[cisco-bba] PPPoE & Cisco
Dennis Peng
dpeng at cisco.com
Thu Mar 31 15:52:31 EST 2005
For the rest of the list, the missing command was "virtual-profile
aaa" which is required in 12.2, but not in 12.3.
Dennis
Dib Elie [elie_dib at yahoo.com] wrote:
> Hi Dennis,
>
> two things show that the rate-limit isn't applied:
> 1- I did the show run int virtual-access 1 and it was
> not there
> 2- I tried the bandwidth and I was able to get 512K
> while the rate-limit should only give me 16K
>
> Elie
>
> --- Dennis Peng <dpeng at cisco.com> wrote:
>
> > How do you know the rate-limit isn't being applied?
> > Can you do a "show run int virtual-access X" after the
> > session comes up? It is normal to see the "not applied"
> > debug message during IPCP. The attribute is applied
> > during LCP only. Other helpful debugs will be
> > "debug aaa per-user" and "debug vtemplate cloning/error".
> >
> > Dennis
> >
> > Dib Elie [elie_dib at yahoo.com] wrote:
> > > Hi,
> > >
> > > this is my first listing here. I am trying to set up a
> > > PPPoE scenario using 4500 Router and Cisco Secure ACS.
> > > I am able to authenticate the user and give him
> > > access. I am also trying to limit the bandwidth of
> > > each user using cisco avpair but I am not able to do
> > > so.
> > >
> > > this is the configuration done on the router:
> > >
> > > version 12.2
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname R8
> > > !
> > > aaa new-model
> > > aaa group server radius elie
> > > server 10.10.10.2 auth-port 1645 acct-port 1646
> > > !
> > > aaa authentication login default local
> > > aaa authentication ppp default group elie
> > > aaa authorization network default group elie
> > > aaa nas port extended
> > > !
> > > username cisco password 0 cisco
> > > ip subnet-zero
> > > no ip domain-lookup
> > > !
> > > vpdn enable
> > > !
> > > vpdn-group 1
> > > accept-dialin
> > > protocol pppoe
> > > virtual-template 1
> > > !
> > > !
> > > !
> > > !
> > > interface Ethernet0
> > > no ip address
> > > load-interval 30
> > > media-type 10BaseT
> > > pppoe enable
> > > !
> > > interface Ethernet1
> > > ip address 10.10.10.1 255.255.255.0
> > > load-interval 30
> > > media-type 10BaseT
> > > !
> > > interface Virtual-Template1
> > > ip unnumbered Ethernet1
> > > ip mtu 1492
> > > load-interval 30
> > > no peer default ip address
> > > ppp authentication chap
> > > !
> > > ip classless
> > > ip flow-export version 5
> > > no ip http server
> > > !
> > > radius-server host 10.10.10.2 auth-port 1645 acct-port 1646 key cisco
> > > radius-server attribute nas-port format d
> > > radius-server vsa send accounting
> > > radius-server vsa send authentication
> > > !
> > > line con 0
> > > line aux 0
> > > line vty 0 4
> > > !
> > > end
> > >
> > >
> > > and this is the output of the "debug radius" done on
> > > the router:
> > >
> > > 00:34:02: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
> > > 00:34:02: RADIUS: ustruct sharecount=2
> > > 00:34:02: Radius: radius_port_info() success=1 radius_nas_port=17
> > > 00:34:02: RADIUS: added cisco VSA 2 len 16 "Virtual-Access1*"
> > > 00:34:02: RADIUS: Initial Transmit Virtual-Access1* id 18 10.10.10.2:1645, Access-Request, len 100
> > > 00:34:02: Attribute 4 6 0A0A0A01
> > > 00:34:02: Attribute 5 6 1F000000
> > > 00:34:02: Attribute 26 24 0000000902125669
> > > 00:34:02: Attribute 61 6 00000005
> > > 00:34:02: Attribute 1 7 63697363
> > > 00:34:02: Attribute 3 19 1314D9B2
> > > 00:34:02: Attribute 6 6 00000002
> > > 00:34:02: Attribute 7 6 00000001
> > > 00:34:02: RADIUS: Received from id 18 10.10.10.2:1645, Access-Accept, len 209
> > > 00:34:02: Attribute 26 121 0000000901736C63
> > > 00:34:02: Attribute 6 6 00000002
> > > 00:34:02: Attribute 7 6 00000001
> > > 00:34:02: Attribute 10 6 00000003
> > > 00:34:02: Attribute 12 6 00000578
> > > 00:34:02: Attribute 8 6 FFFFFFFF
> > > 00:34:02: Attribute 25 38 43495343
> > > 00:34:02: RADIUS: cisco AVPair "lcp:interface-config=rate-limit input access-group 101 16000 2000 2000 conform-action transmit exceed-action drop"
> > > 00:34:02: RADIUS: cisco AVPair "lcp:interface-config=rate-limit input access-group 101 16000 2000 2000 conform-action transmit exceed-action drop" not applied for ip
> > > 00:34:02: RADIUS: allowing negotiated framed address
> > > 00:34:02: RADIUS: cisco AVPair "lcp:interface-config=rate-limit input access-group 101 16000 2000 2000 conform-action transmit exceed-action drop" not applied for ip
> > > 00:34:02: RADIUS: allowing negotiated framed address 20.20.20.1
> > > 00:34:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
> > >
> > > any suggestions,
> > >
> > > Regards
> > > Elie
> > >
> > >
> > >
> > > _______________________________________________
> > > cisco-bba mailing list
> > > cisco-bba at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-bba
> >
>
>
>
>
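Added example, not part of the original thread: a small Python check that automates the verification discussed above by extracting the `lcp:interface-config` commands from "debug radius" output and reporting any that are absent from the session's "show run int virtual-access" output. The log lines are the thread's own with mail wrapping undone; the show-run text is constructed, and the assumption is that IOS displays the cloned command in the same form the RADIUS server sent it.

```python
import re

# Constructed sample: the thread's "debug radius" lines with the mail
# client's line wrapping undone.
DEBUG_RADIUS = '''\
00:34:02: RADIUS: cisco AVPair "lcp:interface-config=rate-limit input access-group 101 16000 2000 2000 conform-action transmit exceed-action drop"
00:34:02: RADIUS: cisco AVPair "lcp:interface-config=rate-limit input access-group 101 16000 2000 2000 conform-action transmit exceed-action drop" not applied for ip
00:34:02: RADIUS: allowing negotiated framed address 20.20.20.1
'''

# Constructed "show run int virtual-access 1" output for a session where the
# per-user command was NOT cloned onto the interface (layout is an assumption).
SHOW_RUN_MISSING = '''\
interface Virtual-Access1
 ip unnumbered Ethernet1
 ip mtu 1492
 no peer default ip address
 ppp authentication chap
end
'''

AVPAIR_RE = re.compile(r'cisco AVPair "lcp:interface-config=([^"]+)"')


def pushed_commands(debug_text):
    """Return the distinct interface commands the RADIUS server sent."""
    seen = []
    for cmd in AVPAIR_RE.findall(debug_text):
        cmd = " ".join(cmd.split())          # normalise whitespace
        if cmd not in seen:                  # the AVPair is logged per NCP
            seen.append(cmd)
    return seen


def interface_commands(show_run_text):
    """Return the whitespace-normalised lines of an interface stanza."""
    return {" ".join(l.split()) for l in show_run_text.splitlines() if l.strip()}


def missing_commands(debug_text, show_run_text):
    """Commands RADIUS pushed that are absent from the running interface."""
    present = interface_commands(show_run_text)
    return [c for c in pushed_commands(debug_text) if c not in present]


if __name__ == "__main__":
    for cmd in missing_commands(DEBUG_RADIUS, SHOW_RUN_MISSING):
        print("per-user command not on interface:", cmd)
```

A non-empty result means the per-user policy was authorized by RADIUS but is not being enforced on the session, which is the condition the thread traced to the missing "virtual-profile aaa" command on 12.2.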