This feature module describes enhancements to the current method of L2TP tunnel service authorization. It includes information on the benefits of the enhancements, supported platforms, related documents, and configuration information.
This document includes the following sections:
These enhancements enable the L2TP access concentrator (LAC) to conduct static or dynamic tunnel service authorization. A static domain name can be configured on the ATM PVC port to override the domain name supplied by the client. If a static domain name is not configured, the LAC conducts dynamic tunnel service authorization, which now includes two steps.
1. Domain Preauthorization--The LAC checks the client-supplied domain name against an authorized list configured on the RADIUS server for each PVC. If successful, the LAC proceeds to tunnel service authorization. If domain preauthorization fails, the LAC attempts PPP authentication/authorization for local termination.
2. Tunnel Service Authorization--The user profile on the RADIUS server provides a list of domains accessible to the user, enabling tunnel service authorization for the client-supplied domain. If successful, the LAC establishes an L2TP tunnel.
Selecting Tunnels by Virtual Connection
Static tunnel service authorization enables all PPP sessions originating from a particular PVC to be sent to the same L2TP tunnel.
Supporting Unstructured Usernames
By configuring static domain names, usernames without domain names can undergo tunnel service authorization.
Preventing Arbitrary Tunnel Creation
Domain preauthorization prevents users from creating tunnels to arbitrary LNSes by simply reconfiguring the domains on the client equipment.
Static tunnel service authorization does not support switched virtual channels (SVCs).
The L2TP Tunnel Service Authorization Enhancements are supported on the node route processor (NRP) of the Cisco 6400 universal access concentrator (UAC).
Standards
None.
MIBs
None.
RFCs
No new or modified RFCs are supported by these feature enhancements.
See the following sections for configuration tasks for the L2TP Tunnel Service Authorization Enhancements.
The static domain name can be configured on the PVC or on the VC class.
To configure the static domain name on the PVC, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)#interface atm 0/0/0[.subinterface-number] | Specifies the ATM interface and optional subinterface. |
| Step 2 | Router(config-subif)#no ip directed-broadcast | Disables forwarding of directed broadcasts. |
| Step 3 | Router(config-subif)#pvc vpi/vci | Configures a PVC on the ATM interface or subinterface. |
| Step 4 | Router(config-if-atm-vc)#encapsulation aal5ciscoppp Virtual-Template number | Sets encapsulation as PPP. Also specifies the virtual template interface to use to clone the new virtual access interface. |
| Step 5 | Router(config-if-atm-vc)#vpn service domain-name | Configures the static domain name on the PVC. |
To configure the static domain name on the VC class, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)#vc-class atm vc-class-name | Creates and names a map class. |
| Step 2 | Router(config-vc-class)#encapsulation aal5mux ppp Virtual-Template number | Sets encapsulation as PPP. Also specifies the virtual template interface to use to clone the new virtual access interface. |
| Step 3 | Router(config-vc-class)#vpn service domain-name | Configures the static domain name on the VC class. |
| Step 4 | Router(config-vc-class)#exit | Returns to global configuration mode. |
| Step 5 | Router(config)#interface atm 0/0/0[.subinterface-number] | Specifies the ATM interface and optional subinterface. |
| Step 6 | Router(config-subif)#class-int vc-class-name | Applies the VC class to all VCs on the ATM interface or subinterface. |
To verify that you successfully configured the static domain name, use the show running-config EXEC command.
To enable the LAC to perform domain authorization before tunneling, enter the following command in global configuration mode:
| Command | Purpose |
|---|---|
| Router(config)#vpdn authorize domain | Enables domain preauthorization. |
To check that you successfully enabled domain preauthorization, use the show running-config EXEC command.
To enable the LAC to communicate properly with the RADIUS server for tunnel service authorization, enter the following commands in global configuration mode:
| Command | Purpose |
|---|---|
| Router(config)#radius-server host {hostname \| ip-address} | Specifies the RADIUS server host. |
| Router(config)#radius-server attribute nas-port format d | Selects the ATM VC extended NAS port format for RADIUS accounting features. |
| Router(config)#radius-server key string | Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. |
| Router(config)#radius-server vsa send authentication | Configures the LAC to recognize and use vendor-specific attributes. |
To check that you successfully configured the LAC to communicate properly with the RADIUS server for tunnel service authorization, use the show running-config EXEC command.
To enable domain preauthorization, use the following configuration in the user profile on the RADIUS server.
| RADIUS Entry | Purpose |
|---|---|
| nas-port:ip-address:slot/subslot/port/vpi.vci | Configures the NAS port username for domain preauthorization. |
| Password = "cisco" | Sets the fixed password. |
| User-Service-Type = Outbound-User | Configures the service-type as outbound. |
| Cisco-AVpair = "vpdn:vpn-domain-list=domain1, domain2,..." | Specifies the domains accessible to the user. |

Syntax Description

| Argument | Description |
|---|---|
| ip-address | Management IP address of the NSP. |
| slot/subslot/port | Specifies the ATM interface. |
| vpi.vci | VPI and VCI values for the PVC. |
| domain | Domain to configure as accessible to the user. |
To verify the RADIUS user profile, refer to the user documentation for your RADIUS server.
To enable tunnel service authorization, use the following configuration in the service profile on the RADIUS server.
| RADIUS Entry | Purpose |
|---|---|
| domain Password = "cisco" | Names the profile after the client-supplied domain and sets the fixed password. |
| User-Service-Type = Outbound-User | Configures the service-type as outbound. |
| Cisco-AVpair = "vpdn:tunnel-id=name" | Specifies the name of the tunnel, which must match the LNS's VPDN terminate-from hostname. |
| Cisco-AVpair = "vpdn:l2tp-tunnel-password=secret" | Specifies the secret (password) for L2TP tunnel authentication. |
| Cisco-AVpair = "vpdn:tunnel-type=l2tp" | Specifies Layer 2 Tunnel Protocol. |
| Cisco-AVpair = "vpdn:ip-addresses=ip-address" | Specifies the IP address of the LNS. |

Syntax Description

| Argument | Description |
|---|---|
| domain | Client-supplied domain. |
| name | Name of the tunnel, which must match the LNS's VPDN terminate-from hostname statement. |
| secret | Secret (password) used for L2TP tunnel authentication. |
| ip-address | IP address of the LNS. |
To verify the RADIUS service profile, refer to the user documentation for your RADIUS server.
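To make the two-step flow from the feature overview and the two RADIUS profiles above concrete, here is an added example (not Cisco code) that simulates the LAC's decision in Python: static domain override, domain preauthorization against the per-PVC vpn-domain-list, then tunnel service authorization from the domain's service profile. The `Pvc` class, the `authorize` function and the in-memory profile dicts are assumptions of this example (a real LAC queries the RADIUS server), and falling back to local PPP termination when no L2TP service profile exists is assumed rather than stated on the page.

```python
from dataclasses import dataclass

# Constructed sample RADIUS data mirroring the page's profiles (stands in for the server).
USER_PROFILES = {  # NAS-port username -> Cisco-AVpairs (domain preauthorization)
    "nas-port:10.9.9.9:0/0/0/30.33": ["vpdn:vpn-domain-list=net1.com, net2.com"],
}
SERVICE_PROFILES = {  # domain -> Cisco-AVpairs (tunnel service authorization)
    "net1.com": ["vpdn:tunnel-id=LAC-1", "vpdn:l2tp-tunnel-password=MySecret",
                 "vpdn:tunnel-type=l2tp", "vpdn:ip-addresses=10.10.10.10"],
}


def avpairs(pairs):
    """Turn 'vpdn:key=value' Cisco-AVpair strings into a {key: value} dict."""
    out = {}
    for pair in pairs:
        key, _, value = pair.partition("=")
        out[key.split(":", 1)[-1]] = value
    return out


@dataclass
class Pvc:
    nsp_ip: str               # management IP address of the NSP
    intf: str                 # slot/subslot/port, e.g. "0/0/0"
    vpi: int
    vci: int
    static_domain: str = ""   # set by 'vpn service <domain>' on the PVC, if any

    def nas_port_username(self):
        return f"nas-port:{self.nsp_ip}:{self.intf}/{self.vpi}.{self.vci}"


def authorize(pvc, username):
    """Return the LAC's decision for a PPP session arriving on pvc."""
    if pvc.static_domain:
        domain = pvc.static_domain       # static name overrides the client's domain
    else:
        if "@" not in username:          # unstructured username: no domain to check
            return {"action": "local-ppp", "reason": "no domain in username"}
        domain = username.rsplit("@", 1)[1]
        # Step 1: domain preauthorization against this PVC's authorized list.
        allowed = avpairs(USER_PROFILES.get(pvc.nas_port_username(), []))
        if domain not in [d.strip() for d in allowed.get("vpn-domain-list", "").split(",")]:
            return {"action": "local-ppp", "reason": "domain preauthorization failed"}
    # Step 2: tunnel service authorization from the domain's service profile.
    svc = avpairs(SERVICE_PROFILES.get(domain, []))
    if svc.get("tunnel-type") != "l2tp":  # assumed: no L2TP profile -> local PPP
        return {"action": "local-ppp", "reason": "no L2TP service profile"}
    return {"action": "l2tp", "domain": domain, "lns": svc["ip-addresses"],
            "tunnel-id": svc["tunnel-id"]}
```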
This section provides the following configuration examples:
The following example shows the static domain names "net1.com" and "net2.com" assigned to PVCs on an ATM interface. All PPP sessions originating from PVC 30/33 are sent to the "net1.com" L2TP tunnel, while all PPP sessions originating from PVC 30/34 are sent to the "net2.com" tunnel.
!
interface ATM 0/0/0.33 multipoint
 pvc 30/33
  encapsulation aal5ciscoppp Virtual-Template1
  vpn service net1.com
 !
 pvc 30/34
  encapsulation aal5ciscoppp Virtual-Template1
  vpn service net2.com
!
In the following example, the static domain name "net.com" is assigned to a VC class. The VC class is then assigned to the VCs on an ATM subinterface.
!
vc-class ATM MyClass
 encapsulation aal5ciscoppp Virtual-Template1
 vpn service net.com
!
interface ATM 0/0/0.99 multipoint
 class-int MyClass
 no ip directed-broadcast
 pvc 20/40
 pvc 30/33
!
The following example shows the configuration necessary for the LAC to participate in domain preauthorization:
!
aaa new-model
aaa authorization network default local group radius
!
vpdn authorize domain
!
radius-server host 10.9.9.9 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
radius-server key MyKey
radius-server vsa send authentication
!
The following example shows a domain preauthorization RADIUS user profile:
user = nas-port:10.9.9.9:0/0/0/30.33{
profile_id = 826
profile_cycle = 1
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
9,1="vpdn:vpn-domain-list=net1.com,net2.com"
6=5
}
}
}
The following example shows the configuration necessary for the LAC to participate in tunnel service authorization:
!
aaa new-model
aaa authorization network default local group radius
!
radius-server host 10.9.9.9 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
radius-server key MyKey
radius-server vsa send authentication
!
The following example shows a tunnel service authorization RADIUS service profile:
user = net1.com{
profile_id = 45
profile_cycle = 18
member = me
radius=Cisco {
check_items= {
2=cisco
}
reply_attributes= {
9,1="vpdn:tunnel-id=LAC-1"
9,1="vpdn:l2tp-tunnel-password=MySecret"
9,1="vpdn:tunnel-type=l2tp"
9,1="vpdn:ip-addresses=10.10.10.10"
6=5
}
}
}
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
To enable domain preauthorization on a NAS, use the vpdn authorize domain global configuration command. To disable domain preauthorization, use the no form of this command.
vpdn authorize domain
Syntax Description
This command has no arguments or keywords.
Defaults
Domain preauthorization is disabled by default.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.1(1) DC1 | This command was introduced on the Cisco 6400 NRP. |
Examples
The following example enables domain preauthorization:
vpdn authorize domain
To configure a static domain name, use the vpn service ATM VC or VC class configuration command. To remove a static domain name, use the no form of this command.
vpn service domain-name
Syntax Description
domain-name Static domain name.
Defaults
No default behavior or values.
Command Modes
ATM VC or VC class
Command History
| Release | Modification |
|---|---|
| 12.1(1) DC1 | This command was introduced on the Cisco 6400 NRP. |
Examples
The following example configures the static domain name of net.com:
vpn service net.com
L2TP--Layer 2 Tunnel Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides an industry-wide interoperable method of implementing VPDN.
LAC--L2TP Access Concentrator. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP network server (LNS). The LAC sits between an LNS and a remote system and forwards packets to and from each. Packets sent from the LAC to the LNS require tunneling with the L2TP protocol as defined in RFC 2661. The connection from the LAC to the remote system is either local or a PPP link.
LNS--L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. Analogous to the Layer 2 Forwarding (L2F) home gateway (HGW).
NAS--Network access server. A device providing local network access to users across a remote access network such as the PSTN. A NAS can also serve as a LAC, LNS, or both.
RADIUS--Remote Access Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.
VC--Virtual channel. Logical circuit created to ensure reliable communication between two network devices. A VC is defined by a VPI/VCI pair, and can be either permanent (PVC) or switched (SVC).
Posted: Fri Aug 4 17:35:31 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.