[cisco-bba] PPPoE & cisco-avpairs
Gordon Smith
gsmith at wxc.co.nz
Thu Jul 8 19:56:33 EDT 2004
Hi all,
I've been trying to get RADIUS to pass rate-limit attributes to a 7301 that we're going to be using to terminate broadband PPPoE customers on. The radius servers are running freeradius, and we have them successfully sending back multiple cisco-avpair attributes.
Unfortunately, the router is just ignoring them. I found an earlier post from Dennis saying that the use of "virtual-profile aaa" is now deprecated, so that's not it (be nice if the Cisco website had something on that Dennis - I've spent a couple of days trolling through it trying to find out where that command went. I should have checked these lists first).
A radius debug shows the attributes coming in to the router:
Jul 9 11:17:40 NZST: RADIUS: Vendor, Cisco [26] 106
Jul 9 11:17:40 NZST: RADIUS: Cisco AVpair [1] 100 "lcp:interface-config#1=rate-limit input 32000 2000 2000 conform-action transmit exceed-action drop"
Jul 9 11:17:40 NZST: RADIUS: Vendor, Cisco [26] 107
Jul 9 11:17:40 NZST: RADIUS: Cisco AVpair [1] 101 "lcp:interface-config#2=rate-limit output 32000 2000 2000 conform-action transmit exceed-action drop"
but debugging aaa doesn't show the rate-limits being applied. Checking the virtual interface for the user shows that no rate limits are applied. Maybe I'm not seeing the forest for the trees.... been on this for the past several days :-(
Any input would be appreciated. Here's a copy of the 7301 config, with most of the irrelevant stuff stripped out (ospf, etc):
version 12.3
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname car1
!
boot-start-marker
boot system disk0:c7301-is-mz.123-9.bin
boot-end-marker
!
logging snmp-authfail
enable secret 5 xxxxxxxxxxxxxxxxxxxx
!
clock timezone NZST 12
clock summer-time NZST recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
clock calendar-valid
aaa new-model
!
!
aaa authentication login old-style line
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
aaa nas port extended
aaa session-id common
ip subnet-zero
ip host-routing
!
!
ip cef
!
vpdn enable
!
vpdn-group wired
 accept-dialin
  protocol pppoe
  virtual-template 1
 pppoe limit per-mac 1
 ip pmtu
!
!
!
interface GigabitEthernet0/2
 no ip address
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/2.1030
 description wired_country_data
 encapsulation dot1Q 1030
 pppoe enable
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1492
 no ip route-cache cef
 no logging event link-status
 peer default ip address pool dynamic
 ppp authentication pap
 ppp ipcp address required
 ppp ipcp address unique
!
interface Group-Async0
 physical-layer async
 no ip address
!
!
ip local pool dynamic 202.182.203.1 202.182.203.254
ip classless
ip route 0.0.0.0 0.0.0.0 202.182.192.129 200
ip flow-export version 9
no ip http server
!
!
!
!
radius-server attribute nas-port format d
radius-server host 202.182.193.3 auth-port 1812 acct-port 1813
radius-server host 202.182.192.3 auth-port 1812 acct-port 1813
radius-server key 7 xxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
Cheers,
Gordon
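
Added example, not part of the original post: a Python check over the four debug lines quoted above that verifies the attribute 26 framing (lengths per RFC 2865) and the protocol:attribute#n=value layout of each Cisco AVpair, so malformed attributes can be ruled out before troubleshooting further on the router. The function name parse_avpairs and the regular expressions are assumptions of this example.

```python
import re

# Sample input: the four "debug radius" lines quoted in the post.
SAMPLE = '''\
Jul 9 11:17:40 NZST: RADIUS: Vendor, Cisco [26] 106
Jul 9 11:17:40 NZST: RADIUS: Cisco AVpair [1] 100 "lcp:interface-config#1=rate-limit input 32000 2000 2000 conform-action transmit exceed-action drop"
Jul 9 11:17:40 NZST: RADIUS: Vendor, Cisco [26] 107
Jul 9 11:17:40 NZST: RADIUS: Cisco AVpair [1] 101 "lcp:interface-config#2=rate-limit output 32000 2000 2000 conform-action transmit exceed-action drop"
'''

VSA_RE = re.compile(r'RADIUS:\s+Vendor, Cisco\s+\[26\]\s+(\d+)')
AVP_RE = re.compile(r'RADIUS:\s+Cisco AVpair\s+\[1\]\s+(\d+)\s+"(.*)"\s*$')
# AVpair string: protocol:attribute[#n]<sep>value, sep "=" mandatory, "*" optional
PAIR_RE = re.compile(r'^([a-z0-9-]+):([A-Za-z0-9_-]+)(?:#(\d+))?([=*])(.*)$')

def parse_avpairs(debug_text):
    """Return one dict per Cisco AVpair line, with any framing problems."""
    results, vsa_len = [], None
    for line in debug_text.splitlines():
        m = VSA_RE.search(line)
        if m:                       # attribute 26 header: remember its length
            vsa_len = int(m.group(1))
            continue
        m = AVP_RE.search(line)
        if not m:
            continue
        sub_len, raw = int(m.group(1)), m.group(2)
        problems = []
        # RFC 2865: sub-attribute = type(1) + length(1) + value
        if sub_len != len(raw.encode()) + 2:
            problems.append("sub-attribute length does not match value")
        # RFC 2865: attribute 26 = type(1) + length(1) + vendor-id(4) + sub-attribute
        if vsa_len is None:
            problems.append("no preceding vendor-specific header")
        elif vsa_len != sub_len + 6:
            problems.append("vendor-specific length does not match sub-attribute")
        p = PAIR_RE.match(raw)
        if not p:
            problems.append("not in protocol:attribute=value form")
        proto, attr, seq, sep, value = p.groups() if p else (None,) * 5
        results.append({"protocol": proto, "attribute": attr,
                        "seq": int(seq) if seq else None,
                        "mandatory": sep == "=", "value": value,
                        "problems": problems})
        vsa_len = None              # each header covers one AVpair here
    return results

if __name__ == "__main__":
    print(*parse_avpairs(SAMPLE), sep="\n")
```

Both quoted attributes come back with an empty problems list, which matches the post's observation that they arrive at the router intact.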