PPPoA connections associated with a VRF using a Radius Server

rmontoto
Level 1

We have a PE (Cisco 7600) with several ADSL CPEs connected by PPPoA. These PPPoA connections are authenticated/authorized by a RADIUS server (Cisco Secure ACS v4.1) running on a Windows machine.

So, these PPPoA connections are Virtual-Access interfaces cloned from a Virtual-Template.

We want the RADIUS server to associate these virtual-access interfaces with a VRF; I mean, each ADSL CPE has its own user in RADIUS and its virtual-access will be associated with its VRF depending on the user.

We successfully authenticate the CPEs, and the RADIUS server even inserts static routes on a per-user basis, but the VRF association fails.

In the configuration of the user in RADIUS (Cisco IOS/PIX 6.x RADIUS Attributes) we have the following:

lcp:interface-config=ip vrf forwarding PROBA
lcp:interface-config=ip unnumbered loopback1
ip:route=vrf PROBA 69.51.218.0 255.255.255.0 10.81.18.136
ip:route=vrf VPN-ToIP 10.151.218.0 255.255.255.0 10.112.2.2

This is the configuration of the PE:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login consola none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp CPEs-ADSL-PPPoA local group radius
aaa authorization exec default if-authenticated
aaa authorization network CPEs-ADSL-PPPoA group radius none
aaa session-id common
!
...
!
ip radius source-interface Loopback0
radius-server attribute 44 include-in-access-req
radius-server host 69.50.2.135 auth-port 1812 acct-port 1813 key <removed>
radius-server vsa send accounting
radius-server vsa send authentication
!
vc-class atm ADSL-Class-ToIP
 vbr-nrt 2000 2000 32
 inarp 1
 tx-ring-limit 3
 no ilmi manage
 oam-pvc manage 5
 oam retry 4 4 5
 encapsulation aal5mux ppp Virtual-Template112
!
interface Virtual-Template112
 bandwidth 1800
 ip unnumbered Loopback1
 logging event link-status
 load-interval 30
 no peer default ip address
 ppp authentication chap CPEs-ADSL-PPPoA
 ppp authorization CPEs-ADSL-PPPoA
 ppp multilink
 ppp multilink fragment-delay 10
 ppp multilink interleave
 service-policy output Encolado-ADSL-ToIP
!
interface ATM1/0/0.238 multipoint
 description PRS2-218A ADSL CPE
 no ip mroute-cache
 logging event subif-link-status
 no atm enable-ilmi-trap
 pvc 0/238
  class-vc ADSL-Class-ToIP
  oam-pvc manage
!
!

You can see the output of "debug radius" in the attached file.

Any idea? What are we doing wrong?

4 Replies

attrgautam
Level 5

This is something I have seen as well, and we assumed it was because of this reason:

The Framed-IP-Address is returned to the PE router first and then the VRF, so when the VRF is tagged to the interface the IP is knocked off and hence the user doesn't connect. I am sure that, when troubleshooting, if you don't return the VRF it must be working fine.

So the thing to be done is that the IP address is re-negotiated after the VRF is returned. The standard configuration we do on the RADIUS for this setup is as follows:

Service-Type = Framed,
Framed-Protocol = PPP,
Cisco-AVpair = "lcp:interface-config=ip vrf forwarding VRF-NAME\nip address negotiated",
Framed-IP-Address = 10.10.10.5

Let me know if this solves your issue.
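To make that attribute set concrete, here is an added Python example (not from this thread, Cisco or the ACS product) that encodes the four reply attributes as they travel in a RADIUS Access-Accept, with Cisco-AVPair carried as Vendor-Specific attribute 26, vendor 9, sub-type 1, and decodes them back. It also enforces the 247-byte limit a single AVPair value has on the wire, which is the reason a long multi-line interface-config must be split over several AVPairs; the VRF name PROBA and the address 10.10.10.5 are taken from the thread, everything else is RFC 2865 framing.

```python
import socket
import struct

# RADIUS attribute types (RFC 2865) and the Cisco VSA used for Cisco-AVPair.
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 6, 7, 8, 26
CISCO_VENDOR_ID, CISCO_AVPAIR_SUBTYPE = 9, 1
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1
NAMES = {SERVICE_TYPE: "Service-Type", FRAMED_PROTOCOL: "Framed-Protocol",
         FRAMED_IP_ADDRESS: "Framed-IP-Address"}
# One attribute is at most 255 bytes: 2 (type/len) + 4 (vendor id) + 2 (subtype/len) + value.
MAX_AVPAIR_VALUE = 255 - 8

def attribute(attr_type, value):
    """Encode one Type-Length-Value RADIUS attribute (Length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    """Wrap an 'lcp:...' or 'ip:...' string in a Cisco Vendor-Specific attribute."""
    payload = text.encode("ascii")
    if len(payload) > MAX_AVPAIR_VALUE:
        raise ValueError("Cisco-AVPair too long; split the interface-config over several AVPairs")
    sub = bytes([CISCO_AVPAIR_SUBTYPE, len(payload) + 2]) + payload
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def vrf_reply_attributes(vrf_name, framed_ip):
    """The Access-Accept attribute list from the reply above, in the order it was given."""
    return b"".join([
        attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
        attribute(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),
        cisco_avpair(f"lcp:interface-config=ip vrf forwarding {vrf_name}\nip address negotiated"),
        attribute(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)),
    ])

def decode_attributes(blob):
    """Walk the TLV list back into (name, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            out.append(("Cisco-AVPair", value[6:4 + value[5]].decode("ascii")))  # skip vendor id + sub-header
        elif attr_type == FRAMED_IP_ADDRESS:
            out.append((NAMES[attr_type], socket.inet_ntoa(value)))
        else:
            out.append((NAMES.get(attr_type, str(attr_type)), struct.unpack("!I", value)[0]))
        i += length
    return out
```

Feeding the encoded bytes back through decode_attributes shows exactly what the 7600 sees after the ACS sends them, which is the first thing to compare against the debug radius output when an AVPair appears to be ignored.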

First of all thanks a lot for your help.

I am afraid your suggestion did not solve our issue.

It seems the router does not understand "lcp:interface-config".

Can I suggest the following:

Remove this attribute:
lcp:interface-config=ip unnumbered loopback1

and use:
lcp:interface-config=ip address negotiated

I think it's the same suggestion as before.

Anyway, I've tried it and it does not work.

Thanks
