[cisco-nas] FW: Problems with creating Virtual-Access interfaces
Félix Izquierdo
fizquierdo at l3consulting.com
Tue Aug 31 11:49:30 EDT 2004
Félix Izquierdo wrote:
> Andris Zarins wrote:
>
>> Hi,
>>
>> I’ve got a task to implement dial-in access to a VRF on a Cisco router
>> (3640). The scheme is almost trivial – a client (a Cisco router, for example
>> 2500 series) dials in using ISDN to a Cisco NAS 3640 (12.3(8) T3 –
>> TELCO). Then RADIUS authentication and authorization is performed, and
>> a virtual-access interface should be created dynamically with the
>> configuration received from the RADIUS server. Everything seems OK – the user
>> dials in, authenticates himself, RADIUS sends the Vaccess interface
>> configuration (tried debugging – OK), but no Virtual-Access
>> interfaces are created. Instead, the ISDN channels get bound to the
>> DialerProfile and there is no per-user configuration. I tried to
>> downgrade the IOS code to 12.0 – using this version and exactly the same
>> NAS configuration, VAccess interfaces are created, but there are
>> problems with RADIUS – AAA messages are denied with the error “decrypt
>> failed” (I believe this is another story, not connected to this
>> VAccess issue).
>>
>> The question is – why are there no Virtual-Access interfaces using IOS
>> 12.3? Am I missing some required configuration? In 12.0 there is a
>> command “virtual-profile aaa”, but it is deprecated since 12.2, and it
>> should work without it.
>>
>
> Because the new vaccess defaults to using a subinterface. You must configure
> "no virtual-template subinterface".
>
Other advice:
If you are using vprofiles+dialer_profiles, you must configure at least
two dialer profiles (IOS oddity). Also, don't configure
virtual-profile if-needed if you are implementing dial-in access to
VRFs, because you want to be sure that a vaccess is ever used.