ASR1002x PPPoE Subinterface network authorization problem
I have been able to bring up PPPoE services both on the router itself and sending authentication to a free-radius server. Unfortunately when I initiate Network Authorization. PPPoE sessions fail and i receive this error in the debug radius brief logs " %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50
I found one article on this but was unable to replicate the success of it. Below is the config and some debug logs.
! aaa new-model ! ! aaa group server radius RADIUS_SERVER server xx.xx.xx.66 auth-port 1812 acct-port 1813 ! aaa authentication login default local aaa authentication ppp default group RADIUS_SERVER aaa authorization network default group RADIUS_SERVER aaa authorization auth-proxy default group RADIUS_SERVER aaa accounting send stop-record authentication failure aaa accounting send stop-record always aaa accounting delay-start aaa accounting nested aaa accounting update newinfo periodic 60 aaa accounting exec default start-stop group RADIUS_SERVER aaa accounting network default start-stop group RADIUS_SERVER aaa accounting connection default start-stop group RADIUS_SERVER aaa accounting system default action-type start-stop group RADIUS_SERVER ! aaa accounting resource default stop-failure group RADIUS_SERVER ! aaa nas port extended ! ! ! ! aaa session-id common aaa policy interface-config allow-subinterface ! !
The "%FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x7F7C8307C6B0, ifnum= 50" meesage means that the session came up using a full Virtual-Access Interface (VAI). VAI interfaces are not supported on ASR1k platform dur to scalability. Only sub-interfaces are supported. Most likely here, some configuration is forcing the full VAI.
Looking at the radius profile sent for the user I see you are sending "Framed-Compression  6 VJ TCP/IP Header Compressi". Most likely this is forcing the full VAI. Please remove that attribute from the radius profile and try again. Also make sure you have configured "aaa policy interface-config allow-subinterface" in global config.
Introduction: The "external-out enable" command is available for
configuration under the "router ospf process" in case of the IOS-XR
operating system. This command basically enables advertisement of
intra-area routes on the device as external routes in th...
Introduction Basic configuration for netflow Scale parameters for
netflow Netflow support Architecture Packet flow for netflow Inside the
LC CPU Netflow Cache size, maintenance and memory Sample usage Cache
Size Aging Permanent cache Characteristics Which...