
So far in this chapter, the SuperCom RADIUS server has authenticated user PPP sessions that terminate on the San Jose PE router. In the FastFoods case, the RADIUS access-requests were proxied to the FastFoods RADIUS server at Lyon where the actual user information was stored. As has been discussed previously, this requires that a route be available between the two RADIUS servers to allow them to communicate. It also involves a series of configuration steps to import and export routes between the Management VRF, customer VRF, and global routing table. Such configurations, although quite common in MPLS VPN networks, can be prone to error and security issues.

You can eliminate the requirement of a RADIUS proxy for remote access by using a new feature call per-VRF AAA. This feature allows direct access to a customer RADIUS server from within the VRF for user authentication. The advantage of this is that a service provider RADIUS server is not required, nor are complex Intranet configurations for proxy RADIUS access. Because only one RADIUS server is required, a failure point is removed and access-request response time is improved.

The initial implementation of per-VRF AAA requires that you define a virtual-template for each VRF that contains a customer RADIUS server. Apart from the VRF name and interface addressing method, the virtual-template supplies the relevant configurations that define the access to the customer RADIUS server. A per-VRF virtual-template is required because the VHG/PE router forwards only a single access-request containing the username@domainname and password (received through the L2TP tunnel). Therefore, the VHG/PE router must know the VRF and RADIUS server for a domain before the PPP session is established so that the received username@domainname and password can be forwarded to the correct customer RADIUS server.

NOTE

Future enhancements to the per-VRF AAA feature plan to allow the service provider RADIUS server to dynamically provide the customer RADIUS information (as well as the VRF, interface addressing, and so on). Therefore, future versions will have three RADIUS requests: one from the LAC to the SP RADIUS server for tunnel information, one from the LNS to the SP RADIUS server for VPN and customer RADIUS information, and one from the LNS to the customer RADIUS server to authenticate the customer.

Table of Contents

Index

MPLS and VPN Architectures, Volume II By Jim Guichard, Ivan Pepelnjak, Jeff Apcar

Publisher: Cisco Press Pub Date: June 06, 2003

ISBN: 1-58705-112-5 Pages: 504

With MPLS and VPN Architectures, Volume II, you'll learn:

How to integrate various remote access technologies into the backbone providing VPN service to many different types of customers

The new PE-CE routing options as well as other advanced features, including per-VPN Network Address Translation (PE-NAT)

How VRFs can be extended into a customer site to provide separation inside the customer network

The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN backbone

How to carry customer multicast traffic inside a VPN

The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS VPN services

Advanced troubleshooting techniques including router outputs to ensure high availability

MPLS and VPN Architectures, Volume II, builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN.

MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting.

MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

Figure 2-27 shows the per-VRF AAA in the SuperCom network for FastFoods.

Figure 2-27. Per-VRF AAA VPDN Access

Essentially, remote access is the same as the VPDN scenario described previously, except that configuration information for the access interface is obtained from a specific virtual-template for FastFoods. This virtual-template is associated with a vpdn-group that is configured to terminate FastFoods users only. You do this by using a different hostname in the vpdn-group configuration. When the San Jose NAS/LAC receives a call for elvis@fastfoods.com, it creates the L2TP tunnel as normal, but instead of using SuperCom_LAC as the L2TP client name, a different LAC client name is used to identify FastFoods (in our case, it is FastFoods_LAC). The SuperCom RADIUS server (which is not shown) supplies this information. When the San Jose VHG/PE router receives the L2TP request, it searches for a vpdn-group that matches the LAC client name (in the terminate-from host command) and then uses the associated template. The virtual-template provides the information that allows the San Jose VHG/PE router direct access to the FastFoods RADIUS server within the FastFoods VRF so that elvis@fastfoods.com can be authenticated.

The SuperCom LAC/NAS configuration remains the same as the VPDN scenario. However, the configuration changes required for per-VRF AAA for other components are shown in the following sections.

Configuring the SuperCom San Jose PE Router

The San Jose VHG/PE router requires several configuration changes. First, you must configure an AAA server group that defines the details of the FastFoods RADIUS server. The configuration for the FastFoods RADIUS server is shown in Example 2-61. To support the possibility of overlapping addresses of customer RADIUS servers when there are multiple VRFs using the per-VRF AAA feature, a new command, server-private, has been defined under the server group. This allows RADIUS servers that have the same IP address to be defined but associated with a different VRF.

The server group also associates the VRF where the private RADIUS server is located. In our example, the FastFoods VRF uses the RADIUS server 10.2.1.5 located at Lyon, which is directly reachable in the VRF routing table. In addition, you must configure a method list for authentication and authorization for the FastFoods server group. The virtual-template for FastFoods uses these method lists.

Example 2-61. Configuring the FastFoods RADIUS Server Group

aaa group server radius SG_FastFoods
 server-private 10.2.1.5 auth-port 1645 acct-port 1646 key Two4a$
 ip vrf forwarding FastFoods
!
aaa authentication ppp FastFoods_List group SG_FastFoods
aaa authorization network FastFoods_List group SG_FastFoods

Next, you must define RADIUS-specific commands for the VRF, as shown in Example 2-62. In our case, the FastFoods RADIUS server contains unqualified usernames (no "@fastfoods.com"); therefore, the first command strips off the domain name for any access-requests in the FastFoods VRF. The second command provides a source address in the VRF that allows the FastFoods RADIUS server to reach the San Jose PE router.

Example 2-62. FastFoods RADIUS-Specific Commands for per-VRF AAA

radius-server domain-stripping vrf FastFoods
!
ip radius source-interface lo10 vrf FastFoods

Finally, the FastFoods-specific vpdn-group and virtual-template are configured, as shown in Example 2-63. Note that the hostname in the vpdn-group matches the tunnel client name attribute from the FastFoods domain entry on the SuperCom RADIUS server. Any FastFoods PPP sessions that are established over the L2TP tunnel for this vpdn-group use virtual-template 3. The virtual template defines all the relevant information to create a virtual-access interface in the FastFoods VRF, including which AAA method list to use for FastFoods users. The FastFoods_List method list causes the access-request message to be sent to the FastFoods RADIUS server 10.2.1.5 with a source address of 192.168.2.100 (loopback 10).

Example 2-63. VPDN and Virtual Template Configuration for per-VRF AAA

vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 3
 terminate-from hostname FastFoods_LAC
 local name SuperCom_LNS
 l2tp tunnel password vision
!
interface Virtual-Template3
 ip vrf forwarding FastFoods
 ip unnumbered Loopback10
 peer default ip address dhcp-pool
 ppp authentication chap FastFoods_List
 ppp authorization FastFoods_List

SuperCom RADIUS Server Attributes

The only attribute that changes for the FastFoods domain entry is the name of the Tunnel client, which is FastFoods_LAC (see Table 2-15).

Table 2-15. SuperCom RADIUS Attributes for per-VRF AAA

Attribute (Type)             Value
User-Name (1)                fastfoods.com
User-Password (2)            cisco
Tunnel-Type (64)             3 (L2TP)
Tunnel-Medium-Type (65)      1 (IPv4)
Tunnel-Server-Endpoint (67)  194.22.15.2 (San Jose VHG/PE)
Tunnel-Password (69)         vision
Tunnel-Client-Auth-ID (90)   FastFoods_LAC
Tunnel-Server-Auth-ID (91)   SuperCom_LNS
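The lookup chain described in this section, as an added example that is not the book's code: a small Python model of how the VHG/PE router goes from the L2TP client name (Tunnel-Client-Auth-ID) to the vpdn-group, the virtual-template, the VRF and method list, and finally the server-private RADIUS entry, applying per-VRF domain stripping on the way. The data structures are assumptions, and the second customer (EuroBank) is constructed to show why server-private entries must be keyed by VRF and address together.

```python
"""Added model of per-VRF AAA resolution on a VHG/PE (not the book's code).
Values for FastFoods come from Examples 2-61 to 2-63 and Table 2-15; the
EuroBank VRF is constructed to show an overlapping customer RADIUS address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivateServer:
    vrf: str                # ip vrf forwarding under the aaa group server
    address: str            # server-private <address>
    auth_port: int
    domain_stripping: bool  # radius-server domain-stripping vrf <vrf>
    source_interface: str   # ip radius source-interface <if> vrf <vrf>


# Constructed tables. Both VRFs use 10.2.1.5, which is only unambiguous
# because each entry is private to its own VRF (the point of server-private).
SERVER_GROUPS = {
    "SG_FastFoods": PrivateServer("FastFoods", "10.2.1.5", 1645, True, "Loopback10"),
    "SG_EuroBank": PrivateServer("EuroBank", "10.2.1.5", 1812, False, "Loopback11"),
}
METHOD_LISTS = {"FastFoods_List": "SG_FastFoods", "EuroBank_List": "SG_EuroBank"}
VIRTUAL_TEMPLATES = {
    3: {"vrf": "FastFoods", "ppp_authentication": "FastFoods_List"},
    4: {"vrf": "EuroBank", "ppp_authentication": "EuroBank_List"},
}
VPDN_GROUPS = {
    2: {"terminate_from": "FastFoods_LAC", "virtual_template": 3},
    3: {"terminate_from": "EuroBank_LAC", "virtual_template": 4},
}


def select_vpdn_group(lac_hostname):
    """The LNS matches the L2TP client name against each terminate-from hostname."""
    for number, group in VPDN_GROUPS.items():
        if group["terminate_from"] == lac_hostname:
            return number
    raise LookupError(f"no vpdn-group terminates tunnels from {lac_hostname}")


def resolve_aaa(lac_hostname, username):
    """Return (vrf, private server, username as sent) for one PPP session."""
    group = VPDN_GROUPS[select_vpdn_group(lac_hostname)]
    template = VIRTUAL_TEMPLATES[group["virtual_template"]]
    server = SERVER_GROUPS[METHOD_LISTS[template["ppp_authentication"]]]
    # Misconfiguration guard: the server group must live in the session's VRF,
    # otherwise the access-request would be routed in the wrong table.
    if server.vrf != template["vrf"]:
        raise ValueError(f"{template['ppp_authentication']} uses a server in VRF {server.vrf}")
    sent = username.split("@", 1)[0] if server.domain_stripping else username
    return template["vrf"], server, sent
```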
