[cisco-nas] VPDN setup not working

Jasper Jans jasper.jans at gmail.com
Thu Aug 19 04:31:36 EDT 2010


Hi,

First of all - I've posted this to both the NAS en NSP list since it touches
on both I guess.

We have an old setup that authenticates ISDN dial-in users and puts them in
a Cisco VRF depending on which user authenticates.
However this was all build about eight years ago using both home grown
radius servers and L2F as the tunnel protocol. I've been
asked to migrate this setup to a new location which needs to be running
before we can dismantle the old setup. I've trying to do
away with all of the homegrown bits and make it a standard solution using
L2TP as the tunnel protocol.

A quick overview of the setup which I'm using to test with:
Cisco 180x as dial-in router
Cisco AS5350 (NAS/LAC terminating the ISDN call) running
IOS c5350-jk9s-mz.124-15.T9.bin
Cisco 7200 (VHG/PE/LNS terminating the VPDN tunnel and ultimately the PPP
session into an MPLS VPN) running IOS c7200-jk9s-mz.123-20.bin
Freeradius using MySQL as an backend.

I manage to get the call to dial-in, the NAS/LAC to setup the VPDN tunnel
and the VHG/LNS to send the radius request to terminate the PPP
session. I actually see that the virtual-template gets cloned to a
virtual-access interface - however after a few sessions the connection
drops and if I issue a "show run" on the virtual-access interface it does
not seem to have any config on it while the session is up.

I've included the output of a debug of both the VHG/LNS as well as of the
radius server at the end of this mail. I've also included the running
configuration of the AS5350 and 7200 incase I did something wrong there. I
realize this makes for a rather large email - my apologies.

I guess the interesting bit so far from the debug is this section:
Aug 12 16:15:43.924 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access2, changed state to up
Aug 12 16:15:52.868 CEST: Vi2 CHAP: I CHALLENGE id 86 len 41 from "
test-klant at backup.nl"
Aug 12 16:15:52.868 CEST: RADIUS/ENCODE(0000003C): sendauth, failing over
Aug 12 16:15:52.868 CEST: RADIUS/ENCODE(0000003C): send packet; BEGIN
Aug 12 16:15:52.868 CEST: Vi2 CHAP: Unable to authenticate for peer
Aug 12 16:15:52.868 CEST: Vi2 PPP: Sending Acct Event[Down] id[3C]
Aug 12 16:15:52.868 CEST: Vi2 PPP: Phase is TERMINATING

I hope someone can tell me what it is that I'm doing wrong. If extra debug
of information is needed please let me know - I'll be happy to supply this.
Thanks a lot for taking the time to have a look.

 - Jasper

------------

Debug VHG:
Aug 12 16:15:42.916 CEST: ppp55 PPP: Phase is ESTABLISHING
Aug 12 16:15:42.916 CEST: ppp55 PPP: Send Message[Dynamic Bind Response]
Aug 12 16:15:42.916 CEST: ppp55 LCP: I FORCED rcvd CONFACK len 30
Aug 12 16:15:42.916 CEST: ppp55 LCP:    AuthProto CHAP (0x0305C22305)
Aug 12 16:15:42.916 CEST: ppp55 LCP:    MagicNumber 0x0D06A846
(0x05060D06A846)
Aug 12 16:15:42.916 CEST: ppp55 LCP:    MRRU 1524 (0x110405F4)
Aug 12 16:15:42.916 CEST: ppp55 LCP:    EndpointDisc 1 asd-tc3-ap01
(0x130F016173642D7463332D61703031)
Aug 12 16:15:42.916 CEST: ppp55 LCP: I FORCED sent CONFACK len 38
Aug 12 16:15:42.916 CEST: ppp55 LCP:    AuthProto CHAP (0x0305C22305)
Aug 12 16:15:42.916 CEST: ppp55 LCP:    MagicNumber 0x9A996122
(0x05069A996122)
Aug 12 16:15:42.916 CEST: ppp55 LCP:    MRRU 1500 (0x110405DC)
Aug 12 16:15:42.916 CEST: ppp55 LCP:    EndpointDisc 1 test-klant at backup.nl
Aug 12 16:15:42.916 CEST: ppp55 LCP:
(0x131701746573742D6B6C616E74406261)
Aug 12 16:15:42.916 CEST: ppp55 LCP:     (0x636B75702E6E6C)
Aug 12 16:15:42.916 CEST: ppp55 PPP: Phase is FORWARDING, Attempting Forward
Aug 12 16:15:42.916 CEST: ppp55 PPP SSS: Receive SSS-Mgr Connect-Local
Aug 12 16:15:42.916 CEST: ppp55 PPP: Phase is AUTHENTICATING,
Unauthenticated User
Aug 12 16:15:42.916 CEST: RADIUS/ENCODE(0000003C):Orig. component type =
VPDN
Aug 12 16:15:42.916 CEST: RADIUS:  AAA Unsupported Attr: interface
[153] 14
Aug 12 16:15:42.916 CEST: RADIUS:   55 6E 69 71 2D 53 65 73 73 2D 49 44
         [Uniq-Sess-ID]
Aug 12 16:15:42.916 CEST: RADIUS(0000003C): Storing nasport 55 in rad_db
Aug 12 16:15:42.916 CEST: RADIUS(0000003C): Config NAS IP: 195.18.85.3
Aug 12 16:15:42.916 CEST: RADIUS/ENCODE(0000003C): acct_session_id: 60
Aug 12 16:15:42.916 CEST: RADIUS(0000003C): sending
Aug 12 16:15:42.916 CEST: RADIUS(0000003C): Send Access-Request to
195.18.104.132:1812 id 1645/71, len 114
Aug 12 16:15:42.916 CEST: RADIUS:  authenticator DD 7C 9E 37 25 71 75 C1 -
3A F2 17 44 A0 BA BF E4
Aug 12 16:15:42.916 CEST: RADIUS:  Framed-Protocol     [7]   6   PPP
              [1]
Aug 12 16:15:42.916 CEST: RADIUS:  User-Name           [1]   22  "
test-klant at backup.nl"
Aug 12 16:15:42.916 CEST: RADIUS:  CHAP-Password       [3]   19  *
Aug 12 16:15:42.916 CEST: RADIUS:  NAS-Port-Type       [61]  6   Virtual
              [5]
Aug 12 16:15:42.916 CEST: RADIUS:  NAS-Port            [5]   6   55

Aug 12 16:15:42.916 CEST: RADIUS:  Calling-Station-Id  [31]  12
 "0365465531"
Aug 12 16:15:42.916 CEST: RADIUS:  Called-Station-Id   [30]  11  "207300300"
Aug 12 16:15:42.916 CEST: RADIUS:  Service-Type        [6]   6   Framed
               [2]
Aug 12 16:15:42.916 CEST: RADIUS:  NAS-IP-Address      [4]   6   195.18.85.3

Aug 12 16:15:42.920 CEST: RADIUS: Received from id 1645/71
195.18.104.132:1812, Access-Accept, len 150
Aug 12 16:15:42.920 CEST: RADIUS:  authenticator 4B 16 16 8C 36 79 DB 45 -
61 5E D1 5D 34 51 1A 0E
Aug 12 16:15:42.920 CEST: RADIUS:  Service-Type        [6]   6   Framed
               [2]
Aug 12 16:15:42.920 CEST: RADIUS:  Framed-Protocol     [7]   6   PPP
              [1]
Aug 12 16:15:42.920 CEST: RADIUS:  Vendor, Cisco       [26]  57
Aug 12 16:15:42.920 CEST: RADIUS:   Cisco AVpair       [1]   51
 "lcp:interface-config=ip vrf forwarding test-klant"
Aug 12 16:15:42.920 CEST: RADIUS:  Vendor, Cisco       [26]  55
Aug 12 16:15:42.920 CEST: RADIUS:   Cisco AVpair       [1]   49
 "lcp:interface-config=ip unnumbered Loopback1132"
Aug 12 16:15:42.920 CEST: RADIUS:  Framed-IP-Address   [8]   6   192.168.2.1

Aug 12 16:15:42.920 CEST: RADIUS(0000003C): Received from id 1645/71
Aug 12 16:15:42.920 CEST: ppp55 PPP: Phase is FORWARDING, Attempting Forward
Aug 12 16:15:42.920 CEST: ppp55 PPP: Send Message[Connect Local]
Aug 12 16:15:42.920 CEST: Vi2 PPP: Phase is DOWN, Setup
Aug 12 16:15:42.920 CEST: ppp55 PPP: Bind to [Virtual-Access2]
Aug 12 16:15:42.920 CEST: Vi2 PPP: Send Message[Static Bind Response]
Aug 12 16:15:42.924 CEST: %LINK-3-UPDOWN: Interface Virtual-Access2, changed
state to up
Aug 12 16:15:42.924 CEST: Vi2 PPP: Phase is AUTHENTICATING, Authenticated
User
Aug 12 16:15:42.924 CEST: Vi2 CHAP: O SUCCESS id 2 len 4
Aug 12 16:15:43.924 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access2, changed state to up
Aug 12 16:15:52.868 CEST: Vi2 CHAP: I CHALLENGE id 86 len 41 from "
test-klant at backup.nl"
Aug 12 16:15:52.868 CEST: RADIUS/ENCODE(0000003C): sendauth, failing over
Aug 12 16:15:52.868 CEST: RADIUS/ENCODE(0000003C): send packet; BEGIN
Aug 12 16:15:52.868 CEST: Vi2 CHAP: Unable to authenticate for peer
Aug 12 16:15:52.868 CEST: Vi2 PPP: Sending Acct Event[Down] id[3C]
Aug 12 16:15:52.868 CEST: Vi2 PPP: Phase is TERMINATING
Aug 12 16:15:52.868 CEST: Vi2 LCP: O TERMREQ [Open] id 1 len 4
Aug 12 16:15:52.888 CEST: Vi2 LCP: I TERMACK [TERMsent] id 1 len 4
Aug 12 16:15:52.888 CEST: Vi2 LCP: State is Closed
Aug 12 16:15:52.888 CEST: Vi2 PPP: Phase is DOWN
Aug 12 16:15:52.888 CEST: Vi2 PPP: Send Message[Disconnect]
Aug 12 16:15:52.892 CEST: %LINK-3-UPDOWN: Interface Virtual-Access2, changed
state to down
Aug 12 16:15:53.868 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access2, changed state to down

------------------------

Debug radius:
rad_recv: Access-Request packet from host 195.18.85.193:1645, id=42,
length=122
        User-Name = "backup.nl"
        User-Password = "cisco"
        NAS-Port = 20326
        NAS-Port-Id = "Serial3/3:26"
        NAS-Port-Type = ISDN
        Calling-Station-Id = "0365465531"
        Called-Station-Id = "207300300"
        Connect-Info = "64000 HDLC"
        Service-Type = Dialout-Framed-User
        NAS-IP-Address = 195.18.85.193
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/auth-detail-20100812'
rlm_detail: /var/log/radius/radacct/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/auth-detail-20100812
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
radius_xlat:  'backup.nl'
rlm_sql (sql): sql_set_user escaped user --> 'backup.nl'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'backup.nl'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'backup.nl' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radreply           WHERE Username = 'backup.nl'           ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'backup.nl' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/radius/radacct/reply-detail-20100812'
rlm_detail: /var/log/radius/radacct/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/reply-detail-20100812
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 42 to 195.18.85.193 port 1645
        Cisco-AVPair += "vpdn:tunnel-id=AS5350-All"
        Cisco-AVPair += "vpdn:ip-addresses=195.18.85.3"
        Cisco-AVPair += "vpdn:tunnel-type=l2tp"
        Cisco-AVPair += "vpdn:l2tp-tunnel-password=cisco"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 195.18.85.3:1645, id=73,
length=114
        Framed-Protocol = PPP
        User-Name = "test-klant at backup.nl"
        CHAP-Password = 0x02011f8ce0ed5275d50c7a786cc7e47c6b
        NAS-Port-Type = Virtual
        NAS-Port = 57
        Calling-Station-Id = "0365465531"
        Called-Station-Id = "207300300"
        Service-Type = Framed-User
        NAS-IP-Address = 195.18.85.3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:  '/var/log/radius/radacct/auth-detail-20100812'
rlm_detail: /var/log/radius/radacct/auth-detail-%Y%m%d expands to
/var/log/radius/radacct/auth-detail-20100812
  modcall[authorize]: module "auth_log" returns ok for request 1
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 1
radius_xlat:  'test-klant at backup.nl'
rlm_sql (sql): sql_set_user escaped user --> 'test-klant at backup.nl'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radcheck           WHERE Username = 'test-klant at backup.nl'           ORDER
BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = '
test-klant at backup.nl' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM
radreply           WHERE Username = 'test-klant at backup.nl'           ORDER
BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = '
test-klant at backup.nl' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 1
  rlm_chap: login attempt by "test-klant at backup.nl" with CHAP password
  rlm_chap: Using clear text password test for user
test-klant at backup.nlauthentication.
  rlm_chap: chap user test-klant at backup.nl authenticated succesfully
  modcall[authenticate]: module "chap" returns ok for request 1
modcall: leaving group CHAP (returns ok) for request 1
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
radius_xlat:  '/var/log/radius/radacct/reply-detail-20100812'
rlm_detail: /var/log/radius/radacct/reply-detail-%Y%m%d expands to
/var/log/radius/radacct/reply-detail-20100812
  modcall[post-auth]: module "reply_log" returns ok for request 1
modcall: leaving group post-auth (returns ok) for request 1
Sending Access-Accept of id 73 to 195.18.85.3 port 1645
        Service-Type := Framed-User
        Framed-Protocol := PPP
        Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding
test-klant"
        Cisco-AVPair += "lcp:interface-config#2=ip vrf forwarding
test-klant"
Finished request 1
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 42 with timestamp 4c64044c
Cleaning up request 1 ID 73 with timestamp 4c64044c
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 195.18.85.193:1646, id=43,
length=263
        Acct-Session-Id = "00000114"
        Framed-Protocol = PPP
        Tunnel-Medium-Type:0 = IP
        Tunnel-Client-Endpoint:0 = "195.18.85.193"
        Tunnel-Server-Endpoint:0 = "195.18.85.3"
        Tunnel-Type:0 = L2TP
        Acct-Tunnel-Connection = "1057600042"
        Tunnel-Client-Auth-Id:0 = "AS5350-All"
        Tunnel-Server-Auth-Id:0 = "asd-cap-dr03"
        User-Name = "test-klant at backup.nl"
        Acct-Authentic = RADIUS
        Acct-Session-Time = 10
        Acct-Input-Octets = 53
        Acct-Output-Octets = 16
        Acct-Input-Packets = 2
        Acct-Output-Packets = 2
        Acct-Terminate-Cause = Host-Request
        Acct-Status-Type = Stop
        NAS-Port = 20326
        NAS-Port-Id = "Serial3/3:26"
        NAS-Port-Type = ISDN
        Calling-Station-Id = "0365465531"
        Called-Station-Id = "207300300"
        Connect-Info = "64000 HDLC"
        Service-Type = Framed-User
        NAS-IP-Address = 195.18.85.193
        Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 2
  modcall[preacct]: module "preprocess" returns noop for request 2
rlm_acct_unique: Hashing 'NAS-Port = 20326,Client-IP-Address =
195.18.85.193,NAS-IP-Address = 195.18.85.193,Acct-Session-Id =
"00000114",User-Name = "test-klant at backup.nl"'
rlm_acct_unique: Acct-Unique-Session-ID = "76ea71aaa12d8845".
  modcall[preacct]: module "acct_unique" returns ok for request 2
modcall: leaving group preacct (returns ok) for request 2
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
radius_xlat:  '/var/log/radius/radacct/detail-20100812'
rlm_detail: /var/log/radius/radacct/detail-%Y%m%d expands to
/var/log/radius/radacct/detail-20100812
  modcall[accounting]: module "detail" returns ok for request 2
  modcall[accounting]: module "unix" returns ok for request 2
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'test-klant at backup.nl'
rlm_radutmp: Logout for NAS asd-tc3-ap01 port 20326, but no Login record
  modcall[accounting]: module "radutmp" returns ok for request 2
radius_xlat:  'test-klant at backup.nl'
rlm_sql (sql): sql_set_user escaped user --> 'test-klant at backup.nl'
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2010-08-12 16:25:26',
AcctSessionTime = '10', AcctInputOctets = '53', AcctOutputOctets = '16',
AcctTerminateCause = 'Host-Request', AcctStopDelay = '0', ConnectInfo_stop =
'64000 HDLC' WHERE AcctSessionId = '00000114' AND UserName = '
test-klant at backup.nl' AND NASIPAddress = '195.18.85.193''
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName,
Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime,
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop,
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress,
AcctStartDelay, AcctStopDelay) values('00000114', '76ea71aaa12d8845', '
test-klant at backup.nl', '', '195.18.85.193', '20326', 'ISDN',
DATE_SUB('2010-08-12 16:25:26', INTERVAL (10 + 0) SECOND), '2010-08-12
16:25:26', '10', 'RADIUS', '', '64000 HDLC', '53', '16', '207300300',
'0365465531', 'Host-Request', 'Framed-User', 'PPP', '', '0', '0')'
rlm_sql (sql): Released sql socket id: 2
  modcall[accounting]: module "sql" returns ok for request 2
modcall: leaving group accounting (returns ok) for request 2
Sending Accounting-Response of id 43 to 195.18.85.193 port 1646
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 43 with timestamp 4c640456
Nothing to do.  Sleeping until we see a request.

-------------------

Database entries MySQL:
mysql> select * from radcheck where UserName = 'backup.nl';
+------+-----------+-----------+----+-------+
| id   | UserName  | Attribute | op | Value |
+------+-----------+-----------+----+-------+
| 1445 | backup.nl | Password  | == | cisco |
+------+-----------+-----------+----+-------+
1 row in set (0.00 sec)

mysql> select * from radreply where UserName = 'backup.nl';
+------+-----------+--------------+----+---------------------------------+
| id   | UserName  | Attribute    | op | Value                           |
+------+-----------+--------------+----+---------------------------------+
| 2246 | backup.nl | Cisco-AVPair | += | vpdn:tunnel-id=AS5350-All       |
| 2247 | backup.nl | Cisco-AVPair | += | vpdn:ip-addresses=195.18.85.3   |
| 2248 | backup.nl | Cisco-AVPair | += | vpdn:tunnel-type=l2tp           |
| 2249 | backup.nl | Cisco-AVPair | += | vpdn:l2tp-tunnel-password=cisco |
+------+-----------+--------------+----+---------------------------------+
4 rows in set (0.00 sec)

mysql> select * from radcheck where UserName = 'test-klant at backup.nl';
+------+----------------------+-----------+----+-------+
| id   | UserName             | Attribute | op | Value |
+------+----------------------+-----------+----+-------+
| 1444 | test-klant at backup.nl | Password  | == | test  |
+------+----------------------+-----------+----+-------+
1 row in set (0.00 sec)

mysql> select * from radreply where UserName = 'test-klant at backup.nl';
+------+----------------------+-------------------+----+-----------------------------------------------------+
| id   | UserName             | Attribute         | op | Value
                                |
+------+----------------------+-------------------+----+-----------------------------------------------------+
| 2231 | test-klant at backup.nl | Service-Type      | := | Framed-User
                                |
| 2250 | test-klant at backup.nl | Framed-Protocol   | := | PPP
                                |
| 2263 | test-klant at backup.nl | Cisco-AVPair      | += |
lcp:interface-config#1=ip vrf forwarding test-klant |
| 2264 | test-klant at backup.nl | Cisco-AVPair      | += |
lcp:interface-config#2=ip vrf forwarding test-klant |
+------+----------------------+-------------------+----+-----------------------------------------------------+
4 rows in set (0.00 sec)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-nas/attachments/20100819/19843500/attachment-0001.html>
-------------- next part --------------
version 12.4
no parser cache
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname asd-tc3-ap01
!
boot-start-marker
no boot startup-test
boot-end-marker
!
enable secret <removed>
!
!
!
resource-pool disable
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication ppp default group radius
aaa authorization exec default local group tacacs+ 
aaa authorization commands 1 default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 
aaa authorization network default group radius 
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default stop-only group radius
aaa accounting connection default start-stop group radius
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
tdm clock priority 1 3/0
calltracker enable
calltracker history max-size 30
calltracker call-record verbose
spe call-record modem
!         
spe default-firmware spe-firmware-1
ds0 busyout-threshold 12
no ip source-route
ip cef
no ip domain lookup
!
!
multilink bundle-name authenticated
vpdn enable
vpdn multihop
vpdn source-ip 195.18.85.193
vpdn search-order domain  
!
isdn switch-type primary-net5
isdn voice-call-failure 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username beheer secret <removed>
username asd-cap-dr03 password 7 110A1016141D
archive
 log config
  hidekeys
! 
!
!
!
controller E1 3/0
 framing NO-CRC4 
 pri-group timeslots 1-31
!
controller E1 3/1
 framing NO-CRC4 
 pri-group timeslots 1-31
!         
controller E1 3/2
 shutdown
 framing NO-CRC4 
 pri-group timeslots 1-31
!
controller E1 3/3
 framing NO-CRC4 
 pri-group timeslots 1-31
!
controller E1 3/4
 shutdown
 framing NO-CRC4 
 pri-group timeslots 1-31
!
controller E1 3/5
 shutdown
 framing NO-CRC4 
 pri-group timeslots 1-31
!
controller E1 3/6
 shutdown
 framing NO-CRC4 
 pri-group timeslots 1-31
!
controller E1 3/7
 shutdown
 framing NO-CRC4 
 pri-group timeslots 1-31
!
!
!
!
interface Loopback0
 description *** Management loopback ***
 ip address 10.8.7.1 255.255.255.255
 no ip mroute-cache
!
interface Loopback1
 description *** VPDN-Tunnel termination & Radius Source IP ***
 ip address 195.18.85.193 255.255.255.255
!
interface FastEthernet0/0
 description *** Trunk to: asd-cap-as04 - Gi1/0/28 ***
 no ip address
 duplex full
 speed 100
!
interface FastEthernet0/0.54
 description *** Radius LAN ***
 encapsulation dot1Q 54
 ip address 195.18.104.134 255.255.255.248
!
interface FastEthernet0/0.1503
 description *** VPDN VLAN ***
 encapsulation dot1Q 1503
 ip address 172.31.255.2 255.255.255.248
!
interface FastEthernet0/0.1504
 description *** Management VLAN ***
 encapsulation dot1Q 1504
 ip address 10.17.0.4 255.255.255.248
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial3/0
 no ip address
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial3/0:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/1:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/2:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/3:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/4:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/5:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/6:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no keepalive
 no fair-queue
 no cdp enable
!
interface Serial3/7:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no keepalive
 no fair-queue
 no cdp enable
!
interface Dialer1
 no ip address
 encapsulation ppp
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 43200
 dialer-group 1
 no peer default ip address
 no fair-queue
 no cdp enable
 ppp authentication chap callin
 ppp multilink bap
 ppp multilink fragment delay 500
 ppp timeout retry 1
!
interface Group-Async0
 no ip address
 encapsulation ppp
 ip tcp header-compression
 no ip mroute-cache
 async mode dedicated
 peer default ip address pool DIALUP
 ppp authentication pap chap callin
 ppp timeout retry 1
 group-range 1/00 2/107
!
ip forward-protocol nd
!
ip tacacs source-interface Loopback0
no ip http server
no ip http secure-server
!
!
ip radius source-interface Loopback1 
dialer-list 1 protocol ip permit
!
!
tacacs-server host <removed>
tacacs-server timeout 2
tacacs-server directed-request
tacacs-server key <removed>
!
radius-server host 195.18.104.132 auth-port 1812 acct-port 1813
radius-server host 195.18.104.138 auth-port 1812 acct-port 1813
radius-server deadtime 20
radius-server key <removed>
!
!
voice-port 3/0:D
!
voice-port 3/1:D
!
voice-port 3/2:D
!
voice-port 3/3:D
!
voice-port 3/4:D
!
voice-port 3/5:D
!
voice-port 3/6:D
!
voice-port 3/7:D
!
!
!
!
!
ss7 mtp2-variant Bellcore 0
ss7 mtp2-variant Bellcore 1
ss7 mtp2-variant Bellcore 2
ss7 mtp2-variant Bellcore 3
!
line con 0
 exec-timeout 60 0
 login authentication CONSOLE
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 60 
 access-class 1 in
 exec-timeout 60 0
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
line 1/00 2/107
 no motd-banner
 no exec-banner
 no flush-at-activation
 modem InOut
 autocommand  ppp negotiate
 transport input all
 autoselect during-login
 autoselect ppp
 autohangup
!
scheduler allocate 10000 400
end
-------------- next part --------------
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname asd-cap-dr03
!
boot-start-marker
boot system disk0:/c7200-jk9s-mz.123-20.bin
boot-end-marker
!
logging buffered 65535 debugging
enable secret <removed>
!
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
aaa authentication ppp PPP-ISDN local group radius
aaa authorization exec default local group tacacs+ 
aaa authorization commands 1 default group tacacs+ if-authenticated 
aaa authorization commands 15 default group tacacs+ if-authenticated 
aaa authorization network default group radius 
aaa authorization network PPP-ISDN group radius 
aaa accounting delay-start 
aaa session-id common
ip subnet-zero
ip flow-cache timeout active 1
!
!
ip tcp path-mtu-discovery
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
no ip ftp passive
no ip domain lookup
!
no ip bootp server
!
ip vrf test-klant
 rd 8608:140
 import map radius-import
 route-target export 8608:140
 route-target import 8608:140
 route-target import 8608:90
!
ip cef
virtual-profile virtual-template 2
vpdn enable
vpdn multihop
vpdn source-ip 195.18.85.3
vpdn search-order domain  
vpdn domain-delimiter / suffix
!
vpdn-group 1
 description *** VPDN-Tunnel from asd-tc3-ap01 & ap02 ***
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname AS5350-All
 l2tp tunnel password 7 030752180500
!
clns routing
no tag-switching ip propagate-ttl forwarded
tag-switching tdp router-id Loopback0
!
!
!
!
!
!
!
!
!
!
!
!
username beheer secret <removed>
username asd-tc3-ap01 password 7 121A0C041104
username AS5350-All password 7 00071A150754
!
! 
!         
!
!
!
interface Loopback0
 description *** management & routing loopback ***
 ip address 10.8.1.6 255.255.255.255
!
interface Loopback1
 description *** VPDN-Tunnel termination & Radius Source IP ***
 ip address 195.18.85.3 255.255.255.255
!
interface Loopback1132
 description *** Customer Loopback ***
 ip vrf forwarding test-klant
 ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
 description *** To asd-cap-as01-gi1-0-5 [10.10.3.1] (jja:10/08/2010) ***
 ip address 10.10.3.3 255.255.255.0
 ip router isis 
 load-interval 30
 duplex full
 mpls label protocol ldp
 tag-switching mtu 1536
 tag-switching ip
 isis circuit-type level-1
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet3/0
 description *** To asd-cap-as02-gi1-0-5 [10.10.4.4] (mbu:05/07/2010) ***
 ip address 10.10.4.1 255.255.255.0
 ip router isis 
 load-interval 30
 duplex full
 mpls label protocol ldp
 tag-switching mtu 1536
 tag-switching ip
 isis circuit-type level-1
!
interface FastEthernet4/0
 description *** To asd-cap-as04-gi1-0-6 (mbu:09/07/2010) ***
 no ip address
 duplex full
!
interface FastEthernet4/0.54
 description *** To Radius-LAN ***
 encapsulation dot1Q 54
 ip address 195.18.104.133 255.255.255.248
!
interface FastEthernet4/0.1503
 description *** VPDN Tunnel Terminatie ***
 encapsulation dot1Q 1503
 ip address 172.31.255.1 255.255.255.248
!
interface Virtual-Template2
 description *** Test with Radius-Auth. ***
 ip unnumbered Loopback1
 ip tcp header-compression iphc-format
 mpls label protocol ldp
 tag-switching ip
 no peer default ip address
 ppp authentication chap
 ppp multilink
 ppp multilink fragment delay 17
 ppp multilink interleave
 ppp multilink multiclass
 ip rtp header-compression iphc-format
!
router isis 
 net 49.21a0.0001.0100.0800.1006.00
 is-type level-1
 metric-style wide
 max-lsp-lifetime 65535
 no hello padding
 log-adjacency-changes all
 redistribute connected route-map REDIST_CONNECTED_TO_ISIS level-1
 redistribute static ip route-map REDIST_STATIC_TO_ISIS level-1
 passive-interface Loopback0
!
router bgp 8608
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor VPNv4-RR peer-group
 neighbor VPNv4-RR remote-as 8608
 neighbor VPNv4-RR update-source Loopback0
 neighbor 10.8.0.15 peer-group VPNv4-RR
 neighbor 10.8.1.11 peer-group VPNv4-RR
 neighbor 10.8.2.11 peer-group VPNv4-RR
 !
 address-family ipv4
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 bgp dampening 1
 exit-address-family
 !
 address-family vpnv4
 neighbor VPNv4-RR send-community extended
 neighbor 10.8.0.15 activate
 neighbor 10.8.1.11 activate
 neighbor 10.8.2.11 activate
 bgp dampening 1
 exit-address-family
 !
 address-family ipv4 vrf test-klant
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 bgp dampening 1
 exit-address-family
!
ip classless
ip route 195.18.85.193 255.255.255.255 172.31.255.2
no ip http server
no ip http secure-server
ip tacacs source-interface Loopback0
!         
ip extcommunity-list 1 permit rt 8608:1
ip extcommunity-list 2 permit rt 8608:90
ip bgp-community new-format
!
!
ip prefix-list DENY_DEFAULT_ONLY seq 10 deny 0.0.0.0/0
ip prefix-list DENY_DEFAULT_ONLY seq 20 permit 0.0.0.0/0 le 32
!
ip prefix-list PERMIT_DEFAULT_ONLY seq 10 permit 0.0.0.0/0
ip prefix-list PERMIT_DEFAULT_ONLY seq 65000 deny 0.0.0.0/0 le 32
!
ip prefix-list REDIST_CONNECTED_TO_ISIS seq 10 permit 10.8.1.6/32
ip prefix-list REDIST_CONNECTED_TO_ISIS seq 65000 deny 0.0.0.0/0 le 32
!
ip prefix-list REDIST_STATIC_TO_ISIS seq 65000 deny 0.0.0.0/0 le 32
!
ip access-list standard mplsvpn-beheer-routes
 <removed>
ip access-list standard radius-routes
 permit 195.18.104.128 0.0.0.7
ip radius source-interface Loopback1 
!
route-map REDIST_CONNECTED_TO_ISIS permit 10
 match ip address prefix-list REDIST_CONNECTED_TO_ISIS
!
route-map radius-import permit 10
 match ip address radius-routes
 match extcommunity 2
!
route-map REDIST_STATIC_TO_ISIS permit 10
 match ip address prefix-list REDIST_STATIC_TO_ISIS
!
route-map PERMIT_DEFAULT_ONLY permit 10
 match ip address prefix-list PERMIT_DEFAULT_ONLY
!
route-map DENY_DEFAULT_ONLY deny 10
 match ip address prefix-list DENY_DEFAULT_ONLY
!
route-map mplsvpn-beheer-import permit 10
 match ip address mplsvpn-beheer-routes
 match extcommunity 1
!
route-map mplsvpn-beheer-import deny 20
 match extcommunity 1
!
route-map mplsvpn-beheer-import permit 30
!
tacacs-server host <removed>
tacacs-server timeout 2
tacacs-server directed-request
tacacs-server key <removed>
!
radius-server host 195.18.104.132 auth-port 1812 acct-port 1813
radius-server deadtime 20
radius-server key 7 021201481F0D0A38
!
!
!
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 60 0
 login authentication CONSOLE
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 60 
 access-class 1 in
 exec-timeout 60 0
 transport input ssh
 transport output telnet ssh
!
-------------- next part --------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
!
hostname alr-xbn-oob01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16384
enable secret <removed>
!
aaa new-model
!
!         
aaa authentication login default local group tacacs+
aaa authentication login CONSOLE local
aaa authentication login ADMIN group tacacs+ local
aaa authentication ppp default local
aaa authorization exec default local group tacacs+ 
aaa accounting commands 1 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting network default
 action-type start-stop
 group tacacs+
!
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
!         
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
isdn switch-type basic-net3
isdn tei-negotiation first-call
!
!
username beheer <removed>
username asd-cap-dr03 password 7 09584B1A0D
! 
!
!
archive
 log config
  hidekeys
!
!
ip tftp source-interface Loopback0
!
!
!
interface Loopback0
 description *** Management Loopback ***
 ip address 1.1.1.1 255.255.255.255
!         
interface Loopback100
 ip address 192.168.2.1 255.255.255.255
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/35 
  oam-pvc manage 5
  encapsulation aal5snap
  protocol ppp Virtual-Template1
 !
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
 isdn send-alerting
 isdn reject voice
 isdn reject vod
 isdn reject v120
 isdn reject v110
 isdn reject piafs
 no cdp enable
 ppp authentication chap
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!         
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp multilink
!
interface Vlan1
 no ip address
!
interface Dialer10
 ip unnumbered Loopback100
 encapsulation ppp
 dialer pool 1
 dialer string 0207300300
 dialer-group 10
 no cdp enable
 ppp chap hostname test-klant at backup.nl
 ppp chap password 7 03105E1812
 ppp multilink
 ppp multilink load-threshold 200 outbound
!
ip forward-protocol nd
ip route 192.168.1.1 255.255.255.255 Dialer10
no ip http server
no ip http secure-server
!
!
ip tacacs source-interface Loopback0
!
dialer-list 10 protocol ip permit
no cdp run
!


More information about the cisco-nas mailing list