[cisco-bba] PPPoE & Cisco

Dennis Peng dpeng at cisco.com
Thu Mar 31 13:53:05 EST 2005


How do you know the rate-limit isn't being applied? Can you do a "show
run int virtual-access X" after the session comes up? It is normal to
see the "not applied" debug message during IPCP. The attribute is
applied during LCP only. Other helpful debugs will be "debug aaa
per-user" and "debug vtemplate cloning/error".

Dennis

Dib Elie [elie_dib at yahoo.com] wrote:
> Hi,
> 
> This is my first listing here. I am trying to set up a
> PPPoE scenario using 4500 Router and Cisco Secure ACS.
> I am able to authenticate the user and give him
> access. I am also trying to limit the bandwidth of
> each user using cisco avpair but I am not able to do
> so.
> 
> this is the configuration done on the router:
> 
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R8
> !
> aaa new-model
> aaa group server radius elie
>  server 10.10.10.2 auth-port 1645 acct-port 1646
> !
> aaa authentication login default local
> aaa authentication ppp default group elie
> aaa authorization network default group elie 
> aaa nas port extended
> !
> username cisco password 0 cisco
> ip subnet-zero
> no ip domain-lookup
> !
> vpdn enable
> !
> vpdn-group 1
>  accept-dialin
>   protocol pppoe
>   virtual-template 1
> !
> !
> !
> !
> interface Ethernet0
>  no ip address
>  load-interval 30
>  media-type 10BaseT
>  pppoe enable
> !
> interface Ethernet1
>  ip address 10.10.10.1 255.255.255.0
>  load-interval 30
>  media-type 10BaseT
> !
> interface Virtual-Template1
>  ip unnumbered Ethernet1
>  ip mtu 1492
>  load-interval 30
>  no peer default ip address
>  ppp authentication chap
> !
> ip classless
> ip flow-export version 5
> no ip http server
> !
> radius-server host 10.10.10.2 auth-port 1645 acct-port 1646 key cisco
> radius-server attribute nas-port format d
> radius-server vsa send accounting
> radius-server vsa send authentication
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> end
>  
> 
> and this is the output of the "debug radius" done on
> the router:
> 
> 00:34:02: %LINK-3-UPDOWN: Interface Virtual-Access1,
> changed state to up
> 00:34:02: RADIUS: ustruct sharecount=2
> 00:34:02: Radius: radius_port_info() success=1
> radius_nas_port=17
> 00:34:02: RADIUS: added cisco VSA 2 len 16
> "Virtual-Access1*"
> 00:34:02: RADIUS: Initial Transmit Virtual-Access1* id
> 18 10.10.10.2:1645, Access-Request, len 100
> 00:34:02:         Attribute 4 6 0A0A0A01
> 00:34:02:         Attribute 5 6 1F000000
> 00:34:02:         Attribute 26 24 0000000902125669
> 00:34:02:         Attribute 61 6 00000005
> 00:34:02:         Attribute 1 7 63697363
> 00:34:02:         Attribute 3 19 1314D9B2
> 00:34:02:         Attribute 6 6 00000002
> 00:34:02:         Attribute 7 6 00000001
> 00:34:02: RADIUS: Received from id 18 10.10.10.2:1645,
> Access-Accept, len 209
> 00:34:02:         Attribute 26 121 0000000901736C63
> 00:34:02:         Attribute 6 6 00000002
> 00:34:02:         Attribute 7 6 00000001
> 00:34:02:         Attribute 10 6 00000003
> 00:34:02:         Attribute 12 6 00000578
> 00:34:02:         Attribute 8 6 FFFFFFFF
> 00:34:02:         Attribute 25 38 43495343
> 00:34:02: RADIUS: cisco AVPair
> "lcp:interface-config=rate-limit input access-group
> 101 16000 2000 2000 conform-action transmit
> exceed-action drop"
> 00:34:02: RADIUS: cisco AVPair
> "lcp:interface-config=rate-limit input access-group
> 101 16000 2000 2000 conform-action transmit
> exceed-action drop" not applied for ip
> 00:34:02: RADIUS: allowing negotiated framed address 
> 00:34:02: RADIUS: cisco AVPair
> "lcp:interface-config=rate-limit input access-group
> 101 16000 2000 2000 conform-action transmit
> exceed-action drop" not applied for ip
> 00:34:02: RADIUS: allowing negotiated framed address
> 20.20.20.1
> 00:34:03: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface Virtual-Access1, changed state to up
> 
> any suggestions,
> 
> Regards
> Elie
> 
> 
> 		
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
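
An added example, not part of the original thread and not Cisco code: a small Python parser for the "debug radius" output quoted above. It decodes the attribute hex using the RFC 2865 attribute numbers and marks a "not applied for ip" line on an lcp: AVPair as the normal case described in the reply; the function names and status labels are assumptions of this example.

```python
import ipaddress
import re

# Excerpt of the "debug radius" output quoted above, e-mail line wraps joined.
SAMPLE = '''\
00:34:02:         Attribute 4 6 0A0A0A01
00:34:02:         Attribute 26 121 0000000901736C63
00:34:02:         Attribute 12 6 00000578
00:34:02:         Attribute 8 6 FFFFFFFF
00:34:02: RADIUS: cisco AVPair "lcp:interface-config=rate-limit input access-group 101 16000 2000 2000 conform-action transmit exceed-action drop"
00:34:02: RADIUS: cisco AVPair "lcp:interface-config=rate-limit input access-group 101 16000 2000 2000 conform-action transmit exceed-action drop" not applied for ip
'''

# RFC 2865 attribute numbers that occur in the trace.
NAMES = {1: "User-Name", 3: "CHAP-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
         10: "Framed-Routing", 12: "Framed-MTU", 25: "Class",
         26: "Vendor-Specific", 61: "NAS-Port-Type"}
ATTR = re.compile(r"Attribute (\d+) (\d+) ([0-9A-F]+)")
AVPAIR = re.compile(r'cisco AVPair "(?P<prefix>[^:"]+):(?P<body>[^"]*)"'
                    r'(?: not applied for (?P<proto>\S+))?')

def decode_attr(atype, length, hexval):
    """Decode one 'Attribute <type> <len> <hex>' line; len counts the 2-byte header."""
    raw = bytes.fromhex(hexval)
    name = NAMES.get(atype, f"attr-{atype}")
    if atype == 26:  # 4-byte vendor id, then vendor type and vendor length
        return name, {"vendor": int.from_bytes(raw[:4], "big"),
                      "vendor_type": raw[4], "vendor_len": raw[5]}
    if length != 6:  # the trace shows only the leading bytes of longer values
        return name, None
    if atype in (4, 8):
        return name, str(ipaddress.IPv4Address(raw))
    return name, int.from_bytes(raw, "big")

def decode_trace(text):
    return [decode_attr(int(t), int(n), h) for t, n, h in ATTR.findall(text)]

def avpair_events(text):
    """Classify each AVPair line by comparing its prefix with the skipping protocol."""
    events = []
    for m in AVPAIR.finditer(text):
        if m["proto"] is None:
            status = "received"
        elif m["proto"] != m["prefix"]:
            status = "normal skip"      # e.g. an lcp: attribute reported during ip
        else:
            status = "check"            # assumption of this example, not an IOS rule
        events.append((m["prefix"], m["proto"], status))
    return events

if __name__ == "__main__":
    for item in decode_trace(SAMPLE) + avpair_events(SAMPLE):
        print(item)
```

In the decoded output, vendor 9 with vendor type 1 is the Cisco AVPair carrying the rate-limit string, and Framed-IP-Address 255.255.255.255 is the RFC 2865 value that lets the user negotiate an address, which matches the "allowing negotiated framed address" lines.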

