- Read Me First
- RADIUS Attributes Overview and RADIUS IETF Attributes
- RADIUS Vendor-Proprietary Attributes
- RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
- Connect-Info RADIUS Attribute 77
- Encrypted Vendor-Specific Attributes
- RADIUS Attribute 8 Framed-IP-Address in Access Requests
- RADIUS Attribute 82 Tunnel Assignment ID
- RADIUS Tunnel Attribute Extensions
- RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
- RADIUS Attribute Value Screening
- RADIUS Attribute 55 Event-Timestamp
- RADIUS Attribute 104
- RADIUS NAS-IP-Address Attribute Configurability
- RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
- Finding Feature Information
- Prerequisites
- Restrictions
- Information About RADIUS Tunnel Attribute Extensions
- How to Configure RADIUS Tunnel Attribute Extensions
- Configuration Examples for RADIUS Tunnel Attribute Extensions
- Additional References
- Feature Information for RADIUS Tunnel Attribute Extensions
- Glossary
RADIUS Tunnel Attribute Extensions
The RADIUS Tunnel Attribute Extensions feature introduces RADIUS attribute 90 (Tunnel-Client-Auth-ID) and RADIUS attribute 91 (Tunnel-Server-Auth-ID). Both attributes help support the provision of compulsory tunneling in virtual private networks (VPNs) by allowing the user to specify authentication names for the network access server (NAS) and the RADIUS server.
- Finding Feature Information
- Prerequisites
- Restrictions
- Information About RADIUS Tunnel Attribute Extensions
- How to Configure RADIUS Tunnel Attribute Extensions
- Configuration Examples for RADIUS Tunnel Attribute Extensions
- Additional References
- Feature Information for RADIUS Tunnel Attribute Extensions
- Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites
To use RADIUS attributes 90 and 91, you must complete the following tasks:
Configure your NAS to support AAA.
Configure your NAS to support RADIUS.
Configure your NAS to support VPN.
Restrictions
Your RADIUS server must support tagged attributes to use RADIUS tunnel attributes 90 and 91.
Information About RADIUS Tunnel Attribute Extensions
RADIUS Tunnel Attribute Extension Benefits
The RADIUS Tunnel Attribute Extensions feature allows you to specify a name (other than the default) of the tunnel initiator and the tunnel terminator. Thus, you can establish a higher level of security when setting up VPN tunneling.
RADIUS Tunnel Attribute Extension Description
Once a NAS has set up communication with a RADIUS server, you can enable a tunneling protocol. Some applications of tunneling protocols are voluntary, but others involve compulsory tunneling; that is, a tunnel is created without any action from the user and without allowing the user any choice in the matter. In those cases, new RADIUS attributes are needed to carry the tunneling information from the NAS to the RADIUS server to establish authentication. These new RADIUS attributes are listed in the table below.
Note | In compulsory tunneling, any security measures in place apply only to traffic between the tunnel endpoints. Encryption or integrity protection of tunneled traffic must not be considered as a replacement for end-to-end security. |
Number |
IETF RADIUS Tunnel Attribute |
Equivalent TACACS+ Attribute |
Supported Protocols |
Description |
---|---|---|---|---|
90 |
Tunnel-Client-Auth-ID |
tunnel-id |
Layer 2 Tunneling Protocol (L2TP) |
Specifies the name used by the tunnel initiator (also known as the NAS1) when authenticating tunnel setup with the tunnel terminator. |
91 |
Tunnel-Server-Auth-ID |
gw-name |
Layer 2 Tunneling Protocol (L2TP) |
Specifies the name used by the tunnel terminator (also known as the Home Gateway2) when authenticating tunnel setup with the tunnel initiator. |
RADIUS attribute 90 and RADIUS attribute 91 are included in the following situations:
If the RADIUS server accepts the request and the desired authentication name is different from the default, they must be included it.
If an accounting request contains Acct-Status-Type attributes with values of either start or stop and pertains to a tunneled session, they should be included in.
How to Configure RADIUS Tunnel Attribute Extensions
There are no configuration tasks associated with this feature.
Verifying RADIUS Attribute 90 and RADIUS Attribute 91
To verify that RADIUS attribute 90 and RADIUS attribute 91 are being sent in access accepts and accounting requests, use the following command in privileged EXEC mode:
Command |
Purpose |
---|---|
Router# debug radius
|
Displays information associated with RADIUS. The output of this command shows whether attribute 90 and attribute 91 are being sent in access accepts and accounting requests. |
Configuration Examples for RADIUS Tunnel Attribute Extensions
- L2TP Network Server Configuration Example
- RADIUS User Profile with RADIUS Tunneling Attributes 90 and 91 Example
L2TP Network Server Configuration Example
The following example shows how to configure the LNS with a basic L2F and L2TP configuration using RADIUS tunneling attributes 90 and 91:
aaa new-model aaa authentication login default none aaa authentication login console none aaa authentication ppp default local group radius aaa authorization network default group radius if-authenticated ! username l2tp-svr-auth-id password 0 l2tp-tnl-pass ! vpdn enable vpdn search-order domain ! vpdn-group 1 accept-dialin protocol l2tp virtual-template 1 terminate-from hostname l2tp-cli-auth-id local name l2tp-svr-auth-id ! interface loopback0 ip address 10.0.0.3 255.255.255.0 no ip route-cache no ip mroute-cache ! interface Virtual-Template1 ip unnumbered loopback0 ppp authentication pap ! radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 radius-server key <deleted> !
RADIUS User Profile with RADIUS Tunneling Attributes 90 and 91 Example
The following is an example of a RADIUS user profile that includes RADIUS tunneling attributes 90 and 91 for an L2TP tunnel.
cisco.com Password = "cisco", Service-Type = Outbound Service-Type = Outbound, Tunnel-Type = :1:L2TP, Tunnel-Medium-Type = :1:IP, Tunnel-Client-Endpoint = :1:"10.0.0.2", Tunnel-Server-Endpoint = :1:"10.0.0.3", Tunnel-Client-Auth-Id = :1:"l2tp-cli-auth-id", Tunnel-Server-Auth-Id = :1:"l2tp-svr-auth-id", Tunnel-Assignment-Id = :1:"l2tp-assignment-id", Cisco-Avpair = "vpdn:l2tp-tunnel-password=l2tp-tnl-pass", Tunnel-Preference = :1:1
Additional References
The following sections provide references related to the RADIUS Tunnel Attribute Extensions feature.
Related Documents
Related Topic |
Document Title |
---|---|
Authentication configuration |
“Configuring Authentication” in the Cisco IOS XE Security Configuration Guide: Configuring User Services , Release 2 |
RADIUS configuration |
“Configuring RADIUS” in the Cisco IOS XE Security Configuration Guide: Configuring User Services , Release 2 |
Overview of RADIUS attributes |
“RADIUS Attributes Overview and RADIUS IETF Attributes” in the Cisco IOS XE Security Configuration Guide: Configuring User Services , Release 2 |
Security commands |
Cisco IOS Security Command Reference |
Standards
Standard |
Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
-- |
MIBs
MIB |
MIBs Link |
---|---|
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFC |
Title |
---|---|
RFC 2868 |
RADIUS Attributes for Tunnel Protocol Support |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for RADIUS Tunnel Attribute Extensions
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
RADIUS Tunnel Attribute Extensions |
Cisco IOS XE Release 2.1 |
The RADIUS Tunnel Attribute Extensions feature introduces RADIUS attribute 90 (Tunnel-Client-Auth-ID) and RADIUS attribute 91 (Tunnel-Server-Auth-ID). Both attributes help support the provision of compulsory tunneling in virtual private networks (VPNs) by allowing the user to specify authentication names for the network access server (NAS) and the RADIUS server. In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. |
Glossary
Layer 2 Tunnel Protocol (L2TP) -- A Layer 2 tunneling protocol that enables an ISP or other access service to create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels.
L2TP access concentrator (LAC) --A network access server (NAS) to which the client directly connects and through which PPP frames are tunneled to the L2TP network server (LNS). The LAC need only implement the media over which L2TP is to operate to pass traffic to one or more LNSs. The LAC may tunnel any protocol carried within PPP. The LAC initiates incoming calls and receives outgoing calls. A LAC is analogous to an L2F network access server.
L2TP network server (LNS) --A termination point for L2TP tunnels, and an access point where PPP frames are processed and passed to higher-layer protocols. An LNS can operate on any platform that terminates PPP. The LNS handles the server side of the L2TP protocol. L2TP relies only on the single medium over which L2TP tunnels arrive. The LNS initiates outgoing calls and receives incoming calls. An LNS is analogous to a home gateway in L2F technology.
network access server (NAS) --A Cisco platform, or collection of platforms, such as an AccessPath system, that interfaces between the packet world (such as the Internet) and the circuit-switched world (such as the PSTN).
tunnel--A virtual pipe between the L2TP access concentrator (LAC) and L2TP network server (LNS) that can carry multiple PPP sessions.
virtual private network (VPN)--A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the L2TP network server (LNS) instead of the L2TP access concentrator (LAC).