pptp + vpdn-group from radius

danail-petrov
Level 1

Hi there,

I'm trying to set up a Cisco router to act as a PPTP concentrator. On this router, I intend to terminate two kinds of PPTP connections:

- to core

- to colleagues

For this reason, I need to set up two vpdn-groups, because I need a different local IP address for my CORE devices than for the VPN clients (colleagues). My configuration is attached below:

[snipped from running-config]
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius if-authenticated
!
vpdn enable
vpdn authen-before-forward
vpdn tunnel authorization network default
!
vpdn-group clients
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 session-limit 50
 local name VPN-Router
!
vpdn-group core
 accept-dialin
  protocol pptp
  virtual-template 2
 session-limit 5
 local name border
!
interface Virtual-Template1
 description PPTP Clients interface
 ip address 192.168.25.100 255.255.255.0
 ip mtu 1460
 compress lzs
 ppp encrypt mppe auto
 ppp authentication chap ms-chap ms-chap-v2
!
interface Virtual-Template2
 ip address 10.0.0.1 255.255.255.240
 description Core devices
 ip mtu 1460
 load-interval 30
 compress mppc
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
[/snip]

To distinguish who is a VPN client and which PPTP session needs to be treated as a core link, I'm trying to set up Cisco AVPairs with RADIUS like this:

border#test aaa group radius username password legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

Apr 12 2007 22:17:32.971 EEST: RADIUS: Pick NAS IP for u=0x43FE4A2C tableid=0 cfg_addr=radius.server.tld
Apr 12 2007 22:17:32.971 EEST: RADIUS: ustruct sharecount=1
Apr 12 2007 22:17:32.971 EEST: Radius: radius_port_info() success=0 radius_nas_port=1
Apr 12 2007 22:17:32.971 EEST: RADIUS(00000000): Send Access-Request to radius.server.tld:1812 id 1645/41, len 56
Apr 12 2007 22:17:32.971 EEST: RADIUS: authenticator 76 BC 13 6F 4B FC 5F 42 - 12 D1 E2 2F CE 47 A4 4F
Apr 12 2007 22:17:32.971 EEST: RADIUS: NAS-IP-Address [4] 6 my-router.ip.tld
Apr 12 2007 22:17:32.971 EEST: RADIUS: NAS-Port-Type [61] 6 Async [0]
Apr 12 2007 22:17:32.971 EEST: RADIUS: User-Name [1] 6 "main"
Apr 12 2007 22:17:32.971 EEST: RADIUS: User-Password [2] 18 *
Apr 12 2007 22:17:32.983 EEST: RADIUS: Received from id 1645/41 radius.server.tld:1812, Access-Accept, len 67
Apr 12 2007 22:17:32.983 EEST: RADIUS: authenticator 16 10 FD 06 97 57 32 35 - 16 B0 B8 E7 5A E3 4A BD
Apr 12 2007 22:17:32.983 EEST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Apr 12 2007 22:17:32.983 EEST: RADIUS: Framed-IP-Address [8] 6 10.0.0.13
Apr 12 2007 22:17:32.983 EEST: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.240
Apr 12 2007 22:17:32.983 EEST: RADIUS: Framed-MTU [12] 6 1460
Apr 12 2007 22:17:32.983 EEST: RADIUS: Vendor, Cisco [26] 23
Apr 12 2007 22:17:32.983 EEST: RADIUS: Cisco AVpair [1] 17 "vpdn:vpdn-group=core"
Apr 12 2007 22:17:32.983 EEST: RADIUS: saved authorization data for user 43FE4A2C at 440F71DC

So... as you can see, there is a Cisco AVPair, but my router didn't use it. The router still uses the first available vpdn-group (clients) and uses the Virtual-Template1 interface for this connection. Does anyone know why? I need to set up my router to read the AVPairs from the RADIUS reply message. Is it possible to do that at all?

Here is the RADIUS Access-Accept message sent to the router:

Sending Access-Accept of id 43 to radius.server.tld:1645
Framed-Protocol = PPP
Framed-IP-Address = 10.0.0.13
Framed-IP-Netmask = 255.255.255.240
Framed-MTU = 1460
Cisco-AVPair = "vpdn:vpdn-group=core"

Thanks in advance!
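The Access-Accept from the post, built on the wire and decoded again the way a NAS has to, as an added example that is not part of the original post and not Cisco's code. It shows the Vendor-Specific framing that carries "vpdn:vpdn-group=core" (type 26, vendor-id 9, vendor-type 1 = Cisco-AVPair) and, before any attribute is trusted, checks the Response Authenticator against the shared secret, because RFC 2865 requires a reply that fails that check to be discarded. The shared secret is a constructed value; the Request Authenticator is copied from the Access-Request line of the debug output above; the attribute values are the ones the post shows.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT = 2
FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, FRAMED_MTU = 7, 8, 9, 12
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor-type of Cisco-AVPair

# Constructed shared secret for the example; a real one is per-NAS and never hard-coded.
SHARED_SECRET = b"example-secret"
# Request Authenticator copied from the Access-Request line of the post's debug output.
REQUEST_AUTHENTICATOR = bytes.fromhex("76BC136F4BFC5F4212D1E22FCE47A44F")


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute: 26 | len | vendor-id 9 | vendor-type 1 | vendor-len | text."""
    inner = _avp(CISCO_AVPAIR, text.encode("ascii"))
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: the Access-Accept from the post, with a valid Response Authenticator."""
    attrs = b"".join([
        _avp(FRAMED_PROTOCOL, struct.pack("!I", 1)),                  # PPP
        _avp(FRAMED_IP_ADDRESS, socket.inet_aton("10.0.0.13")),
        _avp(FRAMED_IP_NETMASK, socket.inet_aton("255.255.255.240")),
        _avp(FRAMED_MTU, struct.pack("!I", 1460)),
        cisco_avpair("vpdn:vpdn-group=core"),
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """NAS side: verify the reply against the shared secret, then decode its attributes."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        # RFC 2865: a reply with a bad authenticator must be silently discarded
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    decoded = {"Cisco-AVPair": []}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == FRAMED_PROTOCOL:
            decoded["Framed-Protocol"] = struct.unpack("!I", value)[0]
        elif attr_type == FRAMED_IP_ADDRESS:
            decoded["Framed-IP-Address"] = socket.inet_ntoa(value)
        elif attr_type == FRAMED_IP_NETMASK:
            decoded["Framed-IP-Netmask"] = socket.inet_ntoa(value)
        elif attr_type == FRAMED_MTU:
            decoded["Framed-MTU"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 4:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos + 2 <= len(sub):
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad vendor sub-attribute length")
                if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    decoded["Cisco-AVPair"].append(sub[spos + 2:spos + vlen].decode("ascii"))
                spos += vlen
    return decoded


def vpdn_group_from_accept(decoded: dict):
    """Pick out the group name carried in a 'vpdn:vpdn-group=<name>' AVPair, if any."""
    for pair in decoded.get("Cisco-AVPair", []):
        if pair.startswith("vpdn:vpdn-group="):
            return pair.split("=", 1)[1]
    return None


if __name__ == "__main__":
    pkt = build_access_accept(43, REQUEST_AUTHENTICATOR, SHARED_SECRET)
    decoded = parse_access_accept(pkt, REQUEST_AUTHENTICATOR, SHARED_SECRET)
    print(pkt.hex())
    print(decoded, "->", vpdn_group_from_accept(decoded))
```

Running it prints the packet bytes and the decoded attribute dictionary; with a wrong secret or any byte of the packet changed, parse_access_accept refuses the reply instead of decoding it, which is the behaviour a NAS must have, since nothing else in RADIUS binds the Accept to the server that holds the secret.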

2 Replies

j-block
Level 4

To use PPTP/MPPE, the RADIUS server must be able to return the MPPE_KEY_ATTRIBUTES to the PIX.

To debug the problem, you can turn on debugging for PPP:

debug ppp uauth
debug ppp error

Try this link:

http://www.cisco.com/warp/public/471/pptp_faq.html
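How a RADIUS server produces the MPPE key attributes the reply above refers to (MS-MPPE-Send-Key and MS-MPPE-Recv-Key, RFC 2548 sections 2.4.2 and 2.4.3), as an added example that is not part of j-block's reply or of any vendor's code. The session key, shared secret and salt are constructed values; the Request Authenticator is copied from the post's debug output. The point worth seeing is that the "encryption" is MD5 keyed with the RADIUS shared secret and the Request Authenticator, so the PPTP session keys are only as well protected as that secret and the path between the RADIUS server and the NAS.

```python
import hashlib
import os

VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311   # IANA enterprise number for Microsoft
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_salt() -> bytes:
    """Two-byte salt with the high bit set, unique per attribute within a packet (RFC 2548)."""
    raw = bytearray(os.urandom(2))
    raw[0] |= 0x80
    return bytes(raw)


def mppe_key_encrypt(key: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Return the String field (Salt || C) of an MS-MPPE-*-Key attribute.

    P = Key-Length(1) || Key, zero-padded to a multiple of 16.
    b(1) = MD5(S || R || A), b(i) = MD5(S || c(i-1)), c(i) = p(i) XOR b(i).
    """
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first byte set")
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = b""
    prev = hashlib.md5(secret + request_auth + salt).digest()   # b(1)
    for i in range(0, len(plain), 16):
        c = _xor(plain[i:i + 16], prev)
        out += c
        prev = hashlib.md5(secret + c).digest()                  # b(i+1)
    return salt + out


def mppe_key_decrypt(string: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: recover the key; a wrong secret yields garbage or a length error."""
    salt, cipher = string[:2], string[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plain = b""
    prev = hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += _xor(c, prev)
        prev = hashlib.md5(secret + c).digest()
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("bad key length: wrong shared secret or corrupted attribute")
    return plain[1:1 + key_len]


def ms_mppe_key_vsa(vendor_type: int, key: bytes, secret: bytes,
                    request_auth: bytes, salt: bytes) -> bytes:
    """Wrap the encrypted key as 26 | len | vendor-id 311 | vendor-type | vendor-len | String."""
    string = mppe_key_encrypt(key, secret, request_auth, salt)
    sub = bytes([vendor_type, len(string) + 2]) + string
    value = MICROSOFT_VENDOR_ID.to_bytes(4, "big") + sub
    return bytes([VENDOR_SPECIFIC, len(value) + 2]) + value


def mppe_keys_for_accept(send_key: bytes, recv_key: bytes, secret: bytes,
                         request_auth: bytes) -> bytes:
    """Both key attributes for one Access-Accept, each with its own salt."""
    return (ms_mppe_key_vsa(MS_MPPE_SEND_KEY, send_key, secret, request_auth, new_salt())
            + ms_mppe_key_vsa(MS_MPPE_RECV_KEY, recv_key, secret, request_auth, new_salt()))


if __name__ == "__main__":
    secret = b"example-secret"                                        # constructed
    req_auth = bytes.fromhex("76BC136F4BFC5F4212D1E22FCE47A44F")      # from the post
    key = bytes(range(16))                                            # constructed session key
    vsa = ms_mppe_key_vsa(MS_MPPE_SEND_KEY, key, secret, req_auth, b"\x8a\x5c")
    print(vsa.hex())
    print(mppe_key_decrypt(vsa[8:], secret, req_auth).hex())
```

The first 8 bytes of the attribute are framing (type, length, vendor-id, vendor-type, vendor-length), so vsa[8:] is the String field that mppe_key_decrypt consumes. A 16-byte key pads to 32 bytes of ciphertext; a 32-byte key pads to 48, because the leading length byte pushes it past two blocks.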

Hello j-block,

It looks like you didn't get my question. I don't have encryption problems. I just want to ask whether it is possible to read the group that should be used for the p2p connection from the RADIUS server. However...

BR,

Danail Petrov
