Table Of Contents
Service Selection Gateway
Feature Overview
Web-Based Interface
RADIUS Authentication and Accounting
LDAP Directory
Multiple Traffic-Type Support
Packet Filtering
Service Access Order
Next-Hop Gateway
DNS Redirection
Fault Tolerance for DNS
Session-Timeout and Idle-Timeout RADIUS Attributes
Concurrent or Sequential Service Access Mode
Enhanced High System Availability
Web Selection of L2TP Service Type
Local Forwarding
SSG Single Host Logon
IPCP Subnet
Benefits
Restrictions
Related Documents
Supported Platforms
Supported Standards, MIBs, and RFCs
Prerequisites
Configuring SSG Features
Enabling SSG
Verifying That SSG Is Enabled
Configuring Local Service Profiles
Verifying Local Service Profiles
Configuring Security
Verifying Security
Configuring a Default Network
Verifying the Default Network
Configuring Interfaces
Verifying Interfaces
Configuring Services
Verifying Services
Enabling SSG User-Profile Caching
Verifying SSG User-Profile Caching
Configuring RADIUS Interim Accounting
Verifying Interim Accounting
Configuring Cisco Express Forwarding
Verifying Cisco Express Forwarding
Configuring Cisco IOS Network Address Translation
Verifying Cisco IOS Network Address Translation
Configuring VPI/VCI Indexing to Service Profile
Verifying VPI/VCI Indexing to Service Profile
Monitoring VPI/VCI Indexing to Service Profile
Configuring SSG to Support L2TP Service Type
Configuring SSG As a LAC
Configuring RADIUS Profiles for SSG Support of L2TP
Configuring the LNS
Monitoring L2TP
Configuring Local Forwarding
Verifying Local Forwarding
Configuring RADIUS Profiles
SSG Vendor-Specific Attributes
Cisco-AVpair Attributes
Account-Info Attributes
Service-Info Attributes
Control-Info Attributes
User Profiles
Downstream Access Control List
Upstream Access Control List
Auto Service
Home URL
Service Group
Service Name
User Profile Example
Service Profiles
Downstream Access Control List
Upstream Access Control List
L2TP Tunnel Password
VPDN IP Address
VPDN Tunnel ID
L2TP Hello Interval
DNS Server Address
Domain Name
Full Username
MTU Size
RADIUS Server
Service Authentication Type
Service-Defined Cookie
Service Description
Service Mode
Service Next-Hop Gateway
Service Route
Service URL
Type of Service
Service Profile Examples
Service Group Profiles
Group Description
Service Group
Service Name
Service Group Profile Example
Pseudo-Service Profiles
Transparent Pass-Through Filter Pseudo-Service Profile
Next-Hop Gateway Pseudo-Service Profile
RADIUS Accounting Records
Account Login
Account Logout
Connection Start
Connection Stop
Attributes Used in Accounting Records
Service User
Service Name
Octets Output
Octets Input
Monitoring and Maintaining SSG
RADIUS
Configuration Examples
Security Example
Default Network Example
Interfaces Example
Services Example
Service Search Order Example
Next-Hop Table Example
Maximum Services Example
Local Service Profile Example
Transparent Pass-Through Filter Example
Redundancy Example
RADIUS Interim Accounting Example
CEF Example
Cisco IOS NAT Example
Service-Name-to-Tunnel Mapping Example
LAC Configuration Example
RADIUS User Profile Example
RADIUS Service Profile Example
LNS Configuration Example
Service-Name-to-VC Mapping Example
Command Reference
attribute
clear ssg connection
clear ssg host
clear ssg next-hop
clear ssg pass-through-filter
clear ssg pending-command
clear ssg service
debug ssg ctrl-errors
debug ssg ctrl-events
debug ssg ctrl-packets
debug ssg data
debug ssg data-nat
debug ssg errors
debug ssg events
debug ssg packets
show ssg binding
show ssg connection
show ssg direction
show ssg host
show ssg l2x
show ssg next-hop
show ssg pass-through-filter
show ssg pending-command
show ssg service
show ssg vc-service-map
ssg accounting
ssg accounting interval
ssg bind direction
ssg bind service
ssg default-network
ssg disable
ssg enable
ssg fastswitch
ssg l2x
ssg l2x dialer-list
ssg local-forwarding
ssg maxservice
ssg multicast
ssg next-hop
ssg pass-through
ssg profile-cache
ssg radius-helper
ssg service-password
ssg service-search-order
ssg vc-service-map
test ssg l2x data
New and Changed SSG Functionality in Cisco IOS Release 12.2(4)B and Later Releases
New and Changed Functionality
Obsolete Commands
Glossary
Service Selection Gateway
Feature History
Release | Modification
12.0(3)DC | This feature was introduced on the Cisco 6400 series.
12.2(4)B | This feature was integrated into Cisco IOS Release 12.2(4)B.
12.2(8)T | This feature was integrated into Cisco IOS Release 12.2(8)T, and support was added for the Cisco 7200 series.
This document describes the Service Selection Gateway feature in Cisco IOS Releases 12.2(4)B and 12.2(8)T. If you are running Cisco IOS Release 12.2(15)B, 12.3(4)T or a later release, please refer to the "Service Selection Gateway" new-feature document that is specific to your release.
This document contains the following sections:
• Feature Overview
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Prerequisites
• Configuring SSG Features
• Configuring RADIUS Profiles
• RADIUS Accounting Records
• Monitoring and Maintaining SSG
• Configuration Examples
• Command Reference
• New and Changed SSG Functionality in Cisco IOS Release 12.2(4)B and Later Releases
• Glossary
Note
Significant changes were made in SSG functionality in Cisco IOS Release 12.2(4)B. For a summary of the differences between SSG in Cisco IOS Release 12.2(2)B and Cisco IOS Release 12.2(4)B and later releases, please see the section "New and Changed SSG Functionality in Cisco IOS Release 12.2(4)B and Later Releases" later in this document.
Feature Overview
Service Selection Gateway (SSG) is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as digital subscriber lines (DSL), cable modems, or wireless to allow simultaneous access to network services.
SSG works in conjunction with the Cisco Service Selection Dashboard (SSD) or its successor product, the Cisco Subscriber Edge Services Manager (SESM). Together with the SESM or SSD, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with an SESM or SSD web application using a standard Internet browser.
The SESM operates in two modes:
• RADIUS mode—This mode obtains subscriber and service information from a RADIUS server. SESM in RADIUS mode is similar to the SSD.
• LDAP mode—The Lightweight Directory Access Protocol (LDAP) mode provides access to an LDAP-compliant directory for subscriber and service profile information. This mode also has enhanced functionality for SESM web applications and uses a role-based access control (RBAC) model to manage subscriber access.
This document provides information on general SSG configuration that applies to the SESM in both LDAP mode and RADIUS mode. It also provides RADIUS-specific configuration information that applies only to the SESM in RADIUS mode or the SSD.
If your deployment uses the SESM in LDAP mode, refer to these documents for additional information about LDAP-mode topics:
• For information on configuring the SESM, see the Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide.
• For information on creating and maintaining subscriber, service, and policy information in an LDAP directory, see the Cisco Distributed Administration Tool Guide.
Note
The SESM and SSD functionality described in this document is available only with SSG.
In the remainder of this document, all references to the SESM also apply to the SSD unless a clear distinction is made.
Figure 1 is a diagram of a sample network topology including SSG. This is an end-to-end, service-oriented DSL deployment consisting of digital subscriber line access multiplexers (DSLAMs), asymmetric digital subscriber line (ADSL) modems, and other internetworking components and servers. SSG resides in a router that is serving as a broadband aggregator. The broadband aggregator acts as a central control point for Layer 2 and Layer 3 services, including services available through ATM virtual circuits (VCs), virtual private dial-up networks (VPDNs), and normal routing methods.
Figure 1 SSG Connection Between ADSL Equipment and Network Services
SSG communicates with the authentication, authorization, and accounting (AAA) management network where RADIUS, Dynamic Host Configuration Protocol (DHCP), and Simple Network Management Protocol (SNMP) servers reside and with the Internet service provider (ISP) network, which may connect to the Internet, corporate networks, and value-added services.
A licensed version of SSG works with SESM to present to subscribers a menu of network services that can be selected from a single graphical user interface (GUI). This functionality improves flexibility and convenience for subscribers and enables service providers to bill subscribers for connect time and services used, rather than charging a flat rate.
When SSG is used with the SESM, the user opens an HTML browser and accesses the URL of the SESM web server application. The SESM forwards the user login information to SSG, which forwards the information either to the AAA server, for the SSD or SESM in RADIUS mode, or to the RADIUS-DESS Proxy (RDP) component of the SESM, for the SESM in LDAP mode.
• If the user is not valid, the AAA server or RDP sends an Access-Reject message.
• If the user is valid, the AAA server or RDP sends an Access-Accept message with information specific to the user's profile about which services the user is authorized to use. SSG logs the user in, creates a host object in memory, and sends the response to the SESM.
Based on the contents of the Access-Accept response, the SESM presents a menu of services that the user is authorized to use, and the user selects one or more of the services. SSG then creates an appropriate connection for the user and optionally starts RADIUS accounting for the connection.
Note that when a non-PPP user, such as in a bridged-networking environment, disconnects from a service without logging out, the connection remains open and the user can reaccess the service without going through the login procedure. This is because no direct connection (PPP) exists between the subscribers and SSG. To prevent non-PPP users from being logged in to services indefinitely, be sure to configure the Session-Timeout and/or Idle-Timeout RADIUS attributes.
SSG supports the features and functionality described in the following sections:
• Web-Based Interface
• RADIUS Authentication and Accounting
• LDAP Directory
• Multiple Traffic-Type Support
• Packet Filtering
• Service Access Order
• Next-Hop Gateway
• DNS Redirection
• Fault Tolerance for DNS
• Session-Timeout and Idle-Timeout RADIUS Attributes
• Concurrent or Sequential Service Access Mode
• Enhanced High System Availability
• Web Selection of L2TP Service Type
• Local Forwarding
• SSG Single Host Logon
• IPCP Subnet
Web-Based Interface
SSG works with the Cisco SESM. The SESM is a specialized web server that allows users to log in to and disconnect from multiple pass-through and proxy services through a standard web browser.
After the user opens a web browser, SSG allows access to a single IP address or subnet, referred to as the default network. This is typically the IP address of the SESM. The SESM prompts the user for a username and password. After the user is authenticated, the SESM presents a list of available services.
The SESM provides all the functionality of its predecessor product, the SSD. The SESM also introduces the following functionality:
• Policy-based service subscription and self-care. Service providers can grant users certain privileges, including these:
  – Subscribing to or unsubscribing from network services that the users are authorized to access
  – Creating subaccounts and subscribing them to services
  – Changing account details, such as password and billing address
• LDAP-compliant directory storage of service and subscriber information. LDAP provides the following:
  – Implementation of self-care by enabling dynamic user updates of subscriber and service information
  – Management of users as groups—service providers can simply add services to user-group profiles instead of individual user profiles
RADIUS Authentication and Accounting
SSG is designed to work with RADIUS-based AAA servers that accept vendor-specific attributes (VSAs).
LDAP Directory
SSG using the SESM in LDAP mode can use an LDAP directory as the data repository for service, subscriber, and policy information.
Multiple Traffic-Type Support
SSG supports the following types of service:
• Pass-through service
SSG can forward traffic through any interface by means of normal routing or a next-hop table. Because Network Address Translation (NAT) is not performed for this type of traffic, overhead is reduced. Pass-through service is ideal for standard Internet access.
• Proxy service
When a subscriber requests access to a proxy service, SSG proxies the Access-Request packet to the remote AAA server. Upon receiving an Access-Accept packet from the remote RADIUS server, the SSG logs the subscriber in. To the remote AAA server, SSG appears as a client.
If the RADIUS server assigns an IP address to the subscriber during remote authentication, SSG performs NAT between the assigned IP address and the real IP address of the subscriber. If the remote RADIUS server does not assign an IP address, NAT is not performed.
When a user selects a proxy service, there is another prompt for username and password. After authentication, the service is accessible until the user logs out from the service, logs out from the SESM, or times out.
• Transparent pass-through
When enabled, transparent pass-through allows unauthenticated subscriber traffic to be routed through SSG in either direction. Filters can be specified to control transparent pass-through traffic. These are some of the applications for this feature:
  – Making SSG easy to integrate into an existing network by not requiring users who have authenticated with network access servers (NAS) to authenticate with SSG
  – Allowing management traffic (such as TACACS+, RADIUS, and SNMP) from NASes connected to the host network to pass through to the service provider network
  – Allowing visitors or guests to access certain parts of the network
• PPP Termination Aggregation (PTA) and PTA Multi-Domain (PTA-MD)
PPP Termination Aggregation (PTA) can be used only by PPP-type users. AAA is performed exactly as in the proxy service type. A subscriber logs in to a service by using a PPP dialer application with a username of the form "user@service". SSG recognizes "@service" as a service profile and loads the service profile from the local configuration or a AAA server. SSG forwards the AAA request to the remote RADIUS server as specified by the RADIUS-Server attribute of the service profile. An address is assigned to the subscriber through RADIUS attribute 8 or Cisco-AVpair "ip:addr-pool". NAT is not performed, and all user traffic is aggregated to the remote network. With PTA, users can access only one service. Users do not have access to the default network or the SESM.
Whereas PTA terminates the PPP session into a single routing domain, PTA-MD terminates the PPP sessions into multiple IP routing domains, thus supporting a wholesale Virtual Private Network (VPN) model in which each domain is isolated from the other by an ATM core and has the capability to support overlapping IP addresses.
Packet Filtering
SSG uses Cisco IOS access control lists (ACLs) to prevent users, services, and pass-through traffic from accessing specific IP addresses and ports.
• Services
When an ACL attribute is added to a service profile, all users of that service are prevented from accessing the specified IP address, subnet mask, and port combinations through the service.
• Users
When an ACL attribute is added to a user profile, it applies globally to all traffic for the user.
• Transparent pass-through
Upstream and downstream attributes, including the Upstream Access Control List and Downstream Access Control List attributes, can be added to a special pseudo-service profile that can be downloaded to SSG from a RADIUS server. Additionally, locally configured ACLs can be used. After the ACLs have been defined, they are applied to all traffic passed by the transparent pass-through feature.
Service Access Order
When users are accessing multiple services, SSG must determine the services for which the packets are destined. To do this, SSG uses an algorithm to create a service access order list that is stored in the user's host object. This list contains services that are currently open and the order in which they are to be searched. The algorithm that creates this list orders the open services based on the closest matching network address.
Next-Hop Gateway
The Next-Hop Gateway attribute is used to specify the next hop key for a service. Each SSG uses its own next-hop gateway table, which associates this key with an actual IP address.
Note that this attribute overrides the IP routing table for packets destined to a service.
DNS Redirection
When SSG receives a Domain Name Server (DNS) request, it performs domain name matching by using the Domain Name attribute from the service profiles of the currently logged-in services.
If a match is found, the request is redirected to the DNS server for the matched service.
If a match is not found and the user is logged in to a service that has Internet connectivity, the request is redirected to the first service in the user's service access order list that has Internet connectivity. Internet connectivity is defined as a service containing a Service Route attribute of 0.0.0.0/0.
If a match is not found and the user is not logged in to a service that has Internet connectivity, the request is forwarded to the DNS server defined in the client's TCP/IP stack.
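The following Python model is an added illustration, not code from the Cisco document: it builds a host object's service access order list from the services' Service Route attributes (most specific route first, as described under "Service Access Order") and then applies the three DNS redirection rules above using the Domain Name and DNS Server Address attributes. The service names, addresses, and the tie-break that keeps login order between equally specific routes are constructed assumptions.

```python
"""Added example: a model of SSG's service access order list and DNS redirection.

Not Cisco code. Service names, addresses and the tie-break between services with
equally specific routes (login order is kept) are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Service:
    """The parts of a service profile this model needs: Service Route, Domain Name, DNS Server Address."""
    name: str
    routes: List[str]                                      # Service Route attributes, e.g. "10.0.0.0/8"
    domain_names: List[str] = field(default_factory=list)  # Domain Name attributes
    dns_server: Optional[str] = None                       # DNS Server Address attribute

    def networks(self) -> List[ipaddress.IPv4Network]:
        return [ipaddress.ip_network(r) for r in self.routes]

    def has_internet_connectivity(self) -> bool:
        # The document defines Internet connectivity as a Service Route of 0.0.0.0/0.
        return DEFAULT_ROUTE in self.networks()

    def most_specific_prefix(self) -> int:
        return max(net.prefixlen for net in self.networks())

    def matches_domain(self, qname: str) -> bool:
        # Label-aligned suffix match: "mail.corp.example" matches "corp.example",
        # but "notcorp.example" does not.
        q = qname.rstrip(".").lower()
        for d in self.domain_names:
            d = d.strip(".").lower()
            if q == d or q.endswith("." + d):
                return True
        return False


@dataclass
class HostObject:
    """Per-subscriber host object: the services currently open, in login order."""
    ip: str
    open_services: List[Service] = field(default_factory=list)

    def service_access_order(self) -> List[Service]:
        # Closest-matching network first: sort by the most specific route each
        # service carries. Python's sort is stable, so services with equally
        # specific routes keep their login order (assumption).
        return sorted(self.open_services,
                      key=lambda s: s.most_specific_prefix(), reverse=True)

    def service_for_destination(self, dst: str) -> Optional[str]:
        """Walk the access order list and return the first service whose route contains dst."""
        dst_ip = ipaddress.ip_address(dst)
        for svc in self.service_access_order():
            if any(dst_ip in net for net in svc.networks()):
                return svc.name
        return None  # no open service routes this destination

    def dns_target(self, qname: str, client_dns: str) -> str:
        """Apply the three DNS redirection rules and return the DNS server to use."""
        # 1. Domain Name match against the logged-in services (a service without a
        #    DNS Server Address is skipped; assumption).
        for svc in self.open_services:
            if svc.matches_domain(qname) and svc.dns_server:
                return svc.dns_server
        # 2. Otherwise, the first service in the access order list with Internet connectivity.
        for svc in self.service_access_order():
            if svc.has_internet_connectivity() and svc.dns_server:
                return svc.dns_server
        # 3. Otherwise, the DNS server configured in the client's TCP/IP stack.
        return client_dns


def build_sample_host() -> HostObject:
    """Constructed sample: a subscriber logged in to three services, in this login order."""
    internet = Service("internet", ["0.0.0.0/0"], dns_server="192.0.2.53")
    corp = Service("corp", ["10.0.0.0/8"], ["corp.example"], "10.1.1.53")
    games = Service("games", ["10.20.0.0/16"], ["games.example"], "10.20.0.53")
    return HostObject("172.16.5.9", [internet, corp, games])


if __name__ == "__main__":
    host = build_sample_host()
    print([s.name for s in host.service_access_order()])        # ['games', 'corp', 'internet']
    print(host.service_for_destination("10.20.7.1"))             # games (most specific route wins)
    print(host.dns_target("mail.corp.example", "203.0.113.1"))   # 10.1.1.53
    print(host.dns_target("www.example.org", "203.0.113.1"))     # 192.0.2.53 (Internet service)
```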
Fault Tolerance for DNS
SSG can be configured to work with a single DNS server or with two servers in a fault-tolerant configuration. By means of an internal algorithm, DNS requests are switched to the secondary server if the primary server fails to respond with a DNS reply within a certain time limit.
Session-Timeout and Idle-Timeout RADIUS Attributes
In a dial-up networking or bridged (non-PPP) network environment, a user can disconnect from the NAS and release the IP address without logging out from SSG. If this happens, SSG continues to allow traffic to pass from that IP address, and this can be a problem if the IP address is obtained by another user.
SSG provides two mechanisms to prevent this problem from occurring:
• Idle-Timeout attribute—Specifies the maximum length of time for which a session or connection can remain idle before it is disconnected
• Session-Timeout attribute—Specifies the maximum length of time for which a host or connection object can remain continuously active
The Session-Timeout and Idle-Timeout attributes can be used in either a user or service profile. In a user profile, the attribute applies to the user's session. In a service profile, the attribute applies individually to each service connection.
Concurrent or Sequential Service Access Mode
SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log in to this service while simultaneously connected to other services. Sequential access requires that the user log out of all other services before accessing a service configured for sequential access.
Concurrent access is recommended for most services. Sequential access is ideal for services for which security is important, such as corporate intranet access, or for which there is a possibility of overlapping address space.
Enhanced High System Availability
SSG supports enhanced high system availability (EHSA) redundancy. You can configure this chassis redundancy at the slot level of the router for adjacent slot or subslot pairs. For example, if you have SSGs installed in slots 1 and 2, you can set a preferred device between the two. To ensure that configuration is consistent between redundant SSGs, you can configure automatic synchronization between the two SSGs. You can also manually force the primary and secondary devices in a redundant pair to switch roles.
Web Selection of L2TP Service Type
SSG supports Layer 2 Tunnel Protocol (L2TP). When a subscriber selects a service through SESM, the router serves as an L2TP access concentrator (LAC) and sends the PPP session through the service-specific L2TP tunnel. If the tunnel does not already exist, the LAC creates the proper tunnel to the L2TP network server (LNS).
Local Forwarding
SSG can be enabled to forward packets locally between directly connected subscribers.
SSG Single Host Logon
To log in to a service through the SESM, a subscriber has to log in only twice: once for the PPP session and once for the service.
IPCP Subnet
IP Control Protocol (IPCP) subnet support allows SSG to populate a host's DHCP server with a pool of IP addresses. The PPP session from the host is terminated at the SSG. During IPCP negotiations, SSG uses the IPCP subnet mask negotiation option to send a range of IP addresses to the customer premises equipment (CPE) device at the host network. The CPE assigns IP addresses to the users in the SSG's domain, thus avoiding the need for NAT at the CPE device.
To enable IPCP subnet mask, the Framed-IP-Netmask attribute (standard RADIUS attribute 9) and Framed-IP-Address attribute (standard RADIUS attribute 8) must be included in the user profile. The Framed-IP-Netmask value is passed during IPCP negotiation as an option.
Benefits
Two important aspects of providing internetworking services to a user are the access technology and the service itself. In a traditional service-provider environment, the service and access technologies are tightly joined, imposing difficulties in rolling out new services dynamically and restricting the service provider to flat billing based on the access technology.
SSG separates the service and access technologies, enabling subscribers to choose dynamically from a selection of services and service providers to implement service- and usage-based billing strategies.
SSG with SESM provides the following benefits:
Web-based Service Selection
SSG with SESM allows a service provider to create a branded web portal that presents subscribers with a menu of services. Subscribers can log in to and disconnect from different services using a web browser. This web-based service selection method takes advantage of the ubiquity of web browsers and eliminates problems related to client software (such as license fees, distribution logistics, and an increased customer support burden).
Billing Flexibility for Service Providers
Cisco SSG allows subscribers to select services dynamically. SSG then switches the subscriber traffic to the selected services. SSG monitors user connections, service login and logout, and user activity per service. By providing per-connection accounting, SSG enables service providers to bill subscribers for connection time and services used rather than charging a flat rate.
Ease in Providing Open Access
Open access is an important trend in the access-provider industry. Regulators in an increasing number of countries are demanding that access providers provide equal-access service to Internet service providers (ISPs) other than their own. SSG can enable access providers to deploy services to multiple ISPs and allow the consumer to choose dynamically the ISP they would like to use.
Flexibility and Convenience for Subscribers
SSG provides users with access to multiple simultaneous services, such as the Internet, gaming servers, connectivity to corporate networks, and the luxury of differential service selection. Users can dynamically connect to and disconnect from any of the services available to them.
Restrictions
Multicast
SSG does not process multicast packets. Multicast packets are handled by Cisco IOS software.
VPI/VCI Indexing to Service Profile
Virtual path identifier (VPI)/virtual channel identifier (VCI) indexing to service profile works only for PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE) over ATM.
Related Documents
For information about configuring SSD and SESM, see the following documents:
• Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide
• Cisco Service Selection Dashboard Installation and Configuration Guide
• Cisco Service Selection Dashboard Web Developer Guide
For more information about configuring RADIUS, refer to the following documents:
• The chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2
• The chapter "RADIUS Commands" in the Cisco IOS Security Command Reference, Release 12.2
For more information about configuring L2TP, refer to the following documents:
• The chapter "Configuring Virtual Private Networks" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2.
• The Cisco IOS Dial Technologies Command Reference, Release 12.2.
Supported Platforms
The following platforms are supported in Cisco IOS Release 12.2(4)B:
• Cisco 7200 series
• Cisco 7400 series
The following platforms are supported in Cisco IOS Release 12.2(8)T:
• Cisco 7200 series (with the image c7200-g4js-mz only)
Support for the Service Selection Gateway feature in Cisco IOS Release 12.2(8)T depends on the availability of the c7200-g4js-mz image.
Determining Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Feature Navigator home page at the following URL:
http://www.cisco.com/go/fn
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Interfaces
SSG is supported on enhanced ATM, Ethernet, and Fast Ethernet interfaces.
CEF Switching
IP CEF must be enabled before SSG will work.
Cisco Subscriber Edge Services Manager
If you want to perform Layer 3 service selection, you must install and configure the Cisco SESM as described in the Cisco Subscriber Edge Services Manager and Subscriber Policy Engine Installation and Configuration Guide.
Single Host Logon
In order to use the Single Host Logon feature, you must install and configure Cisco SESM or Cisco SSD version 2.5 or a later version.
Layer 2 Tunnel Protocol
To achieve 2000 L2TP sessions, you need at least 128 MB of DRAM.
Configuring SSG Features
The tasks in the following sections describe how to enable SSG and configure SSG features. Each task in the list is identified as either required or optional.
The following tasks apply to SSG when used with SSD or with SESM in RADIUS or LDAP mode:
• Enabling SSG (required)
• Configuring Local Service Profiles (optional)
• Configuring Security (required)
• Configuring a Default Network (required for SSG with SSD or SESM; otherwise optional)
• Configuring Interfaces (optional)
• Configuring Services (required)
• Enabling SSG User-Profile Caching (optional)
• Configuring RADIUS Interim Accounting (optional)
• Configuring Cisco Express Forwarding (required)
• Configuring Cisco IOS Network Address Translation (optional)
• Configuring VPI/VCI Indexing to Service Profile (optional)
• Configuring SSG to Support L2TP Service Type (optional)
• Configuring Local Forwarding (optional)
Enabling SSG
SSG is disabled by default. To enable SSG, enter the following command in global configuration mode:
Command: Router(config)# ssg enable
Purpose: Enables SSG functionality.
Verifying That SSG Is Enabled
To verify that SSG is enabled, enter the show running-config command.
Configuring Local Service Profiles
You can configure local service profiles in addition to the service profiles on the remote RADIUS server. See the section "Configuring RADIUS Profiles" for information on configuring service profiles on the remote RADIUS server.
Note
This task is optional.
To configure a local service profile, use the following commands beginning in global configuration mode:
Command: Router(config)# local-profile profilename
Purpose: Configures a local RADIUS service profile. Enters profile configuration mode.
Command: Router(config-prof)# attribute radius-attribute-id [vendor-id] [cisco-vsa-type] attribute-value
Purpose: Configures an attribute in a local RADIUS service profile.
Note: Only attributes that can appear in RADIUS Access-Accept packets can be configured using the attribute command.
Verifying Local Service Profiles
To verify that local service profiles have been configured correctly, enter the show running-config command.
Configuring Security
To configure security for SSG, use the following commands in global configuration mode:
Command: Router(config)# aaa new-model
Purpose: Enables AAA.
Command: Router(config)# aaa authentication ppp default radius
Purpose: Specifies RADIUS as the default authentication method for users that log in to serial interfaces by using PPP.
Command: Router(config)# aaa authorization network default radius
Purpose: Specifies that RADIUS is the default authorization used for all network-related requests.
Command: Router(config)# radius-server host {hostname | ip-address} [auth-port UDP-port-number] [acct-port UDP-port-number]
Purpose: Specifies the RADIUS server host.
Command: Router(config)# radius-server key AAAPassword
Purpose: Sets the RADIUS shared secret between the SSG and the local AAA server.
Command: Router(config)# radius-server vsa send
Purpose: (Optional) Sends vendor-specific attributes with authentication and accounting requests to the AAA server.
Command: Router(config)# ssg radius-helper key key
Purpose: Sets the RADIUS shared secret key between SSG and SESM.
Command: Router(config)# ssg radius-helper [auth-port UDP-port-number] [acct-port UDP-port-number]
Purpose: Specifies the UDP default port numbers for a RADIUS authentication server (1645) and accounting server (1646).
Command: Router(config)# ssg service-password password
Purpose: Sets the password used to authenticate the SSG with the local AAA server service profiles. This value must match the value configured for the AAA server service profiles.
Verifying Security
To verify that security has been configured correctly, enter the show running-config command.
Configuring a Default Network
To configure the first IP address or subnet that users are able to access without authentication, use the following command in global configuration mode:
Command: Router(config)# ssg default-network ip-address mask
Purpose: Sets the IP address or subnet that users are able to access without authentication. Typically, this is the address where the Cisco SESM resides. A mask provided with the IP address specifies the range of IP addresses that users are able to access without authentication.
Verifying the Default Network
To verify that the default network has been configured correctly, enter the show running-config command.
Configuring Interfaces
When an interface is configured as an SSG uplink or downlink interface, non-SSG traffic is not allowed to pass through that interface.
If you are going to use PPP to connect subscribers to SSG, you do not have to configure any downlink interfaces. If you are using non-PPP connections, such as bridging or LAN, you must configure at least one downlink interface.
To configure a downlink interface, use the following command in global configuration mode:
Command: Router(config)# ssg bind direction downlink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
Purpose: Specifies a downlink interface, that is, the interface to the subscribers.
Configure all interfaces that are connected to services as uplink interfaces. To configure an uplink interface, use the following command in global configuration mode:
Command: Router(config)# ssg bind direction uplink {ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
Purpose: Specifies an uplink interface, that is, the interface to the services.
Verifying Interfaces
To verify that interfaces have been configured correctly, enter the show ssg direction command.
Configuring Services
Note
Every service must be bound to an uplink interface. If the service binding is not defined in the next-hop table, then the service must be bound by using the ssg bind service command.
To configure services, use the following commands in global configuration mode:
Command: Router(config)# ssg bind service service {ip-address | ATM atm-interface | Async async-interface | BVI bvi-interface | Dialer dialer-interface | Ethernet ethernet-interface | FastEthernet fastethernet-interface | Group-Async group-async-interface | Lex lex-interface | Loopback loopback-interface | Multilink multilink-interface | Null null-interface | Port-channel port-channel-interface | Tunnel tunnel-interface | Virtual-Access virtual-access-interface | Virtual-Template virtual-template-interface | Virtual-TokenRing virtual-tokenring-interface}
Purpose: Specifies the interface for a service.
Note: If the service binding is defined in the next-hop table, it is not necessary to bind the service by using the ssg bind service command.
Command: Router(config)# ssg service-search-order {local | remote | local remote | remote local}
Purpose: (Optional) Specifies the order in which SSG searches for a service profile. The default service search order is local remote; that is, the SSG searches for service profiles first in Flash memory and then on the RADIUS server.
Command: Router(config)# ssg next-hop download [profile-name] [profile-password]
Purpose: (Optional) Downloads the next-hop table from a RADIUS server.
Command: Router(config)# ssg maxservice number
Purpose: (Optional) Sets the maximum number of services per user. The default is 10.
Verifying Services
To verify that services have been bound to interfaces correctly, enter the show ssg service command. To verify that the service search order and maximum services have been configured correctly, enter the show running-config command. To verify all mappings between services and IP addresses, enter the show ssg next-hop command.
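The commands from the security, default-network, interface and service sections, assembled into one working configuration. This is an added example, not configuration from the document or from Cisco; the addresses, interface names, service names and secrets are constructed placeholders.

```ios
! Added example (not from the document): minimal SSG configuration built
! from the commands in the sections above. Addresses, interface names,
! service names and secrets are constructed placeholders.
aaa new-model
aaa authentication ppp default radius
aaa authorization network default radius
!
! Local AAA (RADIUS) server that holds the user and service profiles.
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646
radius-server key CHANGE-ME-aaa-secret
radius-server vsa send
!
! Shared secret and ports between SSG and the SESM (RADIUS helper).
! The key must match the one configured on the SESM.
ssg radius-helper key CHANGE-ME-sesm-secret
ssg radius-helper auth-port 1645 acct-port 1646
!
! Password SSG presents when it requests service profiles; it must match
! the password set on the service profiles in the AAA server.
ssg service-password CHANGE-ME-service-secret
!
! Subscribers can reach this address before they authenticate, so it is
! scoped to the single SESM host rather than a whole subnet.
ssg default-network 10.0.1.10 255.255.255.255
!
! Downlink (subscriber side) and uplink (service side) interfaces.
! Once bound, an interface no longer passes non-SSG traffic.
ssg bind direction downlink FastEthernet 0/0
ssg bind direction uplink FastEthernet 0/1
!
! Every service is bound to the uplink that reaches it, either by
! interface or by next-hop address, unless the next-hop table already
! provides the binding.
ssg bind service internet FastEthernet 0/1
ssg bind service corp-vpn 172.16.0.1
!
ssg service-search-order local remote
ssg maxservice 5
!
! The three secrets above are shown by show running-config;
! service password-encryption only obfuscates them in that output.
! Verify with: show running-config, show ssg direction, show ssg service,
! show ssg next-hop
```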
Enabling SSG User-Profile Caching
SSG user-profile caching allows SSG to cache the user profiles of non-PPP users. User profiles of PPP and RADIUS proxy users are always cached by SSG by default. In situations in which the user profile is not available from other sources, SSG user-profile caching makes the user profile available for RADIUS status queries, providing support for single-sign-on functionality and for failover from one SESM to another.
Note
If you are using SSG with the SESM in LDAP mode, you may want to disable SSG user-profile caching in order to save memory and improve scalability. SSG user-profile caching is required only when the SESM is used in RADIUS mode.
To enable SSG user-profile caching, use the following command in global configuration mode:
Command: Router(config)# ssg profile-cache
Purpose: Enables the caching of user profiles for non-PPP users.
Verifying SSG User-Profile Caching
To verify that SSG is configured to support user-profile caching, enter the show running-config command.
Configuring RADIUS Interim Accounting
SSG supports intermittent RADIUS accounting updates. When a user logs in to SSG, SSG sends an accounting start record to the local RADIUS server. When a user logs in to a service, SSG sends a connection start record to the local RADIUS server and to the remote RADIUS proxy server. During the time that the user is logged in to SSG, SSG sends accounting update records at specified intervals to the appropriate server. When a user logs out of a service, SSG sends a connection stop record to the local RADIUS server and to the remote RADIUS proxy server. When a user logs out of SSG, SSG sends an accounting stop record to the local RADIUS server. See the section "Configuration Examples" for more information.
Note
This task is optional.
To configure SSG to send accounting updates to the accounting server, use the following commands in interface configuration mode:
Command: Router(config-if)# ssg accounting
Purpose: Enables SSG accounting. SSG accounting is enabled by default. If it has been disabled with the no ssg accounting command, you must reenable it with the ssg accounting command in order to have SSG send accounting records.
Command: Router(config-if)# ssg accounting interval seconds
Purpose: Specifies the interval at which accounting updates are sent to the accounting server. The minimum interval is 60 seconds. The default interval is 600 seconds.
Verifying Interim Accounting
To verify that SSG is configured to support RADIUS accounting, enter the show running-config command.
Configuring Cisco Express Forwarding
SSG works with CEF switching technology to provide maximum Layer 3 switching performance. Because CEF is topology-driven rather than traffic-driven, its performance is unaffected by network size or dynamics.
Note
CEF is disabled by default.
To enable IP CEF, use the following command in global configuration mode:
Command: Router(config)# ip cef
Purpose: Enables global IP CEF.
Verifying Cisco Express Forwarding
To verify that CEF has been enabled, enter the show running-config and show ip cef commands.
Configuring Cisco IOS Network Address Translation
SSG uses Cisco IOS Network Address Translation (NAT) to map the inside IP addresses of subscribers to the outside IP addresses from the destination service networks. This version of NAT replaces the SSG NAT used in Cisco IOS Release 12.0(3)DC.
To configure Cisco IOS NAT, you must specify an inside interface from which clients connect to the SSG and an outside interface from which services are accessed. To specify the desired inside and outside interfaces, use the following commands in interface or subinterface configuration mode:
Note
This task is optional.
Command: Router(config-if)# ip nat inside
Purpose: Specifies the inside interface from which clients access SSG.
Command: Router(config-subif)# ip nat outside
Purpose: Specifies the outside interface from which services are accessed.
Verifying Cisco IOS Network Address Translation
To verify that inside and outside ports have been specified correctly, enter the show running-config command. To view your NAT addresses, enter the show ip nat translations command.
Configuring VPI/VCI Indexing to Service Profile
Note
VPI/VCI indexing to service profile works only for PPPoA and PPPoE over ATM.
SSG supports virtual path identifier/virtual channel identifier (VPI/VCI) closed user groups by allowing VPI/VCIs to be bound to a given service. All users accessing SSG through the VPI/VCI or a range of VPI/VCIs will be able to access the service. You can specify whether users are allowed to access only the bound service or other additional services to which they subscribe. A closed user group service can be selected only through the VPI/VCI and not by entering the domain name in the username of a PPP session.
Note
This task is optional.
To configure VPI/VCI closed user groups, you must map VPI/VCIs to a given service. To map VCs to service names, use the following command in global configuration mode:
Command: Router(config)# ssg vc-service-map service-name [interface number] {start-vpi | start-vpi/vci} [end-vpi | end-vpi/vci] {exclusive | non-exclusive}
Purpose: Maps VCs to service names.
Verifying VPI/VCI Indexing to Service Profile
To view service-name-to-VC mappings, enter the show running-config and show ssg vc-service-map commands.
Monitoring VPI/VCI Indexing to Service Profile
Command: Router# show ssg vc-service-map
Purpose: Displays VC-to-service-name mappings.
Configuring SSG to Support L2TP Service Type
Note
Before configuring this feature, see the prerequisites for Layer 2 Tunnel Protocol.
SSG can be configured to support L2TP, so that when a subscriber selects a service through the SESM, the router serves as a LAC and sends the PPP session through the service-specific L2TP tunnel. If the tunnel does not already exist, the LAC creates the proper tunnel to the LNS.
To configure SSG to support L2TP, perform the tasks in the following sections:
• Configuring SSG As a LAC
• Configuring RADIUS Profiles for SSG Support of L2TP
• Configuring the LNS
Configuring SSG As a LAC
To configure SSG as a LAC, use the following command in global configuration mode:
Command: Router(config)# vpdn enable
Purpose: Enables L2TP functionality.
Verifying the LAC Configuration
To verify the LAC configuration, enter the show running-config command.
Configuring RADIUS Profiles for SSG Support of L2TP
The following vendor-specific attributes are used by the SSG to support L2TP:
• Cisco-AVpair VPDN Attributes
• Account-Info VPDN Attributes
• Service-Info VPDN Attributes
For general information on configuring RADIUS profiles for SSG, see the section "Configuring RADIUS Profiles."
Cisco-AVpair VPDN Attributes
Table 1 lists the Cisco-AVpair attributes used in the service profile to configure VPDN.
Table 1 Cisco-AVpair Attributes
Attribute: VPDN IP Address
Description: Specifies the IP addresses of the home gateways (LNSes) to receive the L2TP connections.
Attribute: VPDN Tunnel ID
Description: Specifies the name of the tunnel, which must match the tunnel ID specified in the LNS VPDN group.
Attribute: L2TP Tunnel Password
Description: Specifies the secret (password) used for L2TP tunnel authentication.
Account-Info VPDN Attributes
Table 2 lists the Account-Info attributes used in the user profile to subscribe the user to a VPDN service.
Table 2 Account-Info Attributes
Attribute: Auto Service
Description: (Reply attribute) Subscribes the user to a service and automatically logs the user in to the service when the user accesses the SESM. Multiple instances of this attribute can occur within a single user profile. Use one attribute for each service to which the user is subscribed.
Attribute: Service Name
Description: (Reply attribute) Subscribes the user to a service. Multiple instances of this attribute can occur within a single user profile. Use one attribute for each service to which the user is subscribed.
Service-Info VPDN Attributes
Table 3 lists the Service-Info attributes used in the service profile to define the L2TP service parameters.
Table 3 Service-Info Attributes
Attribute: Type of Service
Description: Specifies proxy, tunnel, or pass-through service. L2TP always uses tunneled service.
Attribute: MTU Size
Description: Specifies the PPP maximum transmission unit (MTU) size for SSG as a LAC. By default, the PPP MTU size is 1500 bytes.
Note: The SESM in LDAP mode does not support use of this attribute.
Attribute: Service Route
Description: Specifies the networks available to the user for this service.
Verifying the RADIUS Profile Configurations
To verify the RADIUS profiles, refer to the user documentation for your RADIUS server.
Configuring the LNS
To configure the L2TP network server (LNS), use the following commands beginning in global configuration mode.
Step 1
Command: Router(config)# username name password secret
Purpose: (Optional) Specifies the password to be used for PAP and CHAP. Subscribers can also be defined and authenticated on the AAA server serving the LNS.
Step 2
Command: Router(config)# vpdn-group number
Purpose: Selects the VPDN group and enters VPDN group configuration mode. Each L2TP tunnel requires a unique VPDN group.
Step 3
Command: Router(config-vpdn)# accept-dialin
Purpose: Creates an accept dial-in VPDN group and enters VPDN accept-dialin group configuration mode.
Step 4
Command: Router(config-vpdn-acc-in)# protocol l2tp
Purpose: Configures the VPDN group to use L2TP.
Step 5
Command: Router(config-vpdn-acc-in)# virtual-template template-number
Purpose: Specifies which virtual template will be used to clone virtual access interfaces.
Step 6
Command: Router(config-vpdn-acc-in)# exit
Purpose: Returns to VPDN group configuration mode.
Step 7
Command: Router(config-vpdn)# terminate-from hostname hostname
Purpose: Specifies the tunnel ID that will be required when a VPDN tunnel is accepted. This must match the VPDN tunnel ID configured in the RADIUS service profile.
Step 8
Command: Router(config-vpdn)# l2tp tunnel password password
Purpose: Identifies the password that the router will use for tunnel authentication.
Step 9
Command: Router(config-vpdn)# exit
Purpose: Returns to global configuration mode.
Step 10
Command: Router(config)# interface Virtual-Template number
Purpose: Creates a virtual template interface that can clone new virtual access interfaces, and enters interface configuration mode.
Step 11
Command: Router(config-if)# ip unnumbered interface-type interface-number
Purpose: Configures the interface as unnumbered and provides a local address.
Step 12
Command: Router(config-if)# peer default ip address pool pool-name
Purpose: Specifies the pool from which to retrieve the IP address to assign to a remote peer dialing in to the interface.
Step 13
Command: Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
Purpose: Specifies the order in which the CHAP or PAP protocols are requested on the interface.
Monitoring L2TP
To monitor and maintain the SSG support of L2TP, use the following commands in privileged EXEC mode:
Command: show vpdn tunnel [all | packets | state | summary | transport] [id | local-name | remote-name]
Purpose: Displays VPDN tunnel information, including tunnel protocol, ID, packets sent and received, retransmission times, and transport status.
show vpdn session [all [interface | tunnel | username]|
|