09-23-2013 07:10 AM
Hi,
I have read and tried these guides
https://supportforums.cisco.com/docs/DOC-23170
https://supportforums.cisco.com/docs/DOC-19702
https://supportforums.cisco.com/docs/DOC-19726
But I have some problems. Here is my config (almost the same as the guides):
radius-server host xxx.xxx.xxx.46 auth-port 1812 acct-port 1813
!
aaa server radius dynamic-author
port 3799
client yyy.yyy.yyy.102 vrf default
!
client xxx.xxx.xxx.46 vrf default
!
aaa attribute format MY_AUTH
mac-address
!
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
!
!
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa group server radius RADIUS_GR
server xxx.xxx.xxx.46 auth-port 1812 acct-port 1813
source-interface Loopback0
!
aaa authorization network default group RADIUS_GR
aaa accounting subscriber default group RADIUS_GR
aaa authorization subscriber AUTH_GR group RADIUS_GR
aaa authorization subscriber default group RADIUS_GR
aaa authorization subscriber RADIUS_GR group RADIUS_GR
aaa authentication subscriber default group RADIUS_GR
aaa accounting update periodic 10
dhcp ipv4
profile IP_DEFAULT proxy
class IP_DEFAULT
helper-address vrf default yyy.yyy.yyy.102 giaddr zzz.zzz.zzz.1
!
helper-address vrf default yyy.yyy.yyy.102 giaddr zzz.zzz.zzz.1
relay information option
relay information policy keep
relay information option allow-untrusted
!
interface Bundle-Ether100.361 proxy profile IP_DEFAULT
!
ipv4 access-list PERM_ALL
10 permit ipv4 any any
20 permit icmp any any
30 permit ipv4 any any
!
interface Bundle-Ether100
bundle load-balancing hash dst-ip
!
!
interface Bundle-Ether100.361
ipv4 point-to-point
ipv4 unnumbered Loopback100
service-policy type control subscriber IP_PM
encapsulation dot1q 361
ipsubscriber ipv4 l2-connected
initiator dhcp
!
!
interface Loopback0
ipv4 address ccc.ccc.ccc.174 255.255.255.255
!
interface Loopback100
description 4dhcp
ipv4 address zzz.zzz.zzz.1 255.255.255.0
!
interface TenGigE0/0/2/0
bundle id 100 mode on
!
interface TenGigE0/0/2/1
!
dynamic-template
type ipsubscriber IPSUB_TPL
ipv4 unnumbered Loopback100
ipv4 access-group PERM_ALL ingress
ipv4 access-group PERM_ALL egress
!
class-map type control subscriber match-any DHCP
match protocol dhcpv4
end-class-map
!
policy-map type control subscriber IP_PM
event session-start match-first
class type control subscriber DHCP do-until-failure
5 activate dynamic-template IPSUB_TPL
10 authorize aaa list AUTH_GR format MY_AUTH password cisco
!
!
end-policy-map
!
Without service-policy type control subscriber IP_PM on the interface, the CPE gets an IP address and all works.
The RADIUS server is configured always to authenticate with access-accept, but there are errors:
Total Deadtime: 0s Last Deadtime: 0s
Timeout: 5 sec, Retransmit limit: 3
Quarantined: No
Authentication:
468 requests, 1 pending, 154 retransmits
0 accepts, 0 rejects, 0 challenges
204 timeouts, 417 bad responses, 417 bad authenticators
0 unknown types, 417 dropped, 0 ms latest rtt
Throttled: 0 transactions, 0 timeout, 0 failures
Estimated Throttled Access Transactions: 0
Maximum Throttled Access Transactions: 0
The strangest issue is this
000c.42a8.71e2 0.0.0.0 INIT 57 BE100.361 default 0x0
and
RP/0/RSP0/CPU0:Sep 23 17:08:03.507 : dhcpd[1077]: DHCPD ERROR: TP2468: rib route delete failed, null ifhandle or IPv4 address
Here is the subscriber session info
RP/0/RSP0/CPU0:ASR9001#show subscriber session all
Mon Sep 23 17:08:46.995 EET
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
ID - Idle, DN - Disconnecting, ED - End
Type Interface State Subscriber IP Addr / Prefix
LNS Address (Vrf)
--------------------------------------------------------------------------------
IP:DHCP No CN -
RP/0/RSP0/CPU0:ASR9001#show subscriber session all detail
Mon Sep 23 17:08:48.394 EET
Interface: None
Circuit ID: 000401690107
Remote ID: 0006001ebd7b2f00
Type: IP: DHCP-trigger
IPv4 State: Up Pending, Mon Sep 23 17:08:32 2013
Mac Address: 000c.42a8.71e2
Account-Session Id: 000001e0
Nas-Port: 67114640
User name: unknown
Outer VLAN ID: 361
Subscriber Label: 0x0000005f
Created: Mon Sep 23 17:08:32 2013
State: Connecting
Authentication: unauthenticated
Access-interface: Bundle-Ether100.361
Policy Executed:
policy-map type control subscriber IP_PM
event Session-Start match-first [at Mon Sep 23 17:08:32 2013]
class type control subscriber DHCP do-until-failure [Succeeded]
5 activate dynamic-template IPSUB_TPL [Succeeded]
Session Accounting: disabled
Last COA request received: unavailable
Pending Callbacks:
Waiting for Authorization to complete
Waiting for Authentication response from AAA
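
What a "bad authenticators" count like the one in the statistics above refers to, as an added example that is not part of the original post: per RFC 2865, a RADIUS client recomputes MD5(Code + Identifier + Length + Request Authenticator + Attributes + shared secret) for each reply and discards the reply when the result differs from the Response Authenticator field, which is what happens when the two sides hold different secrets. The packet values, secrets and verdict strings below are constructed for illustration and are not IOS XR internals.

```python
import hashlib
import hmac
import struct

def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS reply the way a server does (RFC 2865, section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet, request_id, request_auth, secret):
    """Client-side check of a reply; returns a verdict string (labels are ours)."""
    if len(packet) < 20:
        return "bad response: short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "bad response: length field"
    packet = packet[:length]  # octets past Length are padding and ignored
    if ident != request_id:
        return "bad response: identifier mismatch"
    # Recompute the Response Authenticator with the secret the client holds.
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad authenticator"
    return {2: "accept", 3: "reject", 11: "challenge"}.get(code, "unknown type")

# Constructed sample values (not taken from the post).
REQUEST_ID = 57
REQUEST_AUTH = bytes(range(16))           # Request Authenticator sent by the client
ATTRS = bytes([8, 6, 192, 0, 2, 10])      # Framed-IP-Address = 192.0.2.10
SERVER_SECRET = b"server-side-secret"
REPLY = build_response(2, REQUEST_ID, REQUEST_AUTH, ATTRS, SERVER_SECRET)

def demo():
    """Run the same Access-Accept through the check under four conditions."""
    check = lambda pkt, key: verify_response(pkt, REQUEST_ID, REQUEST_AUTH, key)
    return {
        "matching secret": check(REPLY, SERVER_SECRET),
        "different secret": check(REPLY, b"nas-side-secret"),
        "tampered attribute": check(REPLY[:-1] + b"\x0b", SERVER_SECRET),
        "truncated packet": check(REPLY[:10], SERVER_SECRET),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} -> {verdict}")
```

The same Access-Accept is counted as an accept only when both ends use the same secret; with any other secret, or any change to the attributes in transit, the client drops it as a bad authenticator.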