14
AAA for MPLS L3VPNs
You can deploy AAA across VPNs in an MPLS L3VPN scenario where clients in different VPNs are
centrally authenticated. The deployment enables forwarding of RADIUS and HWTACACS packets
across MPLS VPNs. For example, as shown in Figure 10, you can
deploy AAA across the VPNs. The
CEs in VPN 1 and VPN 2 act as NASs. The NASs transparently deliver the AAA packets of private
users in VPN 1 and VPN 2 across the MPLS backbone network to the AAA servers in VPN 3 for
centralized authentication. Authentication packets of private users in different VPNs do not affect
each other.
Figure 10 Network diagram
This feature can also help an MCE to implement portal authentication for VPNs. For more
information about MCE, see MCE Configuration Guide. For more information about portal
authentication, see "Configuring portal authentication."
Protocols and standards
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
• RFC 5176, Dynamic Authorization Extensions to Remote Authentication Dial In User Service
(RADIUS)
• RFC 1492, An Access Control Protocol, Sometimes Called TACACS
• RFC 1777, Lightweight Directory Access Protocol
• RFC 2251, Lightweight Directory Access Protocol (v3)
RADIUS attributes
Commonly used standard RADIUS attributes
No. Attribute Description
1 User-Name Name of the user to be authenticated.
2 User-Password
User password for PAP authentication, only present in Access-Request
packets when PAP authentication is used.
P
MPLS backbone
PE
PE
CE
CE
CE
VPN 1
VPN 2
VPN 3
RADIUS
server
HWTACACS
server
Host
Host
NAS
To Next Page
Loading...
Need help?
General