[cisco-nas] FW: Problems with creating Virtual-Access interfaces

Félix Izquierdo fizquierdo at l3consulting.com
Tue Aug 31 11:49:30 EDT 2004


Félix Izquierdo wrote:

> Andris Zarins wrote:
> 
>> Hi,
>>
>> I’ve got a task to implement a dial-in access to VRF on Cisco router 
>> (3640). Scheme is almost trivial – client (Cisco router, for example 
>> 2500 series) dials-in using ISDN to Cisco NAS 3640 (12.3(8) T3 – 
>> TELCO). Then RADIUS authentication and authorization is performed, and 
>> there should be created virtual-access interface dynamically with 
>> configuration received from RADIUS server. Everything seems OK – user 
>> dials-in, authenticates himself, RADIUS sends Vaccess i-faces 
>> configuration (tried debugging – OK) , but no Virtual-Access 
>> interfaces are created. Instead of this ISDN channels get bind to 
>> DialerProfile and there is no per-user configuration. I tried to 
>> downgrade IOS code to 12.0 – using this version and exactly the same 
>> NAS configuration, VAccess interfaces are created, but there are 
>> problems with RADIUS – AAA messages are denied by error “decrypt 
>> failed” (I believe this is another story, not connected this this 
>> VAccess issue).
>>
>> Question is – why there are no Virtual-Access interfaces using IOS 
>> 12.3? Am I missing some required configuration? In 12.0 there is a 
>> command “virtual-profile aaa”, but it is deprecated since 12.2, and it 
>> should work without it.
>>
> 
> Because the new vaccess default using subinterface. You must configure 
> "no virtual-template subinterface".
> 

Other advices:

If you are using vprofiles+dialer_profiles, you must configure at least 
two dialer profiles ( IOS oddity ). Also, don't configure 
virtual-profile if-needed if you are implementing dial-in access to 
vrf's, because you want to be sure that an vaccess is ever used.







More information about the cisco-nas mailing list