Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

LNS vpdn virtual template selection

Hello all..

I've got a tricky question.

on a VPDN Scenario: client ------ LAC ------- LNS

The usernames are devided to lets say

user#vpn1@company and

user#vpn2@company

LAC based on '@' domain delimiter will send all @company users on LNS

is there a way for LNS to assign different virtual template on #vpn1@company users and different template on #vpn2@company users?

I was trying in another way to implement what i want, with multihop and send #vpn1@company on LNS1 and #vpn2@company LNS2 but it didnt work..

Anyway, any ideas for the above? btw I have no access on LAC...

Rgrds

5 REPLIES
Cisco Employee

Re: LNS vpdn virtual template selection

YES..you can do that.. You can use the advantage of "Per-User VPDN forwarding" on LAC using command "authen-before-forward".

So with that feature, LAC sends the entire structured username to the authentication, authorization, and accounting (AAA) server the first time the router contacts the AAA server. This enables the LAC to customize tunnel attributes for individual users who use a common domain name or DNIS.

Here is the best url which talks exactly that

http://www.cisco.com/warp/public/793/access_dial/vpdn-username.shtml

with that you can use different tunnel name or hostname for tunnel authentication on per-user basis. That way LNS is will differentiate those users based on the tunnel name.

Also with "Per-User forwarding", you can send individual users to different LNS for termination too by chaning "vpdn:ip-addresses= x.x.x.x" field for LNS ip address.

Cisco Employee

Re: LNS vpdn virtual template selection

Sorry forgot that you don't have access to LAC.. But you can use the same feature on LNS too using "VPDN Multihop". That way LNS1 will send the complete username with domain to AAA and AAA reply with tunnel attributes to be initiated to another LNS2

New Member

Re: LNS vpdn virtual template selection

Hello again, and thank you for your answer.

I guess multihop and 2nd (3rd etc) LNS is the only solution

Thanx again!

Cisco Employee

Re: LNS vpdn virtual template selection

One option if the format of the username is always going to be the same # may be to change the default domain delimiter on your LNS from @ to # and then match on a different vpdn-group based upon the domain, so you can use:-

ESR10008-LAC(config)#vpdn domain-delimiter ?

WORD Set of @, /, %, #, - or \ (quote strings containing #, enter \ as \\)

Depending upon how many different user sets you have, this might become a bit difficult to manage on each LNS, but if you only have a few, then it should be ok.

I guess the alternative question is why do you want to use a different vtemplate for different groups of users and depending upon what the reason for that, can we achieve the same result by some other method from different vtemplates ?

New Member

Re: LNS vpdn virtual template selection

Well, what if the LAC has '@' for domain delimiter, and the LNS has '#' ?

p.e. LAC has one vpdn-group for all @company users and the LNS has 2 vpdn-groups, one for #vpn1@company and one for #vpn2@company.

Will this scenario work?

As far as the vtemplate is concerned, it has something to do with vrf's on an MPLS backbone.. Each set of users must get on a different vrf.. thats briefly the case, allthough i dont know the details..

Rgrds

423
Views
3
Helpful
5
Replies