
Table of Contents

RADIUS Tunnel Attributes

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuration Examples

Command Reference

Glossary

RADIUS Tunnel Attributes

Feature Overview

RADIUS is a security server authentication, authorization, and accounting (AAA) protocol originally developed by Livingston, Inc. RADIUS uses attribute value (AV) pairs to communicate information between the security server and the network access server. RFC 2058 describes the basic functionality of RADIUS and the original set of Internet Engineering Task Force (IETF)-standard AV pairs used to send AAA information. RFC 2138 and RFC 2139 extend the IETF-defined set of AV pairs to include attributes specific to virtual private dial-up networks (VPDNs)---tunnel attributes used to carry the tunneling information between the RADIUS server and the tunnel initiator.

In the past, Cisco routers and access servers have only been able to support VPDN tunnel attributes by using extensions to the Cisco vendor-specific Attribute 26. This feature enables Cisco routers and access servers to support the new RADIUS IETF-standard VPDN tunnel attributes. These new standard RADIUS attributes (and the corresponding TACACS+ AV pairs) are listed in Table 1.


Table 1: RADIUS Tunnel Attributes
(Columns: Number; IETF RADIUS Tunnel Attribute; Equivalent TACACS+ Attributes; Description)

64  Tunnel-Type  (TACACS+: tunnel-type)
    Indicates the tunneling protocol(s) used. There are two possible values for this attribute: L2TP and L2F. If this attribute is not set, L2F is used as the default.

65  Tunnel-Medium-Type  (TACACS+: tunnel-medium-type)
    Indicates the transport medium type to use when creating a tunnel. This attribute has only one available value in this release: IP. If no value is set for this attribute, IP is used as the default.

67  Tunnel-Server-Endpoint  (TACACS+: ip-address, X25-address, frame-relay)
    Indicates the address of the server end of the tunnel. This attribute is converted into different AAA attributes based on the value of Tunnel-Medium-Type: AAA_ATTR_ip_addresses, AAA_ATTR_x25_addresses, and AAA_ATTR_frame_relay. Because this release supports only IP as a tunnel medium type, the IP address or the host name of the LNS is the only valid value for this attribute.

69  Tunnel-Password  (TACACS+: l2tp-tunnel-password; nas-password (L2F only); gw-password (L2F only))
    Defines the password to be used to authenticate to a remote server. This attribute is converted into different AAA attributes based on the value of Tunnel-Type: AAA_ATTR_l2tp_tunnel_pw (L2TP), AAA_ATTR_nas_password (L2F), and AAA_ATTR_gw_password (L2F).

82  Tunnel-Assignment-ID  (TACACS+: tunnel-id)
    Indicates to the tunnel initiator the particular tunnel to which a session is assigned.

Benefits

RADIUS tunnel attributes enable Cisco network access servers to support VPDN using IETF-standard attributes, which provides more interoperability with other devices in a multivendor network. These attributes can also be used with a variety of tunnel types (including L2TP, L2F, PPTP, GRE, and IPSec), providing a standard way for Internet service providers (ISPs) to configure tunnel parameters on AAA servers.

Restrictions

RADIUS tunnel attributes use a new attribute format, as defined in draft-ietf-radius-tunnel-auth-06. The new attribute format contains an additional field---a Tag field. Your RADIUS server must support tagged attributes to use RADIUS tunnel attributes. If you define tunnel attributes in the VPDN user profile and your RADIUS server does not support tagged attributes, false Access-Accept packets could be sent to the network access server, causing authorization failure.
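As an added illustration of the tagged attribute format and of the conversion rules in Table 1 (example code written for this page, not Cisco IOS code), the Python below parses tagged tunnel attributes in the draft-ietf-radius-tunnel-auth format (published as RFC 2868) from a constructed RADIUS attribute buffer, groups them by Tag, recovers Tunnel-Password with the salted MD5 scheme that document specifies, and applies the Table 1 mapping to the AAA attribute names the table lists. The shared secret "cisco", the Request Authenticator bytes, the Salt value and the encoded profile values are constructed for the example; the numeric codes (PPTP = 1, L2F = 2, L2TP = 3, GRE = 10, IP = 1) are the RFC 2868 assignments. Only the IP medium is handled, as in this release.

```python
"""Added example: parse tagged RADIUS tunnel attributes and apply the Table 1
conversion rules. Sample bytes, secret and Request Authenticator are constructed."""
import hashlib

# Attribute numbers from Table 1
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
TUNNEL_SERVER_ENDPOINT, TUNNEL_PASSWORD, TUNNEL_ASSIGNMENT_ID = 67, 69, 82
# Integer codes assigned by RFC 2868 (draft-ietf-radius-tunnel-auth) for the
# tunnel types this page names; IP (IPv4) is the only medium this release supports
TUNNEL_TYPES = {1: "PPTP", 2: "L2F", 3: "L2TP", 10: "GRE"}
MEDIUM_TYPES = {1: "IP"}


def split_attributes(payload):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % off)
        typ, length = payload[off], payload[off + 1]
        if length < 2 or off + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % off)
        yield typ, payload[off + 2:off + length]
        off += length


def split_tag(value, string_attr):
    """Return (tag, rest). For string attributes a first octet above 0x1F is
    not a Tag but the first byte of the string, i.e. an untagged attribute."""
    if string_attr and value[0] > 0x1F:
        return None, value
    return value[0], value[1:]


def encrypt_tunnel_password(password, salt, secret, req_auth):
    """RFC 2868 Tunnel-Password protection: length octet + password, padded to
    16-octet blocks, XORed with an MD5 chain keyed by the shared secret."""
    p = bytes([len(password)]) + password
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", secret + req_auth + salt
    for i in range(0, len(p), 16):
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(prev).digest()))
        out, prev = out + c, secret + c
    return salt + out


def decrypt_tunnel_password(enc, secret, req_auth):
    """Inverse of encrypt_tunnel_password; enc is Salt(2) + ciphertext."""
    salt, cipher = enc[:2], enc[2:]
    plain, prev = b"", secret + req_auth + salt
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(c, hashlib.md5(prev).digest()))
        prev = secret + c
    return plain[1:1 + plain[0]]  # first octet carries the password length


def to_aaa_attributes(attrs, secret, req_auth):
    """Group tunnel attributes by Tag and convert each group as Table 1 describes."""
    tunnels = {}  # tag -> {attribute number: decoded value}
    for typ, val in attrs:
        if typ in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, v = split_tag(val, False)
            tunnels.setdefault(tag, {})[typ] = int.from_bytes(v, "big")
        elif typ in (TUNNEL_SERVER_ENDPOINT, TUNNEL_ASSIGNMENT_ID):
            tag, v = split_tag(val, True)
            tunnels.setdefault(tag, {})[typ] = v.decode()
        elif typ == TUNNEL_PASSWORD:  # always carries a Tag octet; 0x00 means unused
            tag, v = split_tag(val, False)
            tunnels.setdefault(tag, {})[typ] = decrypt_tunnel_password(v, secret, req_auth).decode()
    result = {}
    for tag, a in tunnels.items():
        ttype = TUNNEL_TYPES.get(a.get(TUNNEL_TYPE, 2))          # Table 1 default: L2F
        medium = MEDIUM_TYPES.get(a.get(TUNNEL_MEDIUM_TYPE, 1))  # Table 1 default: IP
        if ttype not in ("L2TP", "L2F") or medium != "IP":
            raise ValueError("tag %s: %s over %s is not supported" % (tag, ttype, medium))
        conv = {"tunnel-type": ttype, "tunnel-medium-type": medium}
        if TUNNEL_SERVER_ENDPOINT in a:  # medium is IP, so the IP-address form applies
            conv["AAA_ATTR_ip_addresses"] = a[TUNNEL_SERVER_ENDPOINT]
        if TUNNEL_PASSWORD in a:
            if ttype == "L2TP":
                conv["AAA_ATTR_l2tp_tunnel_pw"] = a[TUNNEL_PASSWORD]
            else:
                conv["AAA_ATTR_nas_password"] = conv["AAA_ATTR_gw_password"] = a[TUNNEL_PASSWORD]
        if TUNNEL_ASSIGNMENT_ID in a:
            conv["tunnel-id"] = a[TUNNEL_ASSIGNMENT_ID]
        result[tag] = conv
    return result


def build_sample(secret, req_auth):
    """Encode the profile from the RADIUS Server example under Tag 1 (constructed)."""
    def attr(typ, body):
        return bytes([typ, len(body) + 2]) + body
    return b"".join([
        attr(TUNNEL_TYPE, b"\x01" + (3).to_bytes(3, "big")),         # :1:L2TP
        attr(TUNNEL_MEDIUM_TYPE, b"\x01" + (1).to_bytes(3, "big")),  # :1:IP
        attr(TUNNEL_SERVER_ENDPOINT, b"\x01" + b"10.0.0.1"),
        attr(TUNNEL_PASSWORD, b"\x01" + encrypt_tunnel_password(
            b"welcome", b"\x80\x2a", secret, req_auth)),            # Salt has its high bit set
        attr(TUNNEL_ASSIGNMENT_ID, b"\x01" + b"nas"),
    ])


if __name__ == "__main__":
    secret, req_auth = b"cisco", bytes(range(16))  # constructed; key matches "radius-server key cisco"
    attrs = list(split_attributes(build_sample(secret, req_auth)))
    print(to_aaa_attributes(attrs, secret, req_auth))
```

The Tag handling is the point of the Restrictions paragraph: a server that emits these attributes without the Tag octet produces a string whose first byte is above 0x1F and is therefore read as untagged, while an integer attribute sent without the Tag octet is simply one byte short and will not decode to the value intended, which is the kind of mismatch that leads to the authorization failure described above.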

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Standards
MIBs

No new or modified MIBs are supported by this feature.

For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

Prerequisites

To use RADIUS tunnel attributes, the following prerequisite tasks must be completed:

Configuration Tasks

None

Configuration Examples

L2TP Access Concentrator (LAC)

The following is a basic L2TP configuration for the LAC in the topology shown in Figure 1. No local name is defined, so the host name is used as the local name. Because no L2TP tunnel password is defined, the username password is used. In this example, VPDN is configured locally on the LAC and does not take advantage of the new RADIUS tunnel attributes.


Figure 1: Topology Configuration for Configuration Examples
! Enable AAA globally
aaa new-model
! Enable AAA authentication for PPP and list the default method to use for PPP authentication
aaa authentication ppp default local
! Define the username as "DJ"
username DJ password 7 030C5E070A00781B
! Enable VPDN
vpdn enable
! Define VPDN group number 1
vpdn-group 1
! Allow the LAC to respond to dialin requests using L2TP from IP address 172.21.9.13 for domain "cisco.com"
 request dialin l2tp ip 172.21.9.13 domain cisco.com

The following example shows how to configure the LAC if RADIUS tunnel attributes are supported. In this example, there is no local VPDN configuration on the LAC; the LAC instead is configured to query the remote RADIUS security server.

! Enable global AAA security services
aaa new-model
! Enable AAA authentication for PPP and list RADIUS as the default method to use for PPP authentication (local as fallback)
aaa authentication ppp default radius local
! Enable AAA (network) authorization and list RADIUS as the default method to use for authorization
aaa authorization network default radius
! Define the username as "DJ"
username DJ password 7 030C5E070A00781B
! Enable VPDN
vpdn enable
! Configure the LAC to interface with the remote RADIUS security server
radius-server host 171.69.1.1 auth-port 1645 acct-port 1646
radius-server key cisco

L2TP Network Server (LNS)

The following is a basic L2TP configuration for the LNS, with comments, for the topology shown in Figure 1.

! Enable AAA globally
aaa new-model
! Enable AAA authentication for PPP and list the default method to use for PPP authentication
aaa authentication ppp default local
! Define the username as "partner"
username partner password 7 030C5E070A00781B
! Create virtual-template 1 and assign all values for virtual access interfaces
interface Virtual-Template1
! Borrow the IP address from interface Ethernet0
 ip unnumbered Ethernet0
! Disable multicast fast switching
 no ip mroute-cache
! Use CHAP to authenticate PPP
 ppp authentication chap
! Enable VPDN
vpdn enable
! Create vpdn-group number 1
vpdn-group 1
! Accept all dialin L2TP tunnels from remote peer DJ, using virtual-template 1
 accept dialin l2tp virtual-template 1 remote DJ

RADIUS Server

The following is an example of a RADIUS user profile (Merit Daemon format) that includes RADIUS tunneling attributes:

domain.com  Password="cisco" Service-Type=Outbound
    Tunnel-Type = :1:L2TP
    Tunnel-Medium-Type = :1:IP
    Tunnel-Server-Endpoint = :1:10.0.0.1
    Tunnel-Password = :1:"welcome"
    Tunnel-Assignment-ID = :1:"nas"

Command Reference

No new IOS commands were added or modified for this feature.

Glossary

Layer 2 Tunnel Protocol (L2TP)---A Layer 2 tunneling protocol that is an extension to the PPP protocol used for Virtual Private Networks (VPNs). L2TP merges the best features of two existing tunneling protocols: PPTP from Microsoft and L2F from Cisco. It is the emerging IETF standard, currently being drafted by participants from Ascend, Cisco Systems, Copper Mountain Networks, IBM, Microsoft, and 3Com.

L2TP access concentrator (LAC)---An L2TP device that the client directly connects to and whereby PPP frames are tunneled to the L2TP network server (LNS). The LAC needs only implement the media over which L2TP is to operate to pass traffic to one or more LNS. It can tunnel any protocol carried within PPP. The LAC is the initiator of incoming calls and the receiver of outgoing calls. Analogous to the Layer 2 Forwarding (L2F) network access server.

L2TP network server (LNS)---Termination point for L2TP tunnel and access point where PPP frames are processed and passed to higher layer protocols. An LNS operates on any platform capable of PPP termination. The LNS handles the server side of the L2TP protocol. L2TP relies only on the single medium over which L2TP tunnels arrive. The LNS may have a single LAN or WAN interface, yet still be able to terminate calls arriving at any of the L2TP access concentrator's (LAC's) full range of PPP interfaces (for example, asynchronous, synchronous, ISDN, or V.120). The LNS is the initiator of outgoing calls and the receiver of incoming calls. Analogous to the Layer 2 Forwarding (L2F) home gateway (HGW).

tunnel---A virtual pipe between the L2TP access concentrator (LAC) and L2TP network server (LNS) that can carry multiple PPP sessions.

Virtual Private Dial-up Network (VPDN)---A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPDNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the L2TP network server (LNS), instead of the L2TP access concentrator (LAC).


Posted: Thu Jul 29 10:53:01 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.