5-27
Cisco 10000 Series Router Software Configuration Guide
OL-2226-23
Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server
L2TP Network Server
Named Method Lists
To configure authentication, authorization, and accounting (AAA), you first define a named list of
methods and then apply that list to various interfaces. The named method list defines the types of
authentication or accounting to be performed and the sequence in which they will be performed. You
must apply the method list to a specific interface before any defined authentication methods are
performed. The only exception is the default method list, which is automatically applied to all interfaces
except those that have a named method list explicitly defined. A defined method list overrides the default
method list.
An authentication method list lists the methods to be queried to authenticate users. An accounting
method list lists the methods used to support accounting. Method lists enable you to designate one or
more security protocols to be used for authentication or accounting, thus ensuring a backup system for
authentication or accounting in case the initial method fails. Cisco IOS software uses the first listed
method to authenticate users or to support accounting. If that method fails to respond, the Cisco IOS
software selects the next authentication or accounting method listed in the method list. This process
continues until successful communication with a listed authentication or accounting method occurs, or
all methods defined in the method list are exhausted.
The Cisco IOS software attempts authentication with the next listed authentication method only when
there is no response from the previous method. If authentication fails at any point in this cycle (for
example, the RADIUS server responds by denying user access), the authentication process stops and no
other authentication methods are attempted.
For more information, see the “Configuring Authentication” chapter in the
Cisco IOS Security
Configuration Guide, Release 12.2
.
Framed-Route VRF Aware
The Framed-Route VRF aware feature allows you to apply static IP routes to a specific VRF table instead
of the global routing table. This feature makes RADIUS Attribute 22 (Framed-Route) and a combination
of Attribute 8 (Framed-IP-Address) and Attribute 9 (Framed-IP-Netmask) aware of VRF instances.
You can configure a per-user static route by using the Framed-Route attribute in any of the following
ways:
•
Using the Cisco
route
command
•
Using the RADIUS Framed-Route attribute
Note
When the PE router receives a Framed-Route attribute from the RADIUS server, the PE
determines if the user is a VPN customer. If so, then the static route is implemented in the
VRF routing table to which the user belongs.
•
Using the RADIUS Framed-IP-Address or Framed-IP-Netmask attribute
Note
The Framed-IP-Netmask attribute has the same function as the Framed-Route attribute.