[cisco-bba] PPPoE & cisco-avpairs

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Jul 9 01:34:53 EDT 2004


Hi Gordon,

can you try "aaa authorization network default group radius"? With your
current authorization configuration, you are not using Radius to
authorize your PPP connections (and applying any attributes to the
connection is done during the authorization phase).

	oli

Gordon Smith <> wrote on Friday, July 09, 2004 1:57 AM:

> Hi all,
> 
> I've been trying to get RADIUS to pass rate-limit attributes to a 7301
> that we're going to be using to terminate broadband PPPoE customers
> on. The radius servers are running freeradius, and we have them
> successfully sending back multiple cisco-avpair attributes.
> Unfortunately, the router is just ignoring them. I found an earlier
> post from Dennis saying that the use of "virtual-profile aaa" is now
> deprecated, so that's not it (be nice if the Cisco website had
> something on that Dennis - I've spent a couple of days trolling
> through it trying to find out where that command went. I should have
> checked these lists first)
> 
> A radius debug shows the attributes coming in to the router:
> 
> Jul  9 11:17:40 NZST: RADIUS:  Vendor, Cisco       [26]  106
> Jul  9 11:17:40 NZST: RADIUS:   Cisco AVpair       [1]   100
> "lcp:interface-config#1=rate-limit input 32000 2000 2000
> conform-action transmit exceed-action drop"  
> Jul  9 11:17:40 NZST: RADIUS:  Vendor, Cisco       [26]  107
> Jul  9 11:17:40 NZST: RADIUS:   Cisco AVpair       [1]   101
> "lcp:interface-config#2=rate-limit output 32000 2000 2000
> conform-action transmit exceed-action drop"  
> 
> but debugging aaa doesn't show the rate-limits being applied.
> Checking the virtual interface for the user shows that no rate limits
> are applied. Maybe I'm not seeing the forest for the trees.... been
> on this for the past several days  :-(   
> Any input would be appreciated. Here's a copy of the 7301 config,
> with most of the irrelevant stuff stripped out (ospf, etc):
> 
> 
> version 12.3
> no service pad
> service timestamps debug datetime localtime show-timezone
> service timestamps log datetime localtime show-timezone
> service password-encryption
> !
> hostname car1
> !
> boot-start-marker
> boot system disk0:c7301-is-mz.123-9.bin
> boot-end-marker
> !
> logging snmp-authfail
> enable secret 5 xxxxxxxxxxxxxxxxxxxx
> !
> clock timezone NZST 12
> clock summer-time NZST recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
> clock calendar-valid
> aaa new-model
> !
> !
> aaa authentication login old-style line
> aaa authentication ppp default group radius
> aaa authorization exec default local
> aaa authorization network default if-authenticated
> aaa accounting update periodic 5
> aaa accounting network default start-stop group radius
> aaa nas port extended
> aaa session-id common
> ip subnet-zero
> ip host-routing
> !
> !
> ip cef
> !
> vpdn enable
> !
> vpdn-group wired
>  accept-dialin
>   protocol pppoe
>   virtual-template 1
>  pppoe limit per-mac 1
>  ip pmtu
> !
> !
> !
> interface GigabitEthernet0/2
>  no ip address
>  duplex full
>  speed 100
>  media-type rj45
>  no negotiation auto
> !
> interface GigabitEthernet0/2.1030
>  description wired_country_data
>  encapsulation dot1Q 1030
>  pppoe enable
> !
> interface Virtual-Template1
>  ip unnumbered Loopback0
>  ip mtu 1492
>  no ip route-cache cef
>  no logging event link-status
>  peer default ip address pool dynamic
>  ppp authentication pap
>  ppp ipcp address required
>  ppp ipcp address unique
> !
> interface Group-Async0
>  physical-layer async
>  no ip address
> !
> !
> ip local pool dynamic 202.182.203.1 202.182.203.254
> ip classless
> ip route 0.0.0.0 0.0.0.0 202.182.192.129 200
> ip flow-export version 9
> no ip http server
> !
> !
> !
> !
> radius-server attribute nas-port format d
> radius-server host 202.182.193.3 auth-port 1812 acct-port 1813
> radius-server host 202.182.192.3 auth-port 1812 acct-port 1813
> radius-server key 7 xxxxxxxxxxxxxxxxxxx
> radius-server vsa send accounting
> radius-server vsa send authentication
> !
> 
> 
> Cheers,
> Gordon
> 
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
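
Added example, not part of either message above: a Python check for the condition the reply describes, where PPP authentication goes to RADIUS but the network authorization method list does not, so per-user attributes such as the rate-limit AV pairs are not applied. The function names and the simplified first-method model are assumptions of this example; the config excerpts are constructed from the lines quoted in the thread.

```python
import re

# Constructed excerpts: the AAA lines from the quoted config, and the same
# lines with the change suggested in the reply.
ORIGINAL = """\
aaa new-model
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default if-authenticated
"""
SUGGESTED = ORIGINAL.replace(
    "aaa authorization network default if-authenticated",
    "aaa authorization network default group radius")

METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$", re.M)

def method_lists(config):
    """Map (phase, service, list_name) -> ordered list of methods."""
    lists = {}
    for phase, service, name, rest in METHOD_LIST.findall(config):
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            # "group <name>" is one method that names a server group
            if tok == "group" and tokens:
                tok += " " + tokens.pop(0)
            methods.append(tok)
        lists[(phase, service, name)] = methods
    return lists

def audit_ppp_authorization(config):
    """Return findings for PPP sessions that use the default method lists."""
    # Assumption: only the first method is examined, because a later method
    # is tried only when the earlier one returns an error.
    lists = method_lists(config)
    authn = lists.get(("authentication", "ppp", "default"), [])
    authz = lists.get(("authorization", "network", "default"), [])
    if "group radius" not in authn:
        return []
    if not authz:
        return ["no 'aaa authorization network default' list is configured"]
    if authz[0] != "group radius":
        return [f"first network authorization method is '{authz[0]}', not 'group radius'"]
    return []

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, audit_ppp_authorization(cfg) or "ok")
```
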


