- L2VPN Protocol-Based CLIs
- Any Transport over MPLS
- L2VPN Interworking
- L2VPN Pseudowire Preferential Forwarding
- L2VPN Multisegment Pseudowires
- MPLS Quality of Service
- QoS Policy Support on L2VPN ATM PVPs
- MPLS Pseudowire Status Signaling
- L2VPN VPLS Inter-AS Option B
- IEEE 802.1Q Tunneling (QinQ) for AToM
- Configuring the Managed IPv6 Layer 2 Tunnel Protocol Network Server
- L2VPN Pseudowire Redundancy
- Pseudowire Group Switchover
- L2VPN Pseudowire Switching
- Xconnect as a Client of BFD
- H-VPLS N-PE Redundancy for QinQ Access
- H-VPLS N-PE Redundancy for MPLS Access
- VPLS MAC Address Withdrawal
- Configuring Virtual Private LAN Services
- Routed Pseudo-Wire and Routed VPLS
- VPLS Autodiscovery BGP Based
- N:1 PVC Mapping to PWE with Nonunique VPIs
- QoS Policies for VFI Pseudowires
- VPLS BGP Signaling L2VPN Inter-AS Option A
- VPLS BGP Signaling L2VPN Inter-AS Option B
- Frame Relay over L2TPv3
- Loop-Free Alternate Fast Reroute with L2VPN
- Finding Feature Information
- Prerequisites for Configuring the Managed IPv6 LNS
- Information About Configuring the Managed IPv6 LNS
- How to Configure the Managed LNS
- Configuring a VRF on the LNS
- Configuring a Virtual Template Interface
- Assigning a VRF via the RADIUS Server
- Configuring the LNS to Initiate and Receive L2TP Traffic
- Limiting the Number of Sessions per Tunnel
- Configuring RADIUS Attribute Accept or Reject Lists
- Configuring AAA Accounting Using Named Method Lists
- Configuring RADIUS Tunnel Authentication Method Lists on the LNS
- Configuring the LNS for RADIUS Tunnel Authentication
- Configuring RADIUS Tunnel Authentication Method Lists on the LNS
- Configuring AAA Authentication Methods
- Configuration Examples for the Managed IPv6 Layer 2 Tunnel Protocol Network Server
- Additional References
- Feature Information for Configuring Managed IPv6 Layer 2 Tunnel Protocol Network Server
Configuring the Managed IPv6 Layer 2 Tunnel Protocol Network Server
This document describes how to enable the Managed IPv6 Layer 2 Tunnel Protocol Network Server feature.
- Finding Feature Information
- Prerequisites for Configuring the Managed IPv6 LNS
- Information About Configuring the Managed IPv6 LNS
- How to Configure the Managed LNS
- Configuration Examples for the Managed IPv6 Layer 2 Tunnel Protocol Network Server
- Additional References
- Feature Information for Configuring Managed IPv6 Layer 2 Tunnel Protocol Network Server
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring the Managed IPv6 LNS
For the router to function as an LNS, you must enable Authentication, Authorization, and Accounting (AAA) on the Layer 2 Tunnel Protocol Network Server (LNS) and the Layer 2 Access Concentrator (LAC), by entering the aaanew-model global configuration command. For more information, see the “ Authentication, Authorization, and Accounting ” chapter in the Cisco IOS XE Security: Securing User Services Configuration Guide .
Information About Configuring the Managed IPv6 LNS
L2TP Network Server
The router can function as an LNS. The LNS is a peer to the LAC and sits on one side of an L2TP tunnel. The LNS routes packets to and from the LAC and a destination network. When the router functions as an LNS, you can configure the router to terminate the PPP sessions and route the client IP packets onto the ISP or corporate network toward their final destination (see the figure below). The router can use the Managed IPv6 LNS feature to terminate L2TP sessions from the LAC and place each session into the appropriate IPv6 VRF instance based on the VRF applied to the virtual template interface or alternatively, based on the VRF received for the user through AAA. The router then routes each session within the VRF to the destination network.
Tunnel Accounting
The tunnel accounting feature enhances AAA accounting by adding the ability to include tunnel-related statistics in the RADIUS information. Before you can collect tunnel usage information, you must configure the following attributes on the RADIUS server:
- Acct-Tunnel-Connection—Specifies the identifier assigned to the tunnel session. This attribute and the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint attributes provide a way to uniquely identify a tunnel session for auditing purposes.
- Acct-Tunnel-Packets-Lost—Specifies the number of packets lost on a given link.
The table below describes the values for the Acct-Status-Type attribute that support tunnel accounting on the RADIUS server.
Acct-Status-Type Values |
Value |
Description |
---|---|---|
Tunnel-Link-Reject |
14 |
Marks the rejection of the establishment of a new link in an existing tunnel. |
Tunnel-Link-Start |
12 |
Marks the creation of a tunnel link within an L2TP tunnel that carries multiple links. |
Tunnel-Link-Stop |
13 |
Marks the destruction of a tunnel link within an L2TP tunnel that carries multiple links. |
Tunnel-Reject |
11 |
Marks the rejection of the establishment of a tunnel with another device. |
Tunnel-Start |
9 |
Marks the establishment of a tunnel with another device. |
Tunnel-Stop |
10 |
Marks the destruction of a tunnel to or from another device. |
For more information about the RADIUS tunnel accounting attributes or the Acct-Status-Type values that support RADIUS tunnel accounting, see RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support.
For information about RADIUS accounting attributes supported on the Cisco ASR 1000 Series Aggregation Services Routers, see the “RADIUS Attributes” chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services.
For more information on configuring RADIUS, see your RADIUS user documentation.
How to Configure the Managed LNS
- Configuring a VRF on the LNS
- Configuring a Virtual Template Interface
- Assigning a VRF via the RADIUS Server
- Configuring the LNS to Initiate and Receive L2TP Traffic
- Limiting the Number of Sessions per Tunnel
- Configuring RADIUS Attribute Accept or Reject Lists
- Configuring AAA Accounting Using Named Method Lists
- Configuring RADIUS Tunnel Authentication Method Lists on the LNS
- Configuring the LNS for RADIUS Tunnel Authentication
- Configuring RADIUS Tunnel Authentication Method Lists on the LNS
- Configuring AAA Authentication Methods
Configuring a VRF on the LNS
1.
enable
2.
configure
terminal
3.
vrf
definition
vrf-name
4.
rd
route-distinguisher
5.
address-family
{ipv4|ipv6}
6.
route-target
{import|export|both}
route-target-ext-community
7.
exit-address-family
8.
address-family
{ipv4|ipv6}
9.
route-target
{import|export|both}
route-target-ext-community
10.
end
11.
show
ipv6
route
vrf
vrf-name
DETAILED STEPS
Configuring a Virtual Template Interface
1.
enable
2.
configure
terminal
3.
interface
virtual-template
number
4.
vrf
forwarding
name
5.
ppp
authentication
chap
6.
end
7.
show
interfaces
virtual-access
number
[configuration]
8.
debug
ppp
chap
9.
debug
ppp
negotiation
10.
debug
ppp
negotiation
chap
DETAILED STEPS
Assigning a VRF via the RADIUS Server
1.
enable
2.
configure
terminal
3.
aaa
authorization
configuration
method-name
group
group-name
4.
ipv6
dhcp
pool
pool-name
5.
prefix-delegation
aaa
[method-listmethod-list]
6.
dns-server
ipv6-address
7.
exit
8.
interface
virtual-template
number
9.
ipv6
nd
prefix
framed-ipv6-prefix
10.
ipv6
dhcp
server
pool-name
rapid-commit
11.
end
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enters privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa
authorization
configuration
method-name
group
group-name
Example: Router(config)# aaa authorization configuration DHCPv6-PD group DHCPv6-PD-RADIUS |
Downloads configuration information from the AAA server using RADIUS. |
Step 4 |
ipv6
dhcp
pool
pool-name
Example: Router(config)# ipv6 dhcp pool DHCPv6-PD |
Configures a DHCP for IPv6 configuration information pool and enters DHCP for IPv6 pool configuration mode. |
Step 5 |
prefix-delegation
aaa
[method-listmethod-list]
Example: Router(config-dhcpv6)# prefix-delegation aaa method-list DHCPv6-PD |
Specifies that prefixes are to be acquired from AAA servers. |
Step 6 |
dns-server
ipv6-address
Example: Router(config-dhcpv6)# dns-server 2001:0DB8:3000:3000::42 |
Specifies the Domain Name System (DNS) IPv6 servers available to a DHCP for IPv6 client. |
Step 7 |
exit
Example: Router(config-dhcpv6)# exit |
Exits DHCP for IPv6 pool configuration mode and enters global configuration mode. |
Step 8 |
interface
virtual-template
number
Example: Router(config)# interface virtual-template 1 |
Creates a virtual template interface that can be configured and applied dynamically in creating VAIs, and enters interface configuration mode. |
Step 9 |
ipv6
nd
prefix
framed-ipv6-prefix
Example: Router(config-if)# ipv6 nd prefix framed-ipv6-prefix |
Adds the prefix in a received RADIUS framed IPv6 prefix attribute to the interface's neighbor discovery prefix queue. |
Step 10 |
ipv6
dhcp
server
pool-name
rapid-commit
Example: Router(config-if)# ipv6 dhcp server DHCPv6-PD rapid-commit |
Enables DHCPv6 on an interface. |
Step 11 |
end
Example: Router(config-if)# end |
Exits interface configuration mode and returns to privileged EXEC mode. |
Configuring the LNS to Initiate and Receive L2TP Traffic
1.
enable
2.
configure
terminal
3.
vpdn
enable
4.
vpdn-group
group-name
5.
accept-dialin
6.
protocol
12tp
7.
virtual-template
template-number
8.
exit
9.
terminate-from
hostname
hostname
10.
end
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enters privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
vpdn
enable
Example: Router(config)# vpdn enable |
Enables VPDN networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (home gateway) if one is present. |
Step 4 |
vpdn-group
group-name
Example: Router(config)# vpdn-group group1 |
Defines a local group name for which you can assign other VPDN variables. |
Step 5 |
accept-dialin
Example: Router(config-vpdn)# accept-dialin |
Configures the LNS to accept tunneled PPP connections from the LAC and creates an accept-dialin VPDN subgroup. |
Step 6 |
protocol
12tp
Example: Router(config-vpdn-acc-in)# protocol 12tp |
Specifies the Layer 2 Tunnel Protocol. |
Step 7 |
virtual-template
template-number
Example: Router(config-vpdn-acc-in)# virtual-template 1 |
Specifies the virtual template to be used to clone VAIs. |
Step 8 |
exit
Example: Router(config-vpdn-acc-in)# exit |
Returns to VPDN group configuration mode. |
Step 9 |
terminate-from
hostname
hostname
Example: Router(config-vpdn)# terminate-from hostname lac1-vpn1 |
Specifies the hostname of the remote LAC that is required when accepting a VPDN tunnel. |
Step 10 |
end
Example: Router(config-vpdn)# end |
Exits VPDN configuration mode and returns to privileged EXEC mode. |
Limiting the Number of Sessions per Tunnel
1.
enable
2.
configure
terminal
3.
vpdn-group
group-name
4.
accept-dialin
5.
protocol
12tp
6.
virtual-template
template-number
7.
exit
8.
terminate-from
hostname
host-name
9.
session-limit
limit-number
10.
exit
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enters privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
vpdn-group
group-name
Example: Router(config)# vpdn-group group1 |
Defines a local group name for which you can assign other VPDN variables. |
Step 4 |
accept-dialin
Example: Router(config-vpdn)# accept-dialin |
Configures the LNS to accept tunneled PPP connections from the LAC and creates an accept-dialin VPDN subgroup. |
Step 5 |
protocol
12tp
Example: Router(config-vpdn-acc-in)# protocol 12tp |
Specifies the Layer 2 Tunnel Protocol. |
Step 6 |
virtual-template
template-number
Example: Router(config-vpdn-acc-in)# virtual-template 1 |
Specifies the virtual template to be used to clone VAIs. |
Step 7 |
exit
Example: Router(config-vpdn-acc-in)# exit |
Returns to VPDN group configuration mode. |
Step 8 |
terminate-from
hostname
host-name
Example: Router(config-vpdn)# terminate-from hostname test_LAC |
Specifies the hostname of the remote LAC that is required when accepting a VPDN tunnel. |
Step 9 |
session-limit
limit-number
Example: Router(config-vpdn)# session-limit 100 |
Specifies the maximum number of sessions per tunnel. |
Step 10 |
exit
Example: Router(config-vpdn)# exit |
Exits VPDN configuration mode and returns to privileged EXEC mode. |
Configuring RADIUS Attribute Accept or Reject Lists
1.
enable
2.
configure
terminal
3.
aaa
authentication
ppp
default
group
group-name
4.
aaa
authorization
network
group
group
group-name
5.
aaa
group
server
radius
group-name
6.
server-private
ip-address
[acct-portport-number][timeoutseconds] [retransmitretries] [keystring]
7.
authorization
[accept|reject]
list-name
8.
exit
9.
radius-server
attribute
list
listname
10.
attribute
value1
[value2 [value3...]]
11.
end
12.
show
accounting
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enters privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa
authentication
ppp
default
group
group-name
Example: Router(config)# aaa authentication ppp default group radius_authen1 |
Specifies one or more AAA authentication methods for use on serial interfaces running PPP. |
Step 4 |
aaa
authorization
network
group
group
group-name
Example: Router(config)# aaa authorization network group group radius_authen1 |
Sets the parameters that restrict network access to the user. |
Step 5 |
aaa
group
server
radius
group-name
Example: Router(config)# aaa group server radius VPDN-Group |
Groups different RADIUS server hosts into distinct lists and distinct methods and enters server group RADIUS configuration mode. |
Step 6 |
server-private
ip-address
[acct-portport-number][timeoutseconds] [retransmitretries] [keystring]
Example: Router(config-sg-radius)# server-private 10.1.1.2 acct-port 0 timeout 7 retransmit 3 key cisco1 |
Configures the IP address of the private RADIUS server for the group server.
|
Step 7 |
authorization
[accept|reject]
list-name
Example: Router(config-sg-radius)# authorization accept vpn1-autho-list |
Specifies a filter for the attributes that are returned in an Access-Accept packet from the RADIUS server. |
Step 8 |
exit
Example: Router(config-sg-radius)# exit |
Exits server group RADIUS configuration mode and enters global configuration mode. |
Step 9 |
radius-server
attribute
list
listname
Example: Router(config)# radius-server attribute list vpn1-autho-list |
Defines the list name given to the set of attributes defined using the attribute command and enters RADIUS attribute list configuration mode. |
Step 10 |
attribute
value1
[value2 [value3...]]
Example: Router(config-radius-attrl)# attribute 26,200 |
Adds attributes to the configured accept or reject list. |
Step 11 |
end
Example: Router(config-radius-attrl)# end |
Exits RADIUS attribute list configuration mode and returns to privileged EXEC mode. |
Step 12 |
show
accounting
Example: Router# show accounting |
Displays accounting records for users currently logged in. |
Configuring AAA Accounting Using Named Method Lists
Note | System accounting does not use named method lists. For system accounting you can define only the default method list. For more information, see the “Configuring Accounting ” chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services. |
1.
enable
2.
configure
terminal
3.
aaa
accounting
network
list-name
start-stop
group
radius
4.
line
[aux |
console|
vty] [line-number]
5.
accounting
{arap|commandslevel|connection|exec|resource} [default |
list-name]
6.
end
7.
debug
aaa
accounting
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enters privileged EXEC mode. |
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa
accounting
network
list-name
start-stop
group
radius
Example:
Router(config)# aaa accounting network methodlist start-stop group radius
|
Creates an accounting method list and enables accounting. |
Step 4 |
line
[aux |
console|
vty] [line-number]
Example: Router(config)# line console 0 |
Enters line configuration mode for the line to which you want to apply the accounting method list. |
Step 5 |
accounting
{arap|commandslevel|connection|exec|resource} [default |
list-name]
Example: Router(config-line)# accounting commands 15 list1 |
Applies the accounting method list to a line or a set of lines. |
Step 6 |
end
Example: Router(config-line)# end |
Exits line configuration mode and returns to privileged EXEC mode. |
Step 7 |
debug
aaa
accounting
Example: Router# debug aaa accounting |
Displays information on accountable events as they occur. |
Configuring RADIUS Tunnel Authentication Method Lists on the LNS
1.
enable
2.
configure
terminal
3.
aaa
authorization
network
list-name
method1
[method2...]
4.
vpdn
tunnel
authorization
network
lmethod-ist-name
method1
[method2...]
5.
vpdn
tunnel
authorization
virtual-template
vtemplate-number
6.
vpdn
tunnel
authorization
password
dummy-password
7.
debug
aaa
authorization
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Router> enable |
Enters privileged EXEC mode. | ||
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
Step 3 |
aaa
authorization
network
list-name
method1
[method2...]
Example: Router(config)# aaa authorization network mymethodlist group VPDN-Group |
Sets parameters that restrict user access to a network.
| ||
Step 4 |
vpdn
tunnel
authorization
network
lmethod-ist-name
method1
[method2...]
Example: Router(config)# vpdn tunnel authorization network mymethodlist |
Specifies the AAA method list to use for VPDN remote tunnel hostname-based authorization. | ||
Step 5 |
vpdn
tunnel
authorization
virtual-template
vtemplate-number
Example: Router(config)# vpdn tunnel authorization virtual-template 10 |
Specifies the default virtual template interface used to clone a VAI. | ||
Step 6 |
vpdn
tunnel
authorization
password
dummy-password
Example: Router(config)# vpdn tunnel authorization password mypassword |
Specifies the password to use for the RADIUS authorization request to retrieve the tunnel configuration based on the remote tunnel hostname. | ||
Step 7 |
debug
aaa
authorization
Example: Router# debug aaa authorization |
Displays information on AAA authorization. |
Configuring the LNS for RADIUS Tunnel Authentication
Perform the following tasks to configure LNS for RADIUS Tunnel Authentication:
Note | Cisco ASR 1000 Series Aggregation Services Routers supports L2TP tunnel authorization. However, RADIUS does not provide attributes for such parameter values as L2TP tunnel timeouts, L2TP tunnel hello intervals, and L2TP tunnel receive window size. When the Cisco ASR 1000 Series Aggregation Services Router does not receive a RADIUS attribute for a parameter, the router uses the default value. |
Configuring RADIUS Tunnel Authentication Method Lists on the LNS
To configure method lists on the LNS for RADIUS tunnel authentication, perform the following task.
1.
enable
2.
configure
terminal
3.
aaa
authorization
network
list-name
method1
[method2...]
4.
vpdn
tunnel
authorization
network
method-
list-name
5.
vpdn
tunnel
authorization
virtual-template
vtemplate-number
6.
vpdn
tunnel
authorization
password
dummy-password
7.
end
8.
debug
aaa
authorization
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Router> enable |
Enters privileged EXEC mode. | ||
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
Step 3 |
aaa
authorization
network
list-name
method1
[method2...]
Example: Router(config)# aaa authorization network mymethodlist group VPDN-Group |
Sets parameters that restrict user access to a network
| ||
Step 4 |
vpdn
tunnel
authorization
network
method-
list-name
Example: Router(config)# vpdn tunnel authorization network mymethodlist |
Specifies the AAA method list to use for VPDN remote tunnel hostname-based authorization. | ||
Step 5 |
vpdn
tunnel
authorization
virtual-template
vtemplate-number
Example: Router(config)# vpdn tunnel authorization virtual-template 10 |
Specifies the default virtual template interface used to clone a VAI.
| ||
Step 6 |
vpdn
tunnel
authorization
password
dummy-password
Example: Router(config)# vpdn tunnel authorization password mypassword |
Specifies the password to use for the RADIUS authorization request to retrieve the tunnel configuration based on the remote tunnel hostname.
| ||
Step 7 |
end
Example: Router(config)# end |
Exits global configuration mode and returns to privileged EXEC mode. | ||
Step 8 |
debug
aaa
authorization
Example: Router# debug aaa authorization |
Displays information on AAA authorization. |
Configuring AAA Authentication Methods
1.
enable
2.
configure
terminal
3.
aaa
new-model
4. Configure RADIUS security protocol parameters. For more information about RADIUS, see the “Configuring RADIUS” chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services .
5.
aaa
authentication
6. Apply the authentication method lists to an interface, a line, or a set of lines as required. For more information about authentication method lists, see the “Configuring Authentication” chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services .
7.
end
DETAILED STEPS
Step 1 |
enable
|
Step 2 |
configure
terminal
|
Step 3 |
aaa
new-model
Enter this command in global configuration mode to enable AAA. |
Step 4 | Configure RADIUS security protocol parameters. For more information about RADIUS, see the “Configuring RADIUS” chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services . |
Step 5 |
aaa
authentication
Enter this command to define the authentication method lists. |
Step 6 | Apply the authentication method lists to an interface, a line, or a set of lines as required. For more information about authentication method lists, see the “Configuring Authentication” chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services . |
Step 7 |
end
|
Configuration Examples for the Managed IPv6 Layer 2 Tunnel Protocol Network Server
- Example Managed IPv6 LNS Configuration
- Example LNS Tunnel Accounting Configuration
- Example Verifying the User Profile on the RADIUS Server
Example Managed IPv6 LNS Configuration
The following example shows how to configure Managed IPv6 LNS features on the router. In this example, the router terminates the tunnel from the LAC and associates the VRFs with the interfaces and the virtual template interfaces. This configuration also shows how to configure RADIUS attribute screening and AAA accounting for the VRFs.
! ! vrf definition Mgmt-intf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition user_vrf1 rd 1:1 route-target export 1:1 route-target import 1:1 ! address-family ipv6 exit-address-family ! logging buffered 10000000 enable password lab ! aaa new-model ! ! aaa group server radius radius_authen1 server-private 10.1.1.2 acct-port 0 timeout 7 retransmit 3 key cisco1 ip radius source-interface Loopback20000 ! aaa authentication login default none aaa authentication ppp default group radius_authen1 aaa authorization network default group radius_authen1 aaa authorization configuration DHCPv6-PD group radius_authen1 ! ! ! ! ! aaa session-id common aaa policy interface-config allow-subinterface ppp hold-queue 80000 clock timezone EST -5 0 ip source-route no ip gratuitous-arps ! ! ! ! ! ! ! no ip domain lookup ip host mcp-matrix 10.0.0.2 ip host mcp-sun-2 10.0.0.2 ! ! ipv6 unicast-routing ipv6 dhcp binding track ppp ipv6 dhcp pool ipv6_dhcp_pool1 prefix-delegation aaa method-list DHCPv6-PD ! ! ! ! multilink bundle-name authenticated vpdn enable ! vpdn-group VPDN_LNS1 accept-dialin protocol l2tp virtual-template 1 terminate-from hostname test_LAC1 source-ip 10.0.0.2 local name test_LNS1 l2tp tunnel password 0 tunnel1 l2tp tunnel receive-window 100 l2tp tunnel timeout no-session 30 l2tp tunnel retransmit retries 7 l2tp tunnel retransmit timeout min 2 ! ! no virtual-template snmp ! ! ! ! ! ! ! ! ! username asifp1@test1 password 0 hello1 ! redundancy notification-timer 30000 mode none ! ! ! ! ! ip tftp source-interface GigabitEthernet 0 ! ! ! ! ! ! ! ! interface Loopback1 no ip address ! interface Loopback20000 ip address 209.165.202.131 255.255.255.224 ! interface GigabitEthernet1/1/0 mac-address 8888.8888.8888 no ip address load-interval 30 negotiation auto hold-queue 4096 in hold-queue 4096 out ! interface GigabitEthernet1/1/0.1 encapsulation dot1Q 3 ip address 209.165.202.132 255.255.255.224 ! interface GigabitEthernet1/1/1 mac-address 4444.4444.4444 no ip address load-interval 30 no negotiation auto hold-queue 4096 in hold-queue 4096 out ! interface GigabitEthernet1/1/1.1 vrf forwarding user_vrf1 encapsulation dot1Q 2 ipv6 address 12::1/72 ! interface GigabitEthernet1/1/2 no ip address negotiation auto ! interface GigabitEthernet1/1/3 no ip address negotiation auto ! interface GigabitEthernet1/1/4 no ip address negotiation auto ! interface GigabitEthernet1/1/5 no ip address negotiation auto ! interface GigabitEthernet1/1/6 no ip address negotiation auto ! interface GigabitEthernet1/1/7 description Connected to RADIUS ip address 209.165.201.1 255.255.255.224 negotiation auto ! interface GigabitEthernet1/3/0 no ip address media-type sfp negotiation auto ! interface GigabitEthernet1/3/1 no ip address media-type sfp negotiation auto ! interface GigabitEthernet 0 vrf forwarding Mgmt-intf ip address 209.165.201.1 255.255.255.224 negotiation auto ! interface Virtual-Template 1 no ip address no logging event link-status ipv6 dhcp server ipv6_dhcp_pool1 rapid-commit keepalive 30 ppp mtu adaptive ppp authentication pap ! ip default-gateway 10.1.0.5 ip forward-protocol nd ! no ip http server no ip http secure-server ip route vrf Mgmt-intf 209.165.201.1 255.255.255.254 172.16.1.1 ip route vrf Mgmt-intf 209.165.201.29 255.255.255.224 172.16.0.1 ! ip radius source-interface GigabitEthernet1/1/7 logging esm config cdp run ipv6 route vrf user_vrf1 ::/0 12::2 ! ipv6 neighbor 12::2 GigabitEthernet1/1/1.1 2222.2222.2222 ! ! ! control-plane ! call admission limit 90 ! ! ! alias exec call show caller summ alias exec caller show caller summ alias exec palt show plat alias exec plat show platform alias exec evsi sho plat hard cpp act feat ess stat ! line con 0 exec-timeout 0 0 stopbits 1 line vty 0 4 exec-timeout 0 0 password password1 ! exception data-corruption buffer truncate end
Example LNS Tunnel Accounting Configuration
The following example shows how to configure the LNS to send tunnel accounting records to the RADIUS server:
aaa new-model ! ! aaa accounting network m1 start-stop group radius aaa accounting network m2 stop-only group radius aaa session-id common enable secret 5 $1$ftf.$wE6Q5Yv6hmQiwL9pizPCg1 ! username ENT_LNS password 0 tunnelpass username user1@example.com password 0 lab username user2@example.com password 0 lab spe 1/0 1/7 firmware location system:/ucode/mica_port_firmware spe 2/0 2/9 firmware location system:/ucode/mica_port_firmware ! ! resource-pool disable clock timezone est 2 ! ip subnet-zero no ip domain-lookup ip host CALLGEN-SECURITY-V2 10.24.80.28 10.47.0.0 ip host dirt 172.16.1.129 ! vpdn enable vpdn tunnel accounting network m1 vpdn session accounting network m1 ! vpdn-group 1 accept-dialin protocol l2tp virtual-template 1 terminate-from hostname ISP_LAC local name ENT_LNS ! isdn switch-type primary-5ess ! ! fax interface-type modem mta receive maximum-recipients 0 ! interface Loopback 0 ip address 172.16.0.101 255.255.255.0 ! interface Loopback 1 ip address 192.168.0.101 255.255.255.0 ! interface Ethernet 0 ip address 10.1.26.71 255.255.255.0 no ip mroute-cache no cdp enable ! interface virtual-template 1 ip unnumbered Loopback 0 peer default ip address pool vpdn-pool1 ppp authentication chap ! interface virtual-template 2 ip unnumbered Loopback1 peer default ip address pool vpdn-pool2 ppp authentication chap ! interface fastethernet 0 no ip address no ip mroute-cache shutdown duplex auto speed auto no cdp enable ! ip local pool vpdn-pool1 172.16.5.1 172.16.128.100 ip local pool vpdn-pool2 10.0.0.1 10.0.0.100 ip default-gateway 10.1.26.254 ip classless ip route 0.0.0.0 0.0.0.0 10.1.26.254 ip route 192.168.1.2 255.255.255.255 10.1.26.254 no ip http server ip pim bidir-enable ! ! dialer-list 1 protocol ip permit no cdp run ! ! radius-server host 172.16.192.80 auth-port 1645 acct-port 1646 key rad123 radius-server retransmit 3 call rsvp-sync end
Note | For additional accounting examples, see the “Configuring Accounting” chapter in the Cisco IOS XE Security: Secure Services Configuration Guide . |
Example Verifying the User Profile on the RADIUS Server
The following is an example user profile on the RADIUS server. The Cisco ASR 1000 Series Aggregation Services Routers retrieves the information in the user profile from the RADIUS server.
Radius Profile "user1" Auth-Type = Local, User-Password = "pwd" User-Service-Type = Framed-User Framed-Protocol = PPP cisco-avpair = "lcp:interface-config=vrf forwarding VRF01" cisco-avpair = "lcp:interface-config=ipv6 unnumbered loopback1" Framed-IPv6-Prefix = "2001:DB8:4567:1234::/64" Delegated-IPv6-Prefix = "2001:DB8:AAAA::/48"
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Cisco IOS XE MPLS commands |
Cisco IOS MPLS Command Reference |
Authentication, authorization and accounting |
Authentication, Authorization, and Accounting (AAA) |
Configuring RADIUS |
Configuring RADIUS |
Configuring accounting |
Configuring Accounting |
RADIUS attributes |
“RADIUS Attributes Overview and RADIUS IETF Attributes” module in the Cisco IOS XE Security Configuration Guide: Securing User Services |
Standards
Standard |
Title |
---|---|
No new or modified standards are supported, and support for existing standards has not been modified. |
— |
MIBs
MIB |
MIBs Link |
---|---|
No new or modified MIBs are supported, and support for existing MIBs has not been modified. |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFC |
Title |
---|---|
RFC 2867 |
RADIUS Accounting Modifications for Tunnel Protocol Support |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Configuring Managed IPv6 Layer 2 Tunnel Protocol Network Server
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Managed IPv6 Layer 2 Tunnel Protocol Network Server |
Cisco IOS XE Release 3.3S |
The Managed IPv6 LNS feature allows the service provider to offer a scalable end-to-end VPN of both IPv4 and IPv6 service to remote users. This feature integrates the Multiprotocol Label Switching (MPLS)-enabled backbone with broadband access capabilities. The following commands were introduced or modified: atm pppatm passive, radius-server attribute list, radius-server key, radius-server retransmit, radius-server vsa send. |
Managed IPv6 Layer 2 Tunnel Protocol Network Server - VRF-Lite only |
Cisco IOS XE Release 3.3S |
The Managed IPv6 LNS feature allows the service provider to offer a scalable end-to-end VPN of both IPv4 and IPv6 service to remote users. This feature integrates the VRF-Lite enabled backbone with broadband access capabilities. |
Managed IPv6 Layer 2 Tunnel Protocol Network Server - MPLS VPN |
Cisco IOS XE Release 3.7S |
The Managed IPv6 LNS feature allows the service provider to offer a scalable end-to-end VPN of both IPv4 and IPv6 service to remote users. This feature integrates the MPLS enabled backbone with broadband access capabilities. |