[c-nsp] PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c)
Stephen Fulton
cisco-nsp at lists.esoteric.ca
Thu Dec 22 13:11:16 EST 2005
Hello again all,

Taking into account the advice of Robert, Gerald, Oliver, Dean and
Alexandre, I've experimented with different variations. I was able to
have the router verify against the RADIUS server, and I discovered what
one of the issues was. Unfortunately I've hit another brick wall, and
after more attempts, and much reading of lists and Cisco's site, I'm
still stuck. Here is what is occurring:

1. The 7206 authenticates a user "domain.com/cisco" against the RADIUS
server, which fails. Why this is happening, I do not understand. I
can't see a reason in either the documentation I've consulted or my own
understanding of the entire process. Any pointers on this one would be
appreciated.

2. It then attempts to authenticate the PPPoE user, which succeeds. No
IP address is assigned from the pool I've created, and the PPPoE
session disconnects after a moment.

3. Debugging shows that while the PPPoE user authenticates correctly,
there is an unknown AUTH attempt by the Virtual-Access3 interface which
fails and (I believe) causes the disconnection. Again, no IP from the
configured IP pool has been assigned.

I've included the debug output and my latest configuration below:

Here's my latest debug:
>> START DEBUG
Dec 22 17:52:51.700: PPPoE 0: I PADI R:0000.24c4.ffc5 L:ffff.ffff.ffff
Fa1/0
Dec 22 17:52:51.700: PPPoE 0: O PADO, R:0000.24c4.ffc5 L:0010.54d8.141c
Fa1/0
Dec 22 17:52:51.984: PPPoE 0: I PADR R:0000.24c4.ffc5 L:0010.54d8.141c
Fa1/0
Dec 22 17:52:51.984: PPPoE : encap string prepared
Dec 22 17:52:51.984: [14]PPPoE 14: Access IE handle allocated
Dec 22 17:52:51.984: [14]PPPoE 14: pppoe SSS switch updated
Dec 22 17:52:51.984: [14]PPPoE 14: AAA get retrieved attrs
Dec 22 17:52:51.984: [14]PPPoE 14: AAA get nas port details
Dec 22 17:52:51.984: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:52:51.984: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:52:51.984: AAA/ACCT/EVENT/(00000011): CALL START
Dec 22 17:52:51.984: [14]PPPoE 14: AAA unique ID allocated
Dec 22 17:52:51.988: AAA/ACCT/SETMLIST(00000011): Handle 0, mlist
63517D5C, Name default
Dec 22 17:52:51.988: AAA/ACCT(00000011): Type NET: Periodic timer
initialized
Dec 22 17:52:51.988: [14]PPPoE 14: AAA method list set
Dec 22 17:52:51.988: [14]PPPoE 14: Service request sent to SSS
Dec 22 17:52:51.988: [14]PPPoE 14: Created R:0010.54d8.141c
L:0000.24c4.ffc5 Fa1/0
Dec 22 17:52:51.988: AAA/ACCT/EVENT/(00000011): ATTR REPLACE
Dec 22 17:52:51.988: [14]PPPoE 14: State REQ_NASPORT Event MORE_KEYS
Dec 22 17:52:51.988: [14]PPPoE 14: O PADS R:0000.24c4.ffc5
L:0010.54d8.141c Fa1/0
Dec 22 17:52:51.988: EVT: Dynamic Bind 0 0x63FF9A1C
Dec 22 17:52:51.988: ppp14 EVT: Bound 4 0x00000000
Dec 22 17:52:51.988: AAA/ACCT/SETMLIST(00000011): Handle 0, mlist
63517D5C, Name default
Dec 22 17:52:51.988: [14]PPPoE 14: State START_PPP Event DYN_BIND
Dec 22 17:52:51.988: [14]PPPoE 14: data path set to PPP
Dec 22 17:52:53.035: ppp14 EVT: Packet 0 0x63659CD8
Dec 22 17:52:53.099: ppp14 EVT: Packet 0 0x63658AF0
Dec 22 17:52:53.099: RADIUS/ENCODE(00000011): check username/password; FAIL
Dec 22 17:52:53.099: RADIUS/ENCODE(00000011): send packet; FAIL
Dec 22 17:52:53.099: ppp14 EVT: AAA Response 0 0x63E74E90
Dec 22 17:52:53.131: ppp14 EVT: Packet 0 0x636590E8
Dec 22 17:52:53.147: ppp14 EVT: Auth Packet 0 0x631921F0
Dec 22 17:52:53.151: ppp14 EVT: Hook 1 0x00000000
Dec 22 17:52:53.151: RADIUS/ENCODE(00000011):Orig. component type = PPoE
Dec 22 17:52:53.151: RADIUS: AAA Unsupported Attr: interface
[153] 7
Dec 22 17:52:53.151: RADIUS: 31 2F 30 2F 30
[1/0/0]
Dec 22 17:52:53.151: RADIUS(00000011): Storing nasport 0 in rad_db
Dec 22 17:52:53.151: RADIUS(00000011): Config NAS IP: xxx.xxx.xxx.xxx
Dec 22 17:52:53.151: RADIUS/ENCODE(00000011): acct_session_id: 17
Dec 22 17:52:53.151: RADIUS(00000011): sending
Dec 22 17:52:53.151: RADIUS(00000011): Send Access-Request to
xxx.xxx.xxx.xxx:1812 id 1645/24, len 77
Dec 22 17:52:53.151: RADIUS: authenticator D3 0F 3D 7F F1 1F 41 19 - 85
65 1E 7C 97 F4 8F 4A
Dec 22 17:52:53.151: RADIUS: User-Name [1] 15 "domain.com"
Dec 22 17:52:53.151: RADIUS: User-Password [2] 18 *
Dec 22 17:52:53.151: RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
Dec 22 17:52:53.151: RADIUS: NAS-Port [5] 6 0
Dec 22 17:52:53.151: RADIUS: Service-Type [6] 6 Outbound
[5]
Dec 22 17:52:53.151: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Dec 22 17:52:55.171: RADIUS: Received from id 1645/24
xxx.xxx.xxx.xxx:1812, Access-Reject, len 20
Dec 22 17:52:55.171: RADIUS: authenticator 15 92 F3 93 16 85 E4 E3 - 2E
A4 10 08 C0 18 C9 F7
Dec 22 17:52:55.171: RADIUS(00000011): Received from id 1645/24
Dec 22 17:52:55.175: ppp14 EVT: Hook 1 0x00000000
Dec 22 17:52:55.175: ppp14 EVT: Forwarded 0 0x00000000
Dec 22 17:52:55.175: RADIUS/ENCODE(00000011):Orig. component type = PPoE
Dec 22 17:52:55.175: RADIUS: AAA Unsupported Attr: interface
[153] 7
Dec 22 17:52:55.175: RADIUS: 31 2F 30 2F 30
[1/0/0]
Dec 22 17:52:55.175: RADIUS(00000011): Using existing nas_port 0
Dec 22 17:52:55.175: RADIUS(00000011): Config NAS IP: xxx.xxx.xxx.xxx
Dec 22 17:52:55.175: RADIUS/ENCODE(00000011): acct_session_id: 17
Dec 22 17:52:55.175: RADIUS(00000011): sending
Dec 22 17:52:55.175: RADIUS(00000011): Send Access-Request to
xxx.xxx.xxx.xxx:1812 id 1645/25, len 91
Dec 22 17:52:55.175: RADIUS: authenticator 99 EC F0 28 0F AB 53 A2 - 9B
F5 BF 17 AF 03 74 68
Dec 22 17:52:55.175: RADIUS: Framed-Protocol [7] 6 PPP
[1]
Dec 22 17:52:55.175: RADIUS: User-Name [1] 23
"test at domain.com"
Dec 22 17:52:55.175: RADIUS: User-Password [2] 18 *
Dec 22 17:52:55.175: RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
Dec 22 17:52:55.175: RADIUS: NAS-Port [5] 6 0
Dec 22 17:52:55.175: RADIUS: Service-Type [6] 6 Framed
[2]
Dec 22 17:52:55.175: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Dec 22 17:52:55.183: RADIUS: Received from id 1645/25
205.207.122.33:1812, Access-Accept, len 50
Dec 22 17:52:55.183: RADIUS: authenticator 5A B4 1E 4F 0A C2 CC 38 - CB
9D 1A 08 2F AE FC 73
Dec 22 17:52:55.183: RADIUS: Service-Type [6] 6 Framed
[2]
Dec 22 17:52:55.183: RADIUS: Framed-Protocol [7] 6 PPP
[1]
Dec 22 17:52:55.183: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
Dec 22 17:52:55.183: RADIUS: Framed-IP-Address [8] 6 255.255.255.254
Dec 22 17:52:55.183: RADIUS: Framed-Compression [13] 6 VJ TCP/IP
Header Compressi[1]
Dec 22 17:52:55.183: RADIUS(00000011): Received from id 1645/25
Dec 22 17:52:55.183: ppp14 EVT: AAA Response 0 0x63E74E90
Dec 22 17:52:55.187: ppp14 EVT: Hook 1 0x00000000
Dec 22 17:52:55.187: [14]PPPoE 14: State LCP_NEGO Event PPP_LOCAL
Dec 22 17:52:55.187: PPPoE 14: Can not use sub-interface
Dec 22 17:52:55.187: Vi3 Debug: Condition 1, interface Vt1 triggered,
count 2
Dec 22 17:52:55.191: Vi3 EVT: Setup 0 0x00000000
Dec 22 17:52:55.191: [14]PPPoE 14: State CREATE_VA Event VA_RESP
Dec 22 17:52:55.191: [14]PPPoE 14: Vi3 interface obtained
Dec 22 17:52:55.191: EVT: Static Bind 0 0x63FF9A1C
Dec 22 17:52:55.191: Vi3 EVT: Free PPP 0 0x00000000
Dec 22 17:52:55.191: [14]PPPoE 14: State PTA_BIND Event STAT_BIND
Dec 22 17:52:55.191: [14]PPPoE 14: data path set to Virtual Acess
Dec 22 17:52:55.191: [14]PPPoE 14: Connected PTA
Dec 22 17:52:55.195: %LINK-3-UPDOWN: Interface Virtual-Access3, changed
state to up
Dec 22 17:52:55.195: Vi3 EVT: Hook 1 0x00000000
Dec 22 17:52:55.195: Vi3 EVT: Forwarded 0 0x00000000
Dec 22 17:52:55.195: Vi3 AAA/AUTHOR/LCP: Process Author
Dec 22 17:52:55.195: Vi3 AAA/AUTHOR/LCP: Process Attr: service-type
Dec 22 17:52:55.195: Vi3 AAA/AUTHOR/LCP: Process Attr: link-compression
Dec 22 17:52:55.195: Vi3 AAA/AUTHOR/LCP: IF_config:
ip tcp header-compression
Dec 22 17:52:55.195: Vi3 PAP: O AUTH-ACK id 1 len 5
Dec 22 17:52:56.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access3, changed state to up
Dec 22 17:53:03.099: Vi3 AUTH: Timeout 1
Dec 22 17:53:13.115: Vi3 AUTH: Timeout 2
Dec 22 17:53:23.131: Vi3 AUTH: Timeout 3
Dec 22 17:53:23.151: Vi3 EVT: Packet 0 0x631924EC
Dec 22 17:53:33.147: Vi3 AUTH: Timeout 4
Dec 22 17:53:43.163: Vi3 AUTH: Timeout 5
Dec 22 17:53:53.175: Vi3 EVT: Packet 0 0x63194BB8
Dec 22 17:53:53.179: Vi3 AUTH: Timeout 6
Dec 22 17:54:03.195: Vi3 AUTH: Timeout 7
Dec 22 17:54:13.211: Vi3 AUTH: Timeout 8
Dec 22 17:54:23.202: Vi3 EVT: Packet 0 0x631930DC
Dec 22 17:54:23.226: Vi3 AUTH: Timeout 9
Dec 22 17:54:33.242: Vi3 AUTH: Timeout 10
Dec 22 17:54:43.258: Vi3 AUTH: Timeout 11
Dec 22 17:54:43.258: Vi3 EVT: Soft Disc 0 0x00000000
Dec 22 17:54:43.258: AAA/ACCT/SETMLIST(00000011): Handle 0, mlist
63517D5C, Name default
Dec 22 17:54:43.258: AAA/ACCT/EVENT/(00000011): NET DOWN
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: AAA/ACCT/EVENT/(00000011): CALL STOP
Dec 22 17:54:43.318: Vi3 EVT: Packet 0 0x63195DA0
Dec 22 17:54:43.318: Vi3 EVT: Free PPP 0 0x00000000
Dec 22 17:54:43.318: [14]PPPoE 14: State CNCT_PTA Event PPP_DISCNCT
Dec 22 17:54:43.318: [14]PPPoE 14: O PADT R:0000.24c4.ffc5
L:0010.54d8.141c Fa1/0
Dec 22 17:54:43.318: [14]PPPoE 14: Destroying R:0000.24c4.ffc5
L:0010.54d8.141c Fa1/0
Dec 22 17:54:43.318: PPPoE: Returning Vaccess Virtual-Access3
Dec 22 17:54:43.318: AAA/ACCT/EVENT/(00000011): NET DOWN
Dec 22 17:54:43.318: [14]PPPoE 14: AAA account stopped
Dec 22 17:54:43.322: %LINK-3-UPDOWN: Interface Virtual-Access3, changed
state to down
Dec 22 17:54:43.394: PPPoE 14: I PADT R:0000.24c4.ffc5 L:0010.54d8.141c
Fa1/0
Dec 22 17:54:44.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access3, changed state to down
Dec 22 17:54:44.258: Vi3 Debug: Condition 1, interface Vt1 cleared, count 1
<< END DEBUG
Now the configuration:
>> START CONFIG:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname nc-frt-bas1
!
boot-start-marker
boot bootstrap disk0:/c7200-boot-mz.120-22.bin
boot system disk0:/c7200-is-mz.123-9c.bin
boot-end-marker
!
logging buffered 65536 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius tor-radius
 server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
 server-private xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key <password>
 ip radius source-interface FastEthernet0/0
!
aaa authentication login default line
aaa authentication ppp default group tor-radius
aaa authorization network default group tor-radius
aaa accounting update periodic 240
aaa accounting network default start-stop group tor-radius
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
no ip domain lookup
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
 description PPPoE
 accept-dialin
  protocol pppoe
  virtual-template 1
 pppoe limit max-sessions 1000
!
interface Loopback1
 description IP Range lockdown for pppoe assignments
 ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface FastEthernet0/0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
 no ip mroute-cache
 duplex full
 media-type mii
!
interface FastEthernet1/0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex full
 pppoe enable
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Loopback1
 ip tcp adjust-mss 1420
 ip mroute-cache
 peer default ip address pool pppoepool
 ppp max-bad-auth 3
 ppp mtu adaptive
 ppp authentication pap
!
!
ip local pool pppoepool 192.168.100.130 198.168.100.150
ip classless
no ip http server
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
>> END CONFIG
Thanks again.
-- Stephen