contacts the AAA server.

Verifying Per-User VPDN

To verify the VPDN Per-User Configuration feature, use the show vpdn command.

Configuration Example

In the following example, the router is configured to send the entire username to the AAA server the first time it contacts the AAA server:

vpdn-group 1
 request dialin
  protocol l2f
  domain philzone.com
 initiate-to ip 10.0.0.1
 local name unbrokenchain
 authen before-forward

Command Reference

This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.

authen before-forward

To specify that VPDN send the entire structured username to the AAA server the first time the router contacts the AAA server, use the authen before-forward command in VPDN group configuration mode. Use the no form of this command to send just the domain name or DNIS.

authen before-forward
no authen before-forward

Syntax Description

This command has no keywords or arguments.

Defaults

No default behavior or values.

Command Modes

VPDN group mode

Command History

Release      Modification
11.3(9) AA   This command was introduced.

Usage Guidelines

You must enable the request dialin command on the VPDN group before you can use the authen before-forward command.

Examples

The following example creates a VPDN group that sends the entire username to the AAA server when a user dials in with a username that has the domain name philzone.com:

vpdn-group 1
 request dialin
  protocol l2f
  domain philzone.com
 initiate-to ip 10.0.0.1
 local name unbrokenchain
 authen before-forward

Related Commands

Command          Description
request dialin   Enables a router to request either L2F or L2TP tunnels for dial-in.


Posted: Tue Jul 27 14:15:15 PDT 1999
Copyright © 1989-1999 Cisco Systems Inc.