AAA for MPLS L3VPNs

In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs. With this feature, the PE at the left side of the MPLS backbone serves as a NAS and transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication, as shown in Figure 9. Authentication packets of private users in different VPNs do not affect each other.

Figure 9: Network diagram


[NOTE: ]

NOTE:

This feature can help a multi-VPN-instance CE to implement portal authentication for VPNs. For more information about multi-VPN-instance CEs, see MPLS Configuration Guide. For more information about portal authentication, see "Configuring portal authentication."