Cisco Support Community
Community Member

l2tp tunnel authentication

Hi,

I've set up a LAC with no l2tp tunnel authentication but I'm getting a challenge in the SCCRQ at the LNS.

lac conf..

vpdn enable
!
vpdn-group 1
 request-dialin
  protocol l2tp
 no l2tp tunnel authentication

LAC is a 7206VXR running 12.2(8) ZB8

lns debug...

4w2d: Tnl 91 L2TP: GOt a challenge in SCCRQ, model-pdsn

any help would be appreciated,

cheers

paul

6 REPLIES
Bronze

Re: l2tp tunnel authentication

Do you see the LAC send the challenge in the LAC debug?

Daniel

Community Member

Re: l2tp tunnel authentication

yes...

also noticed that changing the local name in the LAC config has no effect...the hostname is always seen in the LNS debug as the source of the SCCRQ.

When I change the local name in the LNS the changes are seen in the LAC debug as expected.

Bronze

Re: l2tp tunnel authentication

That's very strange. If you are running a Cisco LNS and LAC, I would recommend trying to run L2F as the protocol instead of L2TP. It essentially works the same way. And if the behavior is still the same, I would recommend opening a TAC case for this. The LAC is not behaving appropriately.

Daniel

Community Member

Re: l2tp tunnel authentication

thanks for the advice...I've now opened a case..

I've found that nothing within the vpdn-group has any effect; in the end I used RADIUS to assign the tunnel password. I can't use L2F as the LAC could be tunnelling to non-Cisco LNSs within our core network...

cheers

paul

Community Member

Re: l2tp tunnel authentication

Hello,

I have also noticed this in 12.2(15)T7. Has this been acknowledged by TAC?

Jan

Community Member

Re: l2tp tunnel authentication

Hi,

I've since found that if you use RADIUS authorisation it overrides anything in the vpdn-group. As we use RADIUS to get the tunnel endpoint, the vpdn-group settings are not used. Unfortunately there is no Cisco AVP that you can send to disable tunnel authentication via RADIUS, so I've been told by TAC. Therefore it appears that if you use RADIUS then you MUST use tunnel authentication.
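
Added example, not part of the thread and not Cisco code: a small Python check that reads an L2TPv2 control message and reports the Host Name AVP and whether a Challenge AVP is present in an SCCRQ, the two things compared in the LAC and LNS debugs above. AVP numbers follow RFC 2661; the sample packets and the host name `lac-hostname` are constructed, and they omit the other AVPs a real SCCRQ carries.

```python
import struct

# AVP attribute types and message type from RFC 2661 (IETF vendor ID 0).
MESSAGE_TYPE, HOST_NAME, CHALLENGE, SCCRQ = 0, 7, 11, 1

def avp(attr_type, value):
    """Build one mandatory IETF AVP: flags+length, vendor ID, type, value."""
    return struct.pack("!HHH", 0x8000 | (6 + len(value)), 0, attr_type) + value

def control_message(avps):
    """Build an L2TPv2 control message header (T, L, S bits set) plus AVPs."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), 0, 0, 0, 0) + body

def inspect_sccrq(packet):
    """Return Host Name and Challenge presence for an SCCRQ, else None."""
    if len(packet) < 12:
        raise ValueError("truncated L2TP header")
    flags, length = struct.unpack("!HH", packet[:4])
    if (flags & 0xC80F) != 0xC802:            # T, L, S bits and version 2
        raise ValueError("not an L2TPv2 control message")
    if not 12 <= length <= len(packet):
        raise ValueError("bad length field")
    offset, seen = 12, {}
    while offset < length:
        if offset + 6 > length:
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack("!HHH", packet[offset:offset + 6])
        avp_len = flags_len & 0x03FF          # low 10 bits carry the AVP length
        if avp_len < 6 or offset + avp_len > length:
            raise ValueError("bad AVP length")
        if vendor == 0:                       # ignore vendor-specific AVPs
            seen.setdefault(attr, packet[offset + 6:offset + avp_len])
        offset += avp_len
    if seen.get(MESSAGE_TYPE) != struct.pack("!H", SCCRQ):
        return None
    return {"host_name": seen.get(HOST_NAME, b"").decode("ascii", "replace"),
            "challenge": CHALLENGE in seen}

# Constructed sample packets (not captured from the thread's routers).
WITH_CHALLENGE = control_message([avp(MESSAGE_TYPE, b"\x00\x01"),
                                  avp(HOST_NAME, b"lac-hostname"),
                                  avp(CHALLENGE, bytes(16))])
WITHOUT_CHALLENGE = control_message([avp(MESSAGE_TYPE, b"\x00\x01"),
                                     avp(HOST_NAME, b"lac-hostname")])

if __name__ == "__main__":
    for name, pkt in (("with", WITH_CHALLENGE), ("without", WITHOUT_CHALLENGE)):
        print(name, inspect_sccrq(pkt))
```

Feed it the UDP payload (port 1701) of a captured SCCRQ to confirm from the wire whether the LAC is sending a challenge and which name it announces.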
