[cisco-bba] PPPoE & cisco-avpairs

Gordon Smith gsmith at wxc.co.nz
Thu Jul 8 19:56:33 EDT 2004


Hi all,

I've been trying to get RADIUS to pass rate-limit attributes to a 7301 that we're going to be using to terminate broadband PPPoE customers on. The radius servers are running freeradius, and we have them successfully sending back multiple cisco-avpair attributes.
Unfortunately, the router is just ignoring them. I found an earlier post from Dennis saying that the use of "virtual-profile aaa" is now deprecated, so that's not it (be nice if the Cisco website had something on that Dennis - I've spent a couple of days trolling through it trying to find out where that command went. I should have checked these lists first).

A radius debug shows the attributes coming in to the router:

Jul  9 11:17:40 NZST: RADIUS:  Vendor, Cisco       [26]  106 
Jul  9 11:17:40 NZST: RADIUS:   Cisco AVpair       [1]   100 "lcp:interface-config#1=rate-limit input 32000 2000 2000 conform-action transmit exceed-action drop"
Jul  9 11:17:40 NZST: RADIUS:  Vendor, Cisco       [26]  107 
Jul  9 11:17:40 NZST: RADIUS:   Cisco AVpair       [1]   101 "lcp:interface-config#2=rate-limit output 32000 2000 2000 conform-action transmit exceed-action drop"

but debugging aaa doesn't show the rate-limits being applied. Checking the virtual interface for the user shows that no rate limits are applied. Maybe I'm not seeing the forest for the trees.... been on this for the past several days  :-(
Any input would be appreciated. Here's a copy of the 7301 config, with most of the irrelevant stuff stripped out (ospf, etc):


version 12.3
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname car1
!
boot-start-marker
boot system disk0:c7301-is-mz.123-9.bin
boot-end-marker
!
logging snmp-authfail
enable secret 5 xxxxxxxxxxxxxxxxxxxx
!
clock timezone NZST 12
clock summer-time NZST recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
clock calendar-valid
aaa new-model
!
!
aaa authentication login old-style line
aaa authentication ppp default group radius
aaa authorization exec default local 
aaa authorization network default if-authenticated 
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
aaa nas port extended
aaa session-id common
ip subnet-zero
ip host-routing
!
!
ip cef
!
vpdn enable
!
vpdn-group wired
 accept-dialin
  protocol pppoe
  virtual-template 1
 pppoe limit per-mac 1
 ip pmtu
!
!
!
interface GigabitEthernet0/2
 no ip address
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/2.1030
 description wired_country_data
 encapsulation dot1Q 1030
 pppoe enable
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1492
 no ip route-cache cef
 no logging event link-status
 peer default ip address pool dynamic
 ppp authentication pap
 ppp ipcp address required
 ppp ipcp address unique
!
interface Group-Async0
 physical-layer async
 no ip address
!
!
ip local pool dynamic 202.182.203.1 202.182.203.254
ip classless
ip route 0.0.0.0 0.0.0.0 202.182.192.129 200
ip flow-export version 9
no ip http server
!         
!
!
!
radius-server attribute nas-port format d
radius-server host 202.182.193.3 auth-port 1812 acct-port 1813
radius-server host 202.182.192.3 auth-port 1812 acct-port 1813
radius-server key 7 xxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!


Cheers,
Gordon
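
An added example, not part of the original post: a Python sketch that encodes the two AV pairs from the debug output as RFC 2865 Vendor-Specific attributes (type 26, Cisco vendor ID 9, vendor type 1) and decodes them again. The resulting lengths match the 106/100 and 107/101 values in the debug lines, which is consistent with the attributes arriving well-formed; the function names are hypothetical.

```python
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
VSA_TYPE = 26         # RFC 2865 Vendor-Specific attribute
CISCO_AVPAIR = 1      # Cisco vendor type 1 = cisco-avpair

# The two AV pairs quoted in the debug output above.
AVPAIRS = [
    "lcp:interface-config#1=rate-limit input 32000 2000 2000 conform-action transmit exceed-action drop",
    "lcp:interface-config#2=rate-limit output 32000 2000 2000 conform-action transmit exceed-action drop",
]

def encode_avpair(text):
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = text.encode("ascii")
    sub_len = 2 + len(data)   # vendor type + vendor length + string
    total = 6 + sub_len       # type + length + 4-byte vendor id
    if total > 255:
        raise ValueError("AV pair too long for a single RADIUS attribute")
    return struct.pack("!BBIBB", VSA_TYPE, total, CISCO_VENDOR_ID,
                       CISCO_AVPAIR, sub_len) + data

def decode_avpairs(buf):
    """Return (outer_len, sub_len, protocol, attribute, value) per cisco-avpair."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        body = buf[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE or len(body) < 6:
            continue          # not a vendor-specific attribute
        vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
        if vendor != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR or vlen != len(body) - 4:
            continue          # other vendor, other subtype, or inconsistent length
        name, _, value = body[6:].decode("ascii").partition("=")
        protocol, _, attr = name.partition(":")
        out.append((alen, vlen, protocol, attr, value))
    return out

if __name__ == "__main__":
    wire = b"".join(encode_avpair(p) for p in AVPAIRS)
    for row in decode_avpairs(wire):
        print(row)
```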


