RADIUS Tunnel Attribute Extensions
First Published: November 27, 2000
Last Updated: October 6, 2009
The RADIUS Tunnel Attribute Extensions feature allows a name to be specified (other than the default) for the tunnel initiator and the tunnel terminator in order to establish a higher level of security when setting up VPN tunneling.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for RADIUS Tunnel Attribute Extensions" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•Prerequisites for RADIUS Tunnel Attribute Extensions
•Restrictions for RADIUS Tunnel Attribute Extensions
•Information About RADIUS Tunnel Attribute Extensions
•How to Verify RADIUS Attribute 90 and RADIUS Attribute 91
•Configuration Examples for RADIUS Tunnel Attribute Extensions
•Additional References
•Feature Information for RADIUS Tunnel Attribute Extensions
•Glossary
Prerequisites for RADIUS Tunnel Attribute Extensions
To use RADIUS attributes 90 and 91, you must complete the following tasks:
•Configure your NAS to support AAA.
•Configure your NAS to support RADIUS.
•Configure your NAS to support VPN.
Restrictions for RADIUS Tunnel Attribute Extensions
Your RADIUS server must support tagged attributes to use RADIUS tunnel attributes 90 and 91.
Information About RADIUS Tunnel Attribute Extensions
The RADIUS Tunnel Attribute Extensions feature introduces RADIUS attribute 90 (Tunnel-Client-Auth-ID) and RADIUS attribute 91 (Tunnel-Server-Auth-ID). Both attributes help support the provision of compulsory tunneling in virtual private networks (VPNs) by allowing the user to specify authentication names for the network access server (NAS) and the RADIUS server.
How RADIUS Tunnel Attribute Extensions Work
Once a NAS has set up communication with a RADIUS server, you can enable a tunneling protocol. Some applications of tunneling protocols are voluntary, but others involve compulsory tunneling; that is, a tunnel is created without any action from the user and without allowing the user any choice in the matter. In those cases, new RADIUS attributes are needed to carry the tunneling information from the NAS to the RADIUS server to establish authentication. These new RADIUS attributes are listed in Table 1.
Note In compulsory tunneling, any security measures in place apply only to traffic between the tunnel endpoints. Encryption or integrity protection of tunneled traffic must not be considered as a replacement for end-to-end security.
Table 1 RADIUS Tunnel Attributes
|
IETF RADIUS Tunnel Attribute
|
Equivalent TACACS+ Attribute
|
|
|
90 |
Tunnel-Client-Auth-ID |
tunnel-id |
•Layer 2 Forwarding (L2F) •Layer 2 Tunneling Protocol (L2TP) |
Specifies the name used by the tunnel initiator (also known as the NAS1 ) when authenticating tunnel setup with the tunnel terminator. |
91 |
Tunnel-Server-Auth-ID |
gw-name |
•Layer 2 Forwarding (L2F) •Layer 2 Tunneling Protocol (L2TP) |
Specifies the name used by the tunnel terminator (also known as the Home Gateway2 ) when authenticating tunnel setup with the tunnel initiator. |
RADIUS attribute 90 and RADIUS attribute 91 are included in the following situations:
•If the RADIUS server accepts the request and the desired authentication name is different from the default, they must be included it.
•If an accounting request contains Acct-Status-Type attributes with values of either start or stop and pertains to a tunneled session, they should be included in.
How to Verify RADIUS Attribute 90 and RADIUS Attribute 91
To verify that RADIUS attribute 90 and RADIUS attribute 91 are being sent in access accepts and accounting requests, use the following command in privileged EXEC mode:
|
|
Router# debug radius |
Displays information associated with RADIUS. The output of this command shows whether attribute 90 and attribute 91 are being sent in access accepts and accounting requests. |
Configuration Examples for RADIUS Tunnel Attribute Extensions
This section provides the following configuration examples:
•L2TP Network Server (LNS) Configuration: Example
•RADIUS User Profile with RADIUS Tunneling Attributes 90 and 91: Example
L2TP Network Server (LNS) Configuration: Example
The following example shows how to configure the LNS with a basic L2F and L2TP configuration using RADIUS tunneling attributes 90 and 91:
aaa authentication login default none
aaa authentication login console none
aaa authentication ppp default local group radius
aaa authorization network default group radius if-authenticated
username l2f-cli-auth-id password 0 l2f-cli-pass
username l2f-svr-auth-id password 0 l2f-svr-pass
username l2tp-svr-auth-id password 0 l2tp-tnl-pass
terminate-from hostname l2f-cli-auth-id
local name l2f-svr-auth-id
terminate-from hostname l2tp-cli-auth-id
local name l2tp-svr-auth-id
ip address 10.0.0.3 255.255.255.0
interface Virtual-Template1
ip unnumbered Ethernet1/0
interface Virtual-Template2
ip unnumbered Ethernet1/0
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646
radius-server key <deleted>
RADIUS User Profile with RADIUS Tunneling Attributes 90 and 91: Example
The following is an example of a RADIUS user profile that includes RADIUS tunneling attributes 90 and 91. This entry supports two tunnels, one for L2F and the other for L2TP. The tag entries with :1 support L2F tunnels, and the tag entries with :2 support L2TP tunnels.
cisco.com Password = "cisco", Service-Type = Outbound
Tunnel-Medium-Type = :1:IP,
Tunnel-Client-Endpoint = :1:"10.0.0.2",
Tunnel-Server-Endpoint = :1:"10.0.0.3",
Tunnel-Client-Auth-Id = :1:"l2f-cli-auth-id",
Tunnel-Server-Auth-Id = :1:"l2f-svr-auth-id",
Tunnel-Assignment-Id = :1:"l2f-assignment-id",
Cisco-Avpair = "vpdn:nas-password=l2f-cli-pass",
Cisco-Avpair = "vpdn:gw-password=l2f-svr-pass",
Tunnel-Preference = :1:1,
Tunnel-Medium-Type = :2:IP,
Tunnel-Client-Endpoint = :2:"10.0.0.2",
Tunnel-Server-Endpoint = :2:"10.0.0.3",
Tunnel-Client-Auth-Id = :2:"l2tp-cli-auth-id",
Tunnel-Server-Auth-Id = :2:"l2tp-svr-auth-id",
Tunnel-Assignment-Id = :2:"l2tp-assignment-id",
Cisco-Avpair = "vpdn:l2tp-tunnel-password=l2tp-tnl-pass",
Additional References
The following sections provide references related to RADIUS Tunnel Attribute Extensions.
Related Documents
Standards
MIBs
|
|
None. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
|
|
RFC 2868 |
RADIUS Attributes for Tunnel Protocol Support |
Technical Assistance
|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
http://www.cisco.com/techsupport |
Feature Information for RADIUS Tunnel Attribute Extensions
Table 2 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 2 Feature Information for RADIUS Tunnel Attribute Extensions
|
|
|
Feature Information for RADIUS Tunnel Attribute Extensions |
12.1(5)T 12.2(4)B3 12.2(13)T |
The RADIUS Tunnel Attribute Extensions feature allows a name to be specified (other than the default) for the tunnel initiator and the tunnel terminator in order to establish a higher level of security when setting up VPN tunneling. This feature was introduced in Cisco IOS Release 12.1(5)T. This feature was integrated into Cisco IOS Release 12.2(4)B3. This feature was integrated into Cisco IOS Release 12.2(13)T. |
Glossary
Layer 2 Forwarding (L2F)—A Layer 2 tunneling protocol that enables an ISP or other access service to create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels.
Layer 2 Tunnel Protocol (L2TP)—A Layer 2 tunneling protocol that enables an ISP or other access service to create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels.
L2TP access concentrator (LAC)—A network access server (NAS) to which the client directly connects and through which PPP frames are tunneled to the L2TP network server (LNS). The LAC need only implement the media over which L2TP is to operate to pass traffic to one or more LNSs. The LAC may tunnel any protocol carried within PPP. The LAC initiates incoming calls and receives outgoing calls. A LAC is analogous to an L2F network access server.
L2TP network server (LNS)—A termination point for L2TP tunnels, and an access point where PPP frames are processed and passed to higher-layer protocols. An LNS can operate on any platform that terminates PPP. The LNS handles the server side of the L2TP protocol. L2TP relies only on the single medium over which L2TP tunnels arrive. The LNS initiates outgoing calls and receives incoming calls. An LNS is analogous to a home gateway in L2F technology.
network access server (NAS)—A Cisco platform, or collection of platforms, such as an AccessPath system, that interfaces between the packet world (such as the Internet) and the circuit-switched world (such as the PSTN).
tunnel—A virtual pipe between the L2TP access concentrator (LAC) and L2TP network server (LNS) that can carry multiple PPP sessions.
virtual private network (VPN)—A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the L2TP network server (LNS) instead of the L2TP access concentrator (LAC).
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2000-2009 Cisco Systems, Inc. All rights reserved.