AAA Authentication and VRF-Lite

Answered Question

Hi!


I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.


The setting is as follows. A /31 linknet is setup between PE and CE (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE uses VRF-Lite to keep the local services seperated (where more than one VPN is used..).


Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:



--> Config Begins <---


aaa new-model

!

!

aa group server radius radius-auth

server x.x.4.23 auth-port 1645 acct-port 1646

server x.x.7.139 auth-port 1645 acct-port 1646

!

aaa authentication login default group radius-auth local

aaa authentication enable default group radius-auth enable

...

radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>

radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>


...


ip radius source-interface <outside-if> vrf 10


---> Config Ends <---


The VRF-Lite instance is configured like this:


---> Config Begins <---


ip vrf 10

rd 65001:10


---> Config Ends <---


Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okey for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.


I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

Correct Answer by artegall1 about 9 years 1 month ago

It may be necessary to include a vrf-forwarding command in the server group config as follows:

aaa group server radius radius-auth

server-private x.x.x.x auth-port 1645 acct-port

1646 key ww

ip vrf forwarding 10


See the following doc for more details:

http://www.cisco.com/en/US/partner/docs/ios/12_4/secure/configuration/guide/hvrfaaa.html

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Camarsi91 Fri, 02/21/2014 - 22:44
User Badges:

Just wanted to help future people as some of the answers I found here were confusing.


This is all you need from the AAA perspective:


aaa new-model

!

!

aaa group server radius RADIUS-VRF-X

server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475

ip vrf forwarding X

!        

aaa authentication login default group RADIUS-VRF-X local

aaa authorization exec default group X local if-authenticated




Per VRF AAA reference:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

Actions

This Discussion