[cisco-bba] PPPoE & cisco-avpairs

Gordon Smith gsmith at wxc.co.nz
Thu Jul 8 19:56:33 EDT 2004

Hi all,

I've been trying to get RADIUS to pass rate-limit attributes to a 7301 that we're going to be using to terminate broadband PPPoE customers on. The radius servers are running freeradius, and we have them successfully sending back multiple cisco-avpair attributes.
Unfortunately, the router is just ignoring them. I found an earlier post from Dennis saying that the use of "virtual-profile aaa" is now deprecated, so that's not it (be nice if the Cisco website had something on that Dennis - I've spent a couple of days trolling through it trying to find out where that command went. I should have checked these lists first).

A radius debug shows the attributes coming in to the router:

Jul  9 11:17:40 NZST: RADIUS:  Vendor, Cisco       [26]  106 
Jul  9 11:17:40 NZST: RADIUS:   Cisco AVpair       [1]   100 "lcp:interface-config#1=rate-limit input 32000 2000 2000 conform-action transmit exceed-action drop"
Jul  9 11:17:40 NZST: RADIUS:  Vendor, Cisco       [26]  107 
Jul  9 11:17:40 NZST: RADIUS:   Cisco AVpair       [1]   101 "lcp:interface-config#2=rate-limit output 32000 2000 2000 conform-action transmit exceed-action drop"

but debugging aaa doesn't show the rate-limits being applied. Checking the virtual interface for the user shows that no rate limits are applied. Maybe I'm not seeing the forest for the trees.... been on this for the past several days  :-(
Any input would be appreciated. Here's a copy of the 7301 config, with most of the irrelevant stuff stripped out (ospf, etc):

version 12.3
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
hostname car1
boot system disk0:c7301-is-mz.123-9.bin
logging snmp-authfail
enable secret 5 xxxxxxxxxxxxxxxxxxxx
clock timezone NZST 12
clock summer-time NZST recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
clock calendar-valid
aaa new-model
aaa authentication login old-style line
aaa authentication ppp default group radius
aaa authorization exec default local 
aaa authorization network default if-authenticated 
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
aaa nas port extended
aaa session-id common
ip subnet-zero
ip host-routing
ip cef
vpdn enable
vpdn-group wired
  protocol pppoe
  virtual-template 1
 pppoe limit per-mac 1
 ip pmtu
interface GigabitEthernet0/2
 no ip address
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
interface GigabitEthernet0/2.1030
 description wired_country_data
 encapsulation dot1Q 1030
 pppoe enable
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1492
 no ip route-cache cef
 no logging event link-status
 peer default ip address pool dynamic
 ppp authentication pap
 ppp ipcp address required
 ppp ipcp address unique
interface Group-Async0
 physical-layer async
 no ip address
ip local pool dynamic
ip classless
ip route 200
ip flow-export version 9
no ip http server
radius-server attribute nas-port format d
radius-server host auth-port 1812 acct-port 1813
radius-server host auth-port 1812 acct-port 1813
radius-server key 7 xxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
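
An added example, not part of the original post: a small Python encoder/decoder for the Vendor-Specific [26] / Cisco AVpair [1] framing shown in the debug above, useful for checking that what a RADIUS server emits is well-formed before looking at the router side. The function names are this example's own; the two AVpair strings are copied from the debug output, and the splitting on ":" and "=" assumes the protocol:attribute=value form seen there.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type, "[26]" in the debug
CISCO_VENDOR_ID = 9    # Cisco's enterprise number in the Vendor-Id field
CISCO_AVPAIR = 1       # vendor sub-type, "[1]" in the debug

def encode_avpair(text):
    """Wrap one AVpair string in a Vendor-Specific attribute."""
    value = text.encode("ascii")
    sub = bytes([CISCO_AVPAIR, len(value) + 2]) + value   # sub-type, sub-length, string
    total = 2 + 4 + len(sub)                              # type + length + Vendor-Id + sub
    if total > 255:
        raise ValueError("AVpair does not fit in one RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, total]) + struct.pack("!I", CISCO_VENDOR_ID) + sub

def decode_avpairs(attrs):
    """Return (outer_len, sub_len, protocol, name, value) per Cisco AVpair found."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        a_type, a_len = attrs[pos], attrs[pos + 1]
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 6:
            continue                                      # not a usable VSA
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue                                      # another vendor's VSA
        sub, i = body[4:], 0
        while i < len(sub):
            if len(sub) - i < 2 or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            s_type, s_len = sub[i], sub[i + 1]
            if s_type == CISCO_AVPAIR:
                text = sub[i + 2:i + s_len].decode("ascii")
                protocol, _, rest = text.partition(":")
                name, _, value = rest.partition("=")
                found.append((a_len, s_len, protocol, name, value))
            i += s_len
    return found

# The two strings are copied from the debug output in the post.
PAIRS = [
    "lcp:interface-config#1=rate-limit input 32000 2000 2000 conform-action transmit exceed-action drop",
    "lcp:interface-config#2=rate-limit output 32000 2000 2000 conform-action transmit exceed-action drop",
]

if __name__ == "__main__":
    for row in decode_avpairs(b"".join(encode_avpair(p) for p in PAIRS)):
        print(row)
```

The encoded lengths come out as 106/100 and 107/101, matching the numbers the router prints next to [26] and [1] in the debug.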