Cisco IOS Software Release 12.2(1)DX
Per VRF AAA
Feature Overview
Because different VRFs may use the same private address space, an AAA server that is identified only by
IP address and port number becomes ambiguous when an AAA configuration, such as a method list, is
defined separately many times across the network access server (NAS). Binding AAA method lists to a
VRF can be accomplished from one or more of the following sources:
• Virtual Template—Used as a generic interface configuration.
• Service Provider AAA server—Used to associate a remote user with a specific VPN based on the
domain name or Dialed Number Identification Service (DNIS). The server then provides the
VPN-specific configuration for the virtual access interface, which includes the IP address and port
number of the customer AAA server.
• Customer VPN AAA server—Used to authenticate the remote user and to provide user-specific
configurations for the virtual access interface.
Note
Global AAA accounting configurations and some AAA protocol-specific parameters cannot be
logically grouped under the Virtual Template configuration.
AAA Server Configurations
To prevent possible overlapping of private addresses between VRFs, AAA servers must be defined in a
single global pool that is used by the server groups. An IP address and port number alone no longer
uniquely identify a server.
Private servers (servers with private addresses that are defined inside a specific server group rather than
in the default server group, which contains all globally defined servers) remain hidden from other
groups. The list of servers in a server group therefore includes references to the hosts in the global
configuration as well as the definitions of private servers.
Note
If private server parameters are not specified, global configurations are used. If global configurations
are not specified, default values are used.
All server operational parameters can be configured per host, per server group, or globally. Per-host
configurations take precedence over per-server-group configurations, and per-server-group
configurations take precedence over global configurations.
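The following configuration is an added example, not part of the original release notes, that ties together the Feature Overview sources (a Virtual Template as the generic interface configuration, a customer AAA server reached through the VRF) and the server-group rules above (a global pool, a private server hidden inside one group, and per-host parameters overriding group and global ones). It assumes the server-group CLI documented for later Cisco IOS per-VRF AAA releases (server-private, ip vrf forwarding and ip radius source-interface under aaa group server); the exact syntax accepted by a given 12.2(1)DX image should be checked on the device. All names, addresses and keys are constructed for illustration.

```cisco
! Added example; not taken from the original document. Assumes the
! server-private / ip vrf forwarding server-group syntax of later IOS
! per-VRF AAA documentation. Names, addresses and keys are constructed.
!
! Global pool: hosts defined here are visible to every server group and
! carry the global key, timeout and retransmit values.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server key GlobalKey1
radius-server timeout 5
radius-server retransmit 3
!
! Customer VRF. 10.1.1.5 may also exist in another customer's VRF; because
! it is defined as a private server inside this group only, it does not
! collide with the global pool or with other groups.
ip vrf customer-a
 rd 65000:1
!
aaa group server radius customer-a-aaa
 ! reference to a global-pool host (inherits the global key and timeout)
 server 192.0.2.10 auth-port 1812 acct-port 1813
 ! private server hidden from other groups; its per-host timeout (10)
 ! and key take precedence over the group and global values
 server-private 10.1.1.5 auth-port 1812 acct-port 1813 timeout 10 key CustomerAKey
 ! RADIUS traffic for this group is sourced inside the customer VRF
 ip vrf forwarding customer-a
 ip radius source-interface Loopback1
!
! Named method lists bound to the customer's server group
aaa authentication ppp customer-a-list group customer-a-aaa
aaa authorization network customer-a-list group customer-a-aaa
aaa accounting network customer-a-list start-stop group customer-a-aaa
!
interface Loopback1
 ip vrf forwarding customer-a
 ip address 10.1.1.1 255.255.255.255
!
! Generic interface configuration applied to each virtual access interface
interface Virtual-Template1
 ip vrf forwarding customer-a
 ip unnumbered Loopback1
 ppp authentication chap customer-a-list
 ppp authorization customer-a-list
 ppp accounting customer-a-list
```

A practitioner checking this on a device would confirm with show radius server-group all (or the equivalent on the running image) that the private server appears only under customer-a-aaa and that its timeout is reported as 10 rather than the global 5; a second VRF reusing 10.1.1.5 needs its own group with its own server-private line and key.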
Benefits
Per VRF AAA Configuration Support
Using the Per VRF AAA feature, ISPs can partition AAA services on a per-VRF basis, which allows
their customers to control their own AAA services as well as their own networks.
Server Group List Extension
The list of servers in server groups is extended to include the definitions of private servers in addition to
references to the hosts in the global configuration.