PPPoA connections associated with a VRF using a Radius Server

Unanswered Question
Jan 31st, 2008

We have a PE (Cisco 7600) with several ADSL-CPEs connected by PPPoA. These PPPoA connections are authenticated/authorized by a Radius-Server (Cisco Secure ACS v4.1) running on a Windows machine.

So, these PPPoA connections are Virtual-Access cloned from a Virtual-Template

We want the Radius to associate these virtual-access with a vrf, I mean, each ADSL-CPE has its own user in radius and its Virtual-access will be associated with its vrf depending on the user.

We successfully authenticate the CPEs and even the radius inserts static routes associated on a per-user basis, but the vrf association fails.

In the configuration of the user in radius (Cisco IOS/PIX 6.x RADIUS Attributes) we have the following:

lcp:interface-config=ip vrf forwarding PROBA

lcp:interface-config=ip unnumbered loopback1

ip:route=vrf PROBA

ip:route=vrf VPN-ToIP

This is the configuration of the PE

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login consola none

aaa authentication enable default group tacacs+ enable

aaa authentication ppp CPEs-ADSL-PPPoA local group radius

aaa authorization exec default if-authenticated

aaa authorization network CPEs-ADSL-PPPoA group radius none

aaa session-id common




ip radius source-interface Loopback0

radius-server attribute 44 include-in-access-req

radius-server host auth-port 1812 acct-port 1813 key <removed>

radius-server vsa send accounting

radius-server vsa send authentication


vc-class atm ADSL-Class-ToIP

vbr-nrt 2000 2000 32

inarp 1

tx-ring-limit 3

no ilmi manage

oam-pvc manage 5

oam retry 4 4 5

encapsulation aal5mux ppp Virtual-Template112


interface Virtual-Template112

bandwidth 1800

ip unnumbered Loopback1

logging event link-status

load-interval 30

no peer default ip address

ppp authentication chap CPEs-ADSL-PPPoA

ppp authorization CPEs-ADSL-PPPoA

ppp multilink

ppp multilink fragment-delay 10

ppp multilink interleave

service-policy output Encolado-ADSL-ToIP


interface ATM1/0/0.238 multipoint

description PRS2-218A ADSL CPE

no ip mroute-cache

logging event subif-link-status

no atm enable-ilmi-trap

pvc 0/238

class-vc ADSL-Class-ToIP

oam-pvc manage




You can see the output of a debug radius in the attached file.

Any idea? What are we doing wrong?

attrgautam Thu, 01/31/2008 - 22:23

This is something I have seen as well and we assumed this was because of this reason -

The framed IP address is returned to the PE Router first and then the VRF, so when the VRF is tagged to the interface, the IP is knocked off and hence the user doesn't connect. I am sure when troubleshooting if you don't return the VRF, I am sure it must be working fine.

So the thing to be done is the IP address is re-negotiated after the VRF is returned. The standard configuration we do on the RADIUS for this setup is as follows -

Service-Type = Framed,

Framed-Protocol = PPP,

Cisco-AVpair = "lcp:interface-config=ip vrf forwarding VRF-NAME\nip address negotiated",

Framed-IP-Address =

Let me know if this solves your issue
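The ordering concern in the reply above can be checked offline against a user profile before it is loaded into the RADIUS server. The following is an added example, not part of the original posts or of any Cisco tool: it relies on the IOS behaviour that applying `ip vrf forwarding` to an interface removes its IP addressing, and the profiles, function names and (attribute, value) layout are constructed for illustration.

```python
import re

# Constructed sample profiles as (attribute, value) pairs; names are illustrative.
PROFILE_FROM_REPLY = [
    ("Service-Type", "Framed"),
    ("Framed-Protocol", "PPP"),
    ("Cisco-AVpair", r"lcp:interface-config=ip vrf forwarding VRF-NAME\nip address negotiated"),
]
PROFILE_BAD_ORDER = [
    ("Cisco-AVpair", "lcp:interface-config=ip unnumbered loopback1"),
    ("Cisco-AVpair", "lcp:interface-config=ip vrf forwarding PROBA"),
]
PROFILE_VRF_ONLY = [("Cisco-AVpair", "lcp:interface-config=ip vrf forwarding PROBA")]

PREFIX = "lcp:interface-config="
ADDRESSING = re.compile(r"^ip (address|unnumbered)\b", re.I)
VRF = re.compile(r"^ip vrf forwarding (\S+)", re.I)


def interface_commands(profile):
    """Return the per-user interface commands in the order the profile lists them."""
    cmds = []
    for attr, value in profile:
        if attr.lower() == "cisco-avpair" and value.startswith(PREFIX):
            body = value[len(PREFIX):]
            # One AV pair may carry several commands separated by "\n"
            # (a real newline or the two characters backslash + n).
            cmds += [c.strip() for c in re.split(r"\\n|\n", body) if c.strip()]
    return cmds


def lint_profile(profile):
    """Return findings about VRF/addressing order; an empty list means OK."""
    cmds = interface_commands(profile)
    vrf_at = [i for i, c in enumerate(cmds) if VRF.match(c)]
    if not vrf_at:
        return []
    findings = []
    first = vrf_at[0]
    if any(ADDRESSING.match(c) for c in cmds[:first]):
        findings.append("addressing command before 'ip vrf forwarding'")
    if not any(ADDRESSING.match(c) for c in cmds[first + 1:]):
        findings.append("no addressing command after 'ip vrf forwarding'")
    return findings
```
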

rmontoto Fri, 02/01/2008 - 02:12

First of all thanks a lot for your help.

I am afraid your suggestion did not solve our issue.

It seems the router does not understand "lcp:interface-config"

attrgautam Fri, 02/01/2008 - 02:25

Can I suggest the following -

Remove this attribute lcp:interface-config=ip unnumbered loopback1

and use

lcp:interface-config=ip address negotiated

rmontoto Fri, 02/01/2008 - 04:39

I think it's the same suggestion as before.

Anyway I've tried and it does not work


