Case Studies

In this case study, VPDN is configured so that a user dials into the L2TP Access Concentrator (LAC), and based on the domain name, two things happen: a VPDN tunnel is created to the L2TP Network Server (LNS), and the actual user is authenticated by the RADIUS Server on the LNS side. This case study is based on Figure 9-10.


Figure 9-10. Basic VPDN Setup






Router Configuration
As shown in Figure 9-10, there are two routers (LAC and LNS) involved for a successful VPDN implementation. In this section, work through the configuration of these two routers.

LAC Configuration
LAC configuration involves turning on VPDN, and configuring AAA for domain name authentication. Example 9-30 shows the configuration of the LAC with an explanation.

Example 9-30. Configuration of the LAC Router
LAC# show running-config
Building configuration...
Current configuration:
!
version 12.2
service timestamps debug datetime
service timestamps log uptime
no service password-encryption
!
hostname LAC
!
!AAA commands needed to authenticate the user and obtain the
!VPDN tunnel information. Don't forget to turn on network authorization
!for PPP (aaa authorization network); that is what fetches the tunnel attributes.
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable password cisco^%we@sd
!
!The following line is for router management and has no significance for VPDN.
!For simplicity, cisco123 is used as the password; use a strong password on a
!production router.
username cisco password 0 cisco123
ip subnet-zero
no ip domain-lookup
!
!The following line turns on VPDN on the router.
vpdn enable
!
!The following line makes VPDN tunnel authorization be performed based on the
!domain name of the dial-in user. Note that by default DNIS is checked first.
vpdn search-order domain
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
no ip directed-broadcast
!
interface Async1
ip unnumbered Ethernet0
no ip directed-broadcast
ip tcp header-compression passive
encapsulation ppp
async mode dedicated
peer default ip address pool async
no cdp enable
ppp authentication chap
!
interface Group-Async1
physical-layer async
no ip address
no ip directed-broadcast
!
ip local pool default 10.1.5.5 10.1.5.50
ip local pool async 10.1.10.1 10.1.10.5
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!Define the RADIUS server and its shared key with the following command. Use a
!strong key here; for simplicity, ciscohtts123 is used in this example.
radius-server host 10.1.1.40 auth-port 1645 acct-port 1646 key ciscohtts123
!
line con 0
transport input none
line 1
session-timeout 20
exec-timeout 0 0
password cisco123
autoselect during-login
autoselect ppp
modem InOut
transport preferred none
transport output none
stopbits 1
speed 38400
flowcontrol hardware
line 2 16
modem InOut
transport input all
speed 38400
flowcontrol hardware
line aux 0
line vty 0 4
password cisco123
!
end
LAC#





Example 9-31 shows the configuration of the LNS (the home gateway).

Example 9-31. Configuration of LNS Router
LNS# show running-config
Building configuration...
Current configuration:
!
version 12.2
service timestamps debug datetime
service timestamps log uptime
no service password-encryption
!
hostname LNS
!You must make sure to turn on PPP network authorization along with the
!authentication commands.
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable password cisco^%we@sd
!
username cisco password 0 cisco123
ip subnet-zero
no ip domain-lookup
!User the_LNS (the local name of the tunnel, configured below) is used to
!authenticate the tunnel. The password used here must match the
!vpdn:l2tp-tunnel-password configured for the domain in the LAC RADIUS server.
username the_LNS password 0 DHAKA
!Enable VPDN on the LNS.
vpdn enable
!VPDN group for connection from the LAC.
vpdn-group 1
!This command specifies that the router uses virtual-template 1 for tunnel-id DOHA
!(which matches the tunnel-id configured in the LAC RADIUS server).
accept dialin l2tp virtual-template 1 remote DOHA
!The username used to authenticate this tunnel is the_LNS (configured above).
local name the_LNS
!
interface Ethernet0
ip address 10.1.1.15 255.255.255.0
no ip directed-broadcast
!
!Virtual-template that is used for the incoming connection.
interface Virtual-Template1
ip unnumbered Ethernet0
no ip directed-broadcast
peer default ip address pool default
ppp authentication chap
!
interface Async1
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
async mode interactive
peer default ip address pool async
ppp authentication chap
!
ip local pool default 10.1.6.1 10.1.6.5
ip local pool async 10.1.12.100 10.1.12.110
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
!The RADIUS server host and shared key are defined with the following line. A
!strong key is recommended; it protects the attributes the server returns.
radius-server host 10.1.1.40 auth-port 1645 acct-port 1646 key ciscohtts123
!
line con 0
transport input none
line 1
session-timeout 20
exec-timeout 5 0
password ww
autoselect during-login
autoselect ppp
modem InOut
transport input all
escape-character BREAK
stopbits 1
speed 38400
flowcontrol hardware
line 2 8
line aux 0
line vty 0 4
password ww
!
end
LNS#





Once both LAC and LNS configuration is complete, proceed with the RADIUS Server as described in the following section.

RADIUS Server Configuration
In this case study, Cisco Secure ACS for Windows is used as the RADIUS Server. This section explains the configuration required on the LAC-side and the LNS-side RADIUS servers.

LAC RADIUS Configuration
The LAC router strips off the user portion of the username and sends only the domain name to the LAC RADIUS Server as part of the authorization request. So the LAC RADIUS Server needs the domain name configured as a username, with the tunnel attributes attached to it. Work through the following steps to complete this task:

Step 1. From left Navigation, click on Network Configuration and set up the LAC Network Access Server (NAS) as the AAA client to use RADIUS (Cisco IOS/PIX).


Step 2. Configure the user 'cisco.com' with the password cisco for both plain and CHAP. This is the username that is used for the tunnel attributes.



Step 3. Click on the Group Setup button in the left navigation bar. Select the group the user belongs to and click Edit Settings. Scroll down to the IETF RADIUS section and select Attribute 6 Service-Type as Outbound (see Figure 9-11). If some of the checkable options do not appear, go into Interface Configuration and check the corresponding boxes to make them appear in the group area.





Figure 9-11. LAC RADIUS Server Configuration for Tunnel Attributes






Step 4. In the Cisco IOS/PIX RADIUS attributes section at the bottom, check the box for 009\001 cisco-av-pair, and type all the attributes as shown in Figure 9-11.
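The attributes entered in Steps 2 to 4 travel in a RADIUS Access-Request/Access-Accept pair. The following Python script is an added example, not code from the book or from Cisco: it builds the request the LAC sends for the domain (User-Name, hidden User-Password, Service-Type Outbound), the Access-Accept the server returns with cisco-av-pair VSAs, and the check the LAC applies to the Response Authenticator with the shared key before it trusts the tunnel attributes. Packet IDs, the request authenticator and the profile contents are constructed for the example; the shared key and av-pairs are the ones used in this case study.

```python
"""Added example, not Cisco's or the book's code: the LAC-to-RADIUS exchange of
Steps 1 to 4 on the wire. The LAC sends the domain as User-Name with
Service-Type Outbound; the server answers with Attribute 26 VSAs (vendor 9,
type 1 = cisco-av-pair) carrying the vpdn: tunnel attributes; the LAC checks
the Response Authenticator with the shared key before trusting them.
Packet IDs, the request authenticator and the profile are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                  # RFC 2865 codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
SERVICE_TYPE_OUTBOUND = 5                             # Attribute 6 6 00000005
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                  # 009\001 cisco-av-pair


def domain_of(username: str) -> str:
    """What the LAC looks up under 'vpdn search-order domain'."""
    _, sep, domain = username.rpartition("@")
    if not sep or not domain:
        raise ValueError("no domain in %r" % username)
    return domain


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Attribute 26 = vendor-id, then vendor-type 1, vendor-length, string."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (one 16-octet block is enough here)."""
    mask = hashlib.md5(secret + req_auth).digest()
    return bytes(p ^ m for p, m in zip(password.ljust(16, b"\0"), mask))


def access_request(ident: int, username: str, secret: bytes, password: bytes) -> bytes:
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, domain_of(username).encode())
             + attr(USER_PASSWORD, hide_password(secret, req_auth, password))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_OUTBOUND)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def access_accept(request: bytes, secret: bytes, avpairs: list) -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_OUTBOUND))
    attrs += b"".join(cisco_avpair(p) for p in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side. A reply from a server with a different key, or one altered
    in transit, fails here and the tunnel attributes are discarded."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def vpdn_attributes(response: bytes) -> dict:
    """{'tunnel-id': 'DOHA', ...} from the cisco-av-pair VSAs of an Access-Accept."""
    out, pos = {}, 20
    while pos + 2 <= len(response):
        atype, alen = response[pos], response[pos + 1]
        if alen < 2:
            break                                     # malformed, stop parsing
        value = response[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or value[:4] != struct.pack("!I", CISCO_VENDOR_ID):
            continue
        vtype, vlen = value[4], value[5]
        text = value[6:4 + vlen].decode()
        if vtype == CISCO_AVPAIR and text.startswith("vpdn:"):
            key, _, val = text[5:].partition("=")
            out[key] = val
    return out


def lac_lookup(username: str, lac_key: bytes, server_key: bytes, profile: list) -> dict:
    """Whole round trip; the two keys are separate so a mismatch can be shown."""
    req = access_request(66, username, lac_key, b"cisco")   # Step 2 password
    resp = access_accept(req, server_key, profile)
    if not verify_response(req, resp, lac_key):
        raise ValueError("Response Authenticator mismatch: wrong RADIUS key or altered reply")
    return vpdn_attributes(resp)


# Constructed profile: the av-pairs entered for user cisco.com in Step 4
CISCO_COM_PROFILE = ["vpdn:tunnel-id=DOHA", "vpdn:tunnel-type=l2tp",
                     "vpdn:ip-addresses=10.1.1.15,", "vpdn:l2tp-tunnel-password=DHAKA"]

if __name__ == "__main__":
    print(lac_lookup("cse@cisco.com", b"ciscohtts123", b"ciscohtts123", CISCO_COM_PROFILE))
```

Run it with a different server key and the lookup raises instead of returning attributes. That check is what the configuration comments about a strong key are buying: without the key, a host on the 10.1.1.0/24 segment could answer the LAC with a different LNS address and tunnel password, and the LAC would forward the user's PPP session there.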



LNS RADIUS Configuration
Actual user authentication occurs at the LNS RADIUS Server. Complete the following steps to configure the LNS RADIUS Server:

Step 1. Configure the user id cse@cisco.com and input any password for plain and CHAP.


Step 2. Click on the Group Setup button in the left bar. Select the Group the user belongs to and click Edit Settings.


Step 3. In the section for Internet Engineering Task Force (IETF) RADIUS Attributes, select Service-type (attribute 6) = Framed and Framed-Protocol (attribute 7) = PPP from the drop-down menu. Note that you must also click the check box located next to the selected attributes Service-Type and Framed-Protocol.



If you follow the steps for the LAC, LNS, and RADIUS Server configuration for the corresponding sites, you should not run into issues with this VPDN implementation. However, most problems arise at run time, so it's extremely important to become familiar with the troubleshooting steps explained in the following section.
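Three places must agree for the tunnel in this case study to come up: the vpdn: av-pairs on the LAC RADIUS server, the vpdn-group on the LNS, and the LNS user named by local name. The following Python script is an added example, not from the book or Cisco: it checks abridged copies of Examples 9-30 and 9-31 for the lines the case study depends on, flags the weak management settings the configuration comments warn about (which settings count as weak is this example's judgement), and cross-checks the av-pairs against the LNS configuration. It assumes the LNS username is the_LNS, matching local name and the debug output.

```python
"""Added example, not the book's or Cisco's code: a static pre-flight check of
the LAC and LNS configurations before dialing in. It verifies the lines this
case study depends on, flags weak management settings, and cross-checks the
three places that must agree for tunnel setup: the LAC RADIUS vpdn: av-pairs,
the LNS vpdn-group and the LNS local-name user. Configs are abridged copies."""
import re

REQUIRED = {
    "LAC": [r"^aaa new-model", r"^aaa authorization network default group radius",
            r"^vpdn enable", r"^vpdn search-order domain", r"^radius-server host \S+ .*key \S+"],
    "LNS": [r"^aaa new-model", r"^aaa authorization network default group radius",
            r"^vpdn enable", r"^\s*accept dialin l2tp virtual-template \d+ remote \S+",
            r"^\s*local name \S+", r"^radius-server host \S+ .*key \S+"],
}
# Weak settings present in the printed configs (this example's judgement, not the book's)
WEAK = [
    (r"^no service password-encryption", "passwords are stored and displayed in clear"),
    (r"^enable password ", "'enable secret' hashes the enable password; 'enable password' does not"),
    (r"^\s*transport input all", "management line accepts every transport; restrict it"),
]


def check_config(role: str, config: str) -> dict:
    lines = config.splitlines()
    missing = [p for p in REQUIRED[role] if not any(re.search(p, l) for l in lines)]
    weak = [(n, why) for n, l in enumerate(lines, 1) for p, why in WEAK if re.search(p, l)]
    return {"missing": missing, "weak": weak}


def tunnel_consistency(lns_config: str, avpairs: list) -> list:
    """tunnel-id must equal the vpdn-group 'remote' name, ip-addresses must be
    an LNS interface address, and l2tp-tunnel-password must equal the password
    of the LNS 'local name' user. Each mismatch maps to a failure shown later."""
    av = dict(p[5:].split("=", 1) for p in avpairs if p.startswith("vpdn:"))
    problems = []
    remote = re.search(r"accept dialin l2tp virtual-template \d+ remote (\S+)", lns_config)
    if not remote or remote.group(1) != av.get("tunnel-id"):
        problems.append("tunnel-id %r has no vpdn-group on the LNS (Example 9-37)" % av.get("tunnel-id"))
    local = re.search(r"local name (\S+)", lns_config)
    pw = local and re.search(r"username %s password 0 (\S+)" % re.escape(local.group(1)), lns_config)
    if not pw or pw.group(1) != av.get("l2tp-tunnel-password"):
        problems.append("l2tp-tunnel-password differs from the LNS local-name user (Example 9-35)")
    lns_ips = re.findall(r"ip address (\S+) \S+", lns_config)
    if not any(ip in av.get("ip-addresses", "") for ip in lns_ips):
        problems.append("ip-addresses %r is not an LNS address (Example 9-34)" % av.get("ip-addresses"))
    return problems


# Abridged from Examples 9-30 and 9-31; the LNS username is the_LNS to match 'local name'
LAC_CONFIG = """\
no service password-encryption
hostname LAC
aaa new-model
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
enable password cisco^%we@sd
vpdn enable
vpdn search-order domain
radius-server host 10.1.1.40 auth-port 1645 acct-port 1646 key ciscohtts123
line 2 16
 transport input all
"""
LNS_CONFIG = """\
no service password-encryption
hostname LNS
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default group radius local
username the_LNS password 0 DHAKA
vpdn enable
vpdn-group 1
 accept dialin l2tp virtual-template 1 remote DOHA
 local name the_LNS
interface Ethernet0
 ip address 10.1.1.15 255.255.255.0
radius-server host 10.1.1.40 auth-port 1645 acct-port 1646 key ciscohtts123
"""
# What the LAC RADIUS server hands back for cisco.com (Step 4 of the LAC RADIUS configuration)
CISCO_COM_AVPAIRS = ["vpdn:tunnel-id=DOHA", "vpdn:tunnel-type=l2tp",
                     "vpdn:ip-addresses=10.1.1.15,", "vpdn:l2tp-tunnel-password=DHAKA"]

if __name__ == "__main__":
    print(check_config("LAC", LAC_CONFIG))
    print(check_config("LNS", LNS_CONFIG))
    print(tunnel_consistency(LNS_CONFIG, CISCO_COM_AVPAIRS))
    print(tunnel_consistency(LNS_CONFIG, ["vpdn:tunnel-id=DOHA", "vpdn:ip-addresses=1.1.1.1,",
                                          "vpdn:l2tp-tunnel-password=dhaka"]))
```

The second tunnel_consistency call deliberately feeds the wrong LNS address and a lower-case tunnel password; the two problems it reports correspond to the run-time failures of Examples 9-34 and 9-35, found before any call is placed.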

Troubleshooting Steps
Show commands are extremely important for displaying VPDN tunnel information and verifying whether your configuration is working. The following two show commands are used frequently:

show vpdn tunnel Displays information about all active Layer 2 forwarding and L2TP tunnels in summary-style format.

show caller ip Displays a summary of caller information for the IP address you provide.

Once a problem is identified with the show command, run the debug command to find out details. Along with debug aaa authentication|authorization|accounting, and debug radius, the following list of commands will assist you in troubleshooting the VPDN issues:

debug vtemplate Displays cloning information for a virtual access interface, from the time it is cloned from a virtual template to the time the virtual access interface comes down when the call ends.

debug vpdn error Displays errors that prevent a PPP tunnel from being established, or errors that cause an established tunnel to be closed.

debug vpdn events Displays messages about events that are part of normal PPP tunnel establishment or shutdown.

debug vpdn l2x-errors Displays Layer 2 protocol errors that prevent Layer 2 establishment or prevent its normal operation.

debug vpdn l2x-events Displays messages about events that are part of normal PPP tunnel establishment or shutdown for Layer 2.

debug vpdn l2tp-sequencing Displays messages about L2TP data packet sequencing (sequence numbers on tunneled data).

If you are having problems with successful VPDN connections, analyze the debug output on both LAC and LNS routers. The following two sections demonstrate that analysis.

LAC Router Troubleshooting
Before looking at some of the problems that you may encounter on the LAC, look at the debug output shown in Example 9-32 from a VPDN session that works.


Example 9-32. debug Output from the LAC When VPDN Works
LAC# show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
L2X protocol events debugging is on
L2X protocol errors debugging is on
VPDN events debugging is on
VPDN errors debugging is on
L2TP data sequencing debugging is on
VTEMPLATE:
Virtual Template debugging is on
Radius protocol debugging is on
LAC#
Mar 9 12:22:16: As1 AAA/AUTHOR/FSM: (0):
LCP succeeds trivially
2d18h: %LINK-3-UPDOWN: Interface Async1, changed state to up
Mar 9 12:22:17: As1 VPDN: Looking for tunnel -- cisco.com --
Mar 9 12:22:17: AAA: parse name=Async1 idb type=10 tty=1
Mar 9 12:22:17: AAA: name=Async1 flags=0x11 type=4 shelf=0 slot=0
adapter=0 port=1 channel=0
Mar 9 12:22:17: AAA/AUTHEN: create_user (0x25BA84)
user='cisco.com' ruser='' port='Async1' rem_addr=''
authen_type=NONE service=LOGIN priv=0
Mar 9 12:22:17: AAA/AUTHOR/VPDN (6239469): Port='Async1' list='default' service=NET
Mar 9 12:22:17: AAA/AUTHOR/VPDN: (6239469) user='cisco.com'
Mar 9 12:22:17: AAA/AUTHOR/VPDN: (6239469) send AV service=ppp
Mar 9 12:22:17: AAA/AUTHOR/VPDN: (6239469) send AV protocol=vpdn
Mar 9 12:22:17: AAA/AUTHOR/VPDN (6239469) found list "default"
Mar 9 12:22:17: AAA/AUTHOR/VPDN: (6239469) Method=RADIUS
Mar 9 12:22:17: RADIUS: authenticating to get author data
Mar 9 12:22:17: RADIUS: ustruct sharecount=2
!Sending the initial request packet to the RADIUS Server
Mar 9 12:22:17: RADIUS: Initial Transmit Async1 id 66
10.1.1.40:1645, Access-Request, len 77
Mar 9 12:22:17: Attribute 4 6 0A1F0106
Mar 9 12:22:17: Attribute 5 6 00000001
Mar 9 12:22:17: Attribute 61 6 00000000
Mar 9 12:22:17: Attribute 1 15 7274702E
Mar 9 12:22:17: Attribute 2 18 6AB5A2B0
Mar 9 12:22:17: Attribute 6 6 00000005
!Access-Accept received from the RADIUS Server
Mar 9 12:22:17: RADIUS: Received from id 66
10.1.1.40:1645, Access-Accept, len 158
Mar 9 12:22:17: Attribute 6 6 00000005
Mar 9 12:22:17: Attribute 26 28 0000000901167670
Mar 9 12:22:17: Attribute 26 29 0000000901177670
Mar 9 12:22:17: Attribute 26 36 00000009011E7670
Mar 9 12:22:17: Attribute 26 39 0000000901217670
Mar 9 12:22:17: RADIUS: saved authorization data for user 25BA84 at 24C488
!RADIUS server supplies the VPDN tunnel attributes as shown by the following four lines.
Mar 9 12:22:17: RADIUS: cisco AVPair "vpdn:tunnel-id=DOHA"
Mar 9 12:22:17: RADIUS: cisco AVPair "vpdn:tunnel-type=l2tp"
Mar 9 12:22:17: RADIUS: cisco AVPair "vpdn:ip-addresses=10.1.1.15,"
Mar 9 12:22:17: RADIUS: cisco AVPair "vpdn:l2tp-tunnel-password=DHAKA"
Mar 9 12:22:17: AAA/AUTHOR (6239469): Post authorization status = PASS_ADD
Mar 9 12:22:17: AAA/AUTHOR/VPDN: Processing AV service=ppp
Mar 9 12:22:17: AAA/AUTHOR/VPDN: Processing AV protocol=vpdn
Mar 9 12:22:17: AAA/AUTHOR/VPDN: Processing AV tunnel-id=DOHA
Mar 9 12:22:17: AAA/AUTHOR/VPDN: Processing AV tunnel-type=l2tp
Mar 9 12:22:17: AAA/AUTHOR/VPDN: Processing AV ip-addresses=10.1.1.15,
Mar 9 12:22:17: AAA/AUTHOR/VPDN: Processing AV l2tp-tunnel-password=DHAKA
Mar 9 12:22:17: As1 VPDN: Get tunnel info for cisco.com with LAC DOHA, IP 10.1.1.15
Mar 9 12:22:17: AAA/AUTHEN: free_user (0x25BA84)
user='cisco.com' ruser='' port='Async1' rem_addr=''
authen_type=NONE service=LOGIN priv=0
!The following line shows the LNS ip address which is 10.1.1.15
Mar 9 12:22:17: As1 VPDN: Forward to address 10.1.1.15
Mar 9 12:22:17: As1 VPDN: Forwarding...
Mar 9 12:22:17: AAA: parse name=Async1 idb
type=10 tty=1
Mar 9 12:22:17: AAA: name=Async1 flags=0x11 type=4
shelf=0 slot=0 adapter=0 port=1 channel=0
Mar 9 12:22:17: AAA/AUTHEN: create_user (0xB7918)
user='cse@cisco.com' ruser='' port='Async1'
rem_addr='async' authen_type=CHAP service=PPP priv=1
Mar 9 12:22:17: As1 VPDN: Bind interface direction=1
Mar 9 12:22:17: Tnl/Cl 51/1 L2TP: Session FS enabled
Mar 9 12:22:17: Tnl/Cl 51/1 L2TP: Session state change from idle to wait-for-tunnel
Mar 9 12:22:17: As1 51/1 L2TP: Create session
Mar 9 12:22:17: Tnl 51 L2TP: SM State idle
Mar 9 12:22:17: Tnl 51 L2TP: O SCCRQ
Mar 9 12:22:17: Tnl 51 L2TP: Tunnel state change from idle to wait-ctl-reply
Mar 9 12:22:17: Tnl 51 L2TP: SM State wait-ctl-reply
!Following line shows username is forwarded to LNS
Mar 9 12:22:17: As1 VPDN: cse@cisco.com is forwarded
Mar 9 12:22:17: Tnl 51 L2TP: I SCCRP from the_LNS
!Tunnel authentication is shown to be successful by the following three lines.
Mar 9 12:22:17: Tnl 51 L2TP: Got a challenge from remote peer, the_LNS
Mar 9 12:22:17: Tnl 51 L2TP: Got a response from remote peer, the_LNS
Mar 9 12:22:17: Tnl 51 L2TP: Tunnel Authentication success
Mar 9 12:22:17: Tnl 51 L2TP: Tunnel state change from
wait-ctl-reply to established
Mar 9 12:22:17: Tnl 51 L2TP: O SCCCN to the_LNS tnlid 38
Mar 9 12:22:17: Tnl 51 L2TP: SM State established
Mar 9 12:22:17: As1 51/1 L2TP: O ICRQ to the_LNS 38/0
Mar 9 12:22:17: As1 51/1 L2TP: Session state change from
wait-for-tunnel to wait-reply
Mar 9 12:22:17: As1 51/1 L2TP: O ICCN to the_LNS 38/1
Mar 9 12:22:17: As1 51/1 L2TP: Session state change from
wait-reply to established
2d18h: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Async1, changed state to up
LAC#





The following is a list of common problems you may encounter with VPDN on the LAC router. The output shown for every problem is generated with the same debug settings as in Example 9-32.

Wrong domain name in the username If the username comes in with the wrong domain name, the LAC RADIUS Server rejects the domain-name authorization. In Example 9-33, the debug shows that the user comes in as cse@xyz.com instead of cse@cisco.com, hence the LAC RADIUS Server does not recognize this domain.

Example 9-33. Wrong Domain Name Fails on the LAC Router
LAC#
Mar 9 12:50:48: RADIUS: Received from id 86 10.1.1.40:1645, Access-Reject, len 46
Mar 9 12:50:48: Attribute 18 26 41757468
Mar 9 12:50:48: RADIUS: failed to get authorization data: authen status = 2
%VPDN-6-AUTHORFAIL: L2F NAS LAC, AAA authorization failure for As1 user cse@xyz.com
LAC#





Invalid Tunnel IP from the RADIUS Server If the user profile on CS ACS for the domain name is configured with the wrong tunnel IP address (vpdn:ip-addresses), the LAC router will try to build the tunnel to the wrong LNS. The user's session attempt then fails with the debug messages shown in Example 9-34.

Example 9-34. debug Output on the LAC Router When CS ACS Provides Wrong Tunnel IP
LAC#
Mar 9 12:55:45: As1 VPDN: Forward to address 1.1.1.1
Mar 9 12:55:45: As1 VPDN: Forwarding...
Mar 9 12:55:45: Tnl 56 L2TP: Tunnel state change from idle to wait-ctl-reply
Mar 9 13:32:46: As1 56/1 L2TP: Discarding data packet because tunnel is not open
LAC#





Tunnel Password Mismatch The tunnel password that is provided by the LAC RADIUS Server to the LAC router should match the LNS router password. If they do not match, debug messages as shown in Example 9-35 will result.

Example 9-35. debug Message When There Is Tunnel Password Mismatch between the LAC and LNS
LAC#
Mar 9 12:57:37: Tnl 59 L2TP: Tunnel Authentication fails for the_LNS
Mar 9 12:57:37: Tnl 59 L2TP: Expected E530DA13B826685C678589250C0BF525
Mar 9 12:57:37: Tnl 59 L2TP: Got E09D90E8A91CF1014C91D56F65BDD052
Mar 9 12:57:37: Tnl 59 L2TP: O StopCCN to the_LNS tnlid 44
Mar 9 12:57:37: Tnl 59 L2TP: Tunnel state change from wait-ctl-reply to shutting-down
Mar 9 12:57:37: Tnl 59 L2TP: Shutdown tunnel
LAC#
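The "Expected" and "Got" values in Example 9-35 are the two sides of the L2TP tunnel authentication defined in RFC 2661, section 5.1.1. The following Python script is an added example, not from the book or Cisco: each peer proves knowledge of the tunnel password by answering the other's challenge with MD5 over the one-octet message type, the secret, and the challenge, so the password itself never crosses the wire; when the two sides hold different passwords the LAC computes one 16-byte value, receives another, and sends StopCCN, exactly the sequence of Example 9-35. Peer names are the ones used in this case study; the challenges and the mismatched password are constructed.

```python
"""Added example, not from the book or Cisco: the L2TP tunnel-authentication
handshake of RFC 2661 section 5.1.1, as seen in Examples 9-32 and 9-35.
  SCCRQ  LAC -> LNS : Challenge_A
  SCCRP  LNS -> LAC : Challenge_B, Response = MD5(0x02 || secret || Challenge_A)
  SCCCN  LAC -> LNS : Response = MD5(0x03 || secret || Challenge_B)
Challenges and the mismatched password below are constructed for the demo."""
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3          # L2TP control message types


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 s5.1.1: MD5 over the one-octet message type of the message that
    carries the response, the shared secret, and the peer's challenge."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class Peer:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret, self.log = name, secret, []
        self.my_challenge = os.urandom(16)   # sent in our SCCRQ (LAC) or SCCRP (LNS)

    def expect(self, msg_type: int, response: bytes) -> bool:
        """Recompute from our own password and compare; on a mismatch IOS logs
        'Expected <16 bytes> / Got <16 bytes>' as in Example 9-35."""
        expected = challenge_response(msg_type, self.secret, self.my_challenge)
        ok = hmac.compare_digest(expected, response)
        self.log.append("Tunnel Authentication success" if ok else
                        "Tunnel Authentication fails: Expected %s Got %s"
                        % (expected.hex().upper(), response.hex().upper()))
        return ok


def tunnel_setup(lac: Peer, lns: Peer) -> str:
    """Run SCCRQ/SCCRP/SCCCN and return the tunnel state reached on the LAC."""
    sccrq_challenge = lac.my_challenge                      # O SCCRQ
    # I SCCRP: the LNS answers the LAC's challenge and issues its own
    sccrp_response = challenge_response(SCCRP, lns.secret, sccrq_challenge)
    sccrp_challenge = lns.my_challenge
    if not lac.expect(SCCRP, sccrp_response):
        lac.log.append("O StopCCN to %s" % lns.name)
        return "shutting-down"                              # Example 9-35
    # O SCCCN: the LAC answers the LNS's challenge
    scccn_response = challenge_response(SCCCN, lac.secret, sccrp_challenge)
    if not lns.expect(SCCCN, scccn_response):
        return "shutting-down"
    return "established"                                    # Example 9-32


if __name__ == "__main__":
    for lns_password in (b"DHAKA", b"dhaka"):
        lac, lns = Peer("DOHA", b"DHAKA"), Peer("the_LNS", lns_password)
        print(lns_password, tunnel_setup(lac, lns), lac.log)
```

Two practical consequences follow from the construction. The secret is mixed into an unkeyed MD5 of a value the attacker can see on the wire, so anyone capturing SCCRP and SCCCN can test password guesses offline against the Expected/Got pairs; a long random tunnel password, not a word like DHAKA, is the only defence. And because the LNS's response to SCCRQ comes back before the LAC authenticates itself, a peer that answers with the wrong value is refused before any session (ICRQ) is accepted, which is why the mismatch in Example 9-35 never reaches user authentication.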





LNS Router Troubleshooting
Just as with the LAC router, it is worth going through a good debug output on the LNS router. Example 9-36 shows a good debug from the LNS when the VPDN works.

Example 9-36. debug Output of LNS Router When VPDN Works
LNS# show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
AAA Accounting debugging is on
VPN:
L2X protocol events debugging is on
L2X protocol errors debugging is on
VPDN events debugging is on
VPDN errors debugging is on
L2TP data sequencing debugging is on
VTEMPLATE:
Virtual Template debugging is on
Radius protocol debugging is on
LNS#
Mar 9 12:22:16: L2TP: I SCCRQ from DOHA tnl 51
!The following line shows tunnel created for the LAC
Mar 9 12:22:16: Tnl 38 L2TP: New tunnel created for
remote DOHA, address 10.1.1.10
Mar 9 12:22:16: Tnl 38 L2TP: Got a challenge in SCCRQ, DOHA
Mar 9 12:22:16: Tnl 38 L2TP: O SCCRP to DOHA tnlid 51
Mar 9 12:22:16: Tnl 38 L2TP: Tunnel state change from idle to wait-ctl-reply
Mar 9 12:22:16: Tnl 38 L2TP: I SCCCN from DOHA tnl 51
Mar 9 12:22:16: Tnl 38 L2TP: Got a Challenge Response in SCCCN from DOHA
!Tunnel authentication is successful
Mar 9 12:22:16: Tnl 38 L2TP: Tunnel Authentication success
Mar 9 12:22:16: Tnl 38 L2TP: Tunnel state change from wait-ctl-reply to established
Mar 9 12:22:16: Tnl 38 L2TP: SM State established
Mar 9 12:22:17: Tnl 38 L2TP: I ICRQ from DOHA tnl 51
Mar 9 12:22:17: Tnl/Cl 38/1 L2TP: Session FS enabled
Mar 9 12:22:17: Tnl/Cl 38/1 L2TP: Session state change
from idle to wait-for-tunnel
Mar 9 12:22:17: Tnl/Cl 38/1 L2TP: New session created
Mar 9 12:22:17: Tnl/Cl 38/1 L2TP: O ICRP to DOHA 51/1
Mar 9 12:22:17: Tnl/Cl 38/1 L2TP: Session state change
from wait-for-tunnel to wait-connect
Mar 9 12:22:17: Tnl/Cl 38/1 L2TP: I ICCN from DOHA tnl 51, cl 1
Mar 9 12:22:17: Tnl/Cl 38/1 L2TP: Session state change
from wait-connect to established
Mar 9 12:22:17: Vi1 VTEMPLATE: Reuse Vi1, recycle queue size 0
Mar 9 12:22:17: Vi1 VTEMPLATE: Hardware address 00e0.1e68.942c
!Following three lines shows using Virtual-template 1 for this user.
Mar 9 12:22:17: Vi1 VPDN: Virtual interface created for cse@cisco.com
Mar 9 12:22:17: Vi1 VPDN: Set to Async interface
Mar 9 12:22:17: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking
Mar 9 12:22:17: Vi1 VTEMPLATE: Has a new cloneblk vtemplate, now it has vtemplate
Mar 9 12:22:17: Vi1 VTEMPLATE: ************* CLONE
VACCESS1 *****************
Mar 9 12:22:17: Vi1 VTEMPLATE: Clone from Virtual-Template1
interface Virtual-Access1
default ip address
no ip address
encap ppp
ip unnum eth 0
no ip directed-broadcast
peer default ip address pool default
ppp authen chap
end

Mar 9 12:22:18: cse@cisco.com 38/1 L2TP: Session
with no hwidb
02:23:59: %LINK-3-UPDOWN: Interface Virtual-Access1,
changed state to up
Mar 9 12:22:19: Vi1 AAA/AUTHOR/FSM: (0): LCP succeeds
trivially
Mar 9 12:22:19: Vi1 VPDN: Bind interface direction=2
Mar 9 12:22:19: Vi1 VPDN: PPP LCP accepted rcv CONFACK
Mar 9 12:22:19: Vi1 VPDN: PPP LCP accepted sent CONFACK
Mar 9 12:22:19: Vi1 L2X: Discarding packet because of
no mid/session
Mar 9 12:22:19: AAA: parse name=Virtual-Access1 idb type=21 tty=-1
Mar 9 12:22:19: AAA: name=Virtual-Access1 flags=0x11
type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
Mar 9 12:22:19: AAA/AUTHEN: create_user (0x2462A0)
user='cse@cisco.com' ruser='' port='Virtual-Access1'
rem_addr='' authen_type=CHAP service=PPP priv=1
Mar 9 12:22:19: AAA/AUTHEN/START (2229277178):
port='Virtual-Access1' list='' action=LOGIN
service=PPP
Mar 9 12:22:19: AAA/AUTHEN/START (2229277178):
using "default" list
Mar 9 12:22:19: AAA/AUTHEN/START (2229277178):
Method=RADIUS
Mar 9 12:22:19: RADIUS: ustruct sharecount=1
!Access-request packet is sending to the RADIUS Server
Mar 9 12:22:19: RADIUS: Initial Transmit Virtual-Access1
id 78 171.68.120.194:1645, Access-Request, len 92
Mar 9 12:22:19: Attribute 4 6 0A1F0109
Mar 9 12:22:19: Attribute 5 6 00000001
Mar 9 12:22:19: Attribute 61 6 00000005
Mar 9 12:22:19: Attribute 1 23 6464756E
Mar 9 12:22:19: Attribute 3 19 34A66389
Mar 9 12:22:19: Attribute 6 6 00000002
Mar 9 12:22:19: Attribute 7 6 00000001
Mar 9 12:22:19: RADIUS: Received from id 78
!Access-Accept received as shown here
171.68.120.194:1645, Access-Accept, len 32
Mar 9 12:22:19: Attribute 6 6 00000002
Mar 9 12:22:19: Attribute 7 6 00000001
Mar 9 12:22:19: AAA/AUTHEN (2229277178): status = PASS
Mar 9 12:22:19: Vi1 AAA/AUTHOR/LCP: Authorize LCP
Mar 9 12:22:19: AAA/AUTHOR/LCP Vi1 (1756915964):
Port='Virtual-Access1' list='' service=NET
Mar 9 12:22:19: AAA/AUTHOR/LCP: Vi1 (1756915964)
user='cse@cisco.com'
Mar 9 12:22:19: AAA/AUTHOR/LCP: Vi1 (1756915964)
send AV service=ppp
Mar 9 12:22:19: AAA/AUTHOR/LCP: Vi1 (1756915964)
send AV protocol=lcp
Mar 9 12:22:19: AAA/AUTHOR/LCP (1756915964) found
list "default"
Mar 9 12:22:19: AAA/AUTHOR/LCP: Vi1 (1756915964)
Method=RADIUS
Mar 9 12:22:19: AAA/AUTHOR (1756915964): Post
authorization status = PASS_REPL
Mar 9 12:22:19: Vi1 AAA/AUTHOR/LCP: Processing
AV service=ppp
Mar 9 12:22:19: AAA/ACCT/NET/START User
cse@cisco.com, Port Virtual-Access1, List ""
Mar 9 12:22:19: AAA/ACCT/NET: Found list "default"
Mar 9 12:22:19: Vi1 AAA/AUTHOR/FSM: (0): Can we
start IPCP?
Mar 9 12:22:19: AAA/AUTHOR/FSM Vi1 (1311872588):
Port='Virtual-Access1' list='' service=NET
Mar 9 12:22:19: AAA/AUTHOR/FSM: Vi1 (1311872588)
user='cse@cisco.com'
Mar 9 12:22:19: AAA/AUTHOR/FSM: Vi1 (1311872588)
send AV service=ppp
Mar 9 12:22:19: AAA/AUTHOR/FSM: Vi1 (1311872588)
send AV protocol=ip
Mar 9 12:22:19: AAA/AUTHOR/FSM (1311872588)
found list "default"
Mar 9 12:22:19: AAA/AUTHOR/FSM: Vi1 (1311872588)
Method=RADIUS
Mar 9 12:22:19: AAA/AUTHOR (1311872588): Post
authorization status = PASS_REPL
Mar 9 12:22:19: Vi1 AAA/AUTHOR/FSM: We can start
IPCP
Mar 9 12:22:19: RADIUS: ustruct sharecount=2
Mar 9 12:22:19: RADIUS: Initial Transmit Virtual-Access1
id 79 171.68.120.194:1646, Accounting-Request, len 101
Mar 9 12:22:19: Attribute 4 6 0A1F0109
Mar 9 12:22:19: Attribute 5 6 00000001
Mar 9 12:22:19: Attribute 61 6 00000005
Mar 9 12:22:19: Attribute 1 23 6464756E
Mar 9 12:22:19: Attribute 40 6 00000001
Mar 9 12:22:19: Attribute 45 6 00000001
Mar 9 12:22:19: Attribute 6 6 00000002
Mar 9 12:22:19: Attribute 44 10 30303030
Mar 9 12:22:19: Attribute 7 6 00000001
Mar 9 12:22:19: Attribute 41 6 00000000
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Start. Her
address 0.0.0.0, we want 0.0.0.0
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Processing
AV service=ppp
!The authorization is shown to be successful
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Authorization
succeeded
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Done. Her
address 0.0.0.0, we want 0.0.0.0
Mar 9 12:22:19: RADIUS: Received from id 79
171.68.120.194:1646, Accounting-response,
len 20
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Start.
Her address 0.0.0.0, we want 10.1.6.1
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Processing
AV service=ppp
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Authorization
succeeded
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Done.
Her address 0.0.0.0, we want 10.1.6.1
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Start.
Her address 10.1.6.1, we want 10.1.6.1
Mar 9 12:22:19: AAA/AUTHOR/IPCP Vi1 (2909132255):
Port='Virtual-Access1' list='' service=NET
Mar 9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255)
user='cse@cisco.com'
Mar 9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255)
send AV service=ppp
Mar 9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255)
send AV protocol=ip
Mar 9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255)
send AV addr*10.1.6.1
Mar 9 12:22:19: AAA/AUTHOR/IPCP (2909132255)
found list "default"
Mar 9 12:22:19: AAA/AUTHOR/IPCP: Vi1 (2909132255)
Method=RADIUS
Mar 9 12:22:19: AAA/AUTHOR (2909132255): Post
authorization status = PASS_REPL
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Reject
10.1.6.1, using 10.1.6.1
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Processing
AV service=ppp
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Processing
AV addr*10.1.6.1
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Authorization
succeeded
Mar 9 12:22:19: Vi1 AAA/AUTHOR/IPCP: Done.
Her address 10.1.6.1, we want 10.1.6.1
02:24:00: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Virtual-Access1, changed state to up
LNS#





The following is a list of problems that you may encounter on the LNS side for VPDN:

Tunnel ID for LAC is missing or misconfigured You must ensure that the proper Tunnel ID is configured for the LAC. In this case study, you must have already configured "accept dialin l2tp virtual-template 1 remote DOHA" on the LNS; otherwise, you will receive the debug message shown in Example 9-37.

Example 9-37. debug Message When Tunnel ID is Misconfigured or Not Configured
LNS#
Mar 9 13:45:32: L2TP: I SCCRQ from DOHA tnl 62
Mar 9 13:45:32: L2X: Never heard of DOHA
Mar 9 13:45:32: L2TP: Could not find info block for DOHA
LNS#





Tunnel password mismatch If there is a tunnel password mismatch between the LAC and LNS, you will get the same message as you did on the LAC router, as shown in Example 9-35.

Actual user authentication failure Actual user authentication occurs at the LNS router. Hence, if the LNS RADIUS Server is not configured with the proper username and password, the VPDN tunnel may come up, but the user will still not be able to access network resources.
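When several calls are failing at once, the messages listed above are worth collecting into a small triage script rather than reading debug output by eye. The following Python script is an added example, not from the book or Cisco: it runs a set of rules over LAC or LNS debug output, tags each matching line with the stage of the call it belongs to and the fix given in this section, and lists which tunnels reached the established state. The sample lines are constructed from Examples 9-32 through 9-37; the regular expressions assume the IOS 12.2 message formats printed there and may need adjusting for other releases.

```python
"""Added example, not from the book: first-pass triage of LAC and LNS debug
output against the failure modes listed in this section. Each rule maps a
message to the stage of the call it belongs to and to the fix given in the
text. Sample lines are constructed from Examples 9-32 to 9-37; the regexes
assume the IOS 12.2 message formats printed there."""
import re

# Tunnel (and session) identifiers as IOS prints them: 'Tnl 59', 'Tnl/Cl 38/1', 'As1 56/1'
IDENT = re.compile(r"(?:Tnl(?:/Cl)?|As\d+) (\d+)(?:/\d+)?")
ESTABLISHED = re.compile(r"Tunnel state change from \S+ to established")

# Checked in order; the first rule that matches a line wins
RULES = [
    ("radius-reject", re.compile(r"Access-Reject"),
     "RADIUS refused the request: on the LAC the domain lookup, on the LNS the actual user"),
    ("lac-domain-authorization", re.compile(r"AAA authorization failure for \S+ user (\S+)"),
     "LAC RADIUS server has no entry for this domain (Example 9-33)"),
    ("lac-tunnel-ip", re.compile(r"Discarding data packet because tunnel is not open"),
     "no control reply from the LNS: check vpdn:ip-addresses in the LAC profile (Example 9-34)"),
    ("tunnel-authentication", re.compile(r"Tunnel Authentication fails for (\S+)"),
     "vpdn:l2tp-tunnel-password does not match the LNS local-name password (Example 9-35)"),
    ("lns-tunnel-id", re.compile(r"Never heard of (\S+)|Could not find info block for (\S+)"),
     "no vpdn-group on the LNS with 'remote <tunnel-id>' (Example 9-37)"),
]


def triage(lines):
    """Return tunnel ids that reached 'established' and one finding per matched line."""
    established, findings = set(), []
    for line in lines:
        m = IDENT.search(line)
        tnl = int(m.group(1)) if m else None
        if ESTABLISHED.search(line):
            established.add(tnl)
            continue
        for stage, pattern, remedy in RULES:
            hit = pattern.search(line)
            if hit:
                peer = next((g for g in hit.groups() if g), None)
                findings.append({"stage": stage, "tunnel": tnl, "peer": peer,
                                 "remedy": remedy, "line": line.strip()})
                break
    return {"established": sorted(t for t in established if t is not None),
            "findings": findings}


# Constructed sample: one line from each failure example plus the good tunnel of 9-32
SAMPLE_DEBUG = """\
Mar 9 12:22:17: Tnl 51 L2TP: Tunnel state change from wait-ctl-reply to established
Mar 9 12:50:48: RADIUS: Received from id 86 10.1.1.40:1645, Access-Reject, len 46
%VPDN-6-AUTHORFAIL: L2F NAS LAC, AAA authorization failure for As1 user cse@xyz.com
Mar 9 13:32:46: As1 56/1 L2TP: Discarding data packet because tunnel is not open
Mar 9 12:57:37: Tnl 59 L2TP: Tunnel Authentication fails for the_LNS
Mar 9 12:57:37: Tnl 59 L2TP: Tunnel state change from wait-ctl-reply to shutting-down
Mar 9 13:45:32: L2X: Never heard of DOHA
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    print("established tunnels:", result["established"])
    for f in result["findings"]:
        print("%-26s tnl=%-4s peer=%-14s %s" % (f["stage"], f["tunnel"], f["peer"], f["remedy"]))
```

The stage names follow the order in which a call progresses (domain authorization on the LAC, tunnel control connection, tunnel authentication, session, user authentication), so the earliest stage reported for a tunnel id is normally the one to fix first; a later failure such as an Access-Reject on the LNS only becomes visible once the tunnel itself comes up.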

This troubleshooting concludes the case study on VPDN. In the next section, we examine some of the common problems and resolutions.