[c-nsp] Radius & vrf attributes

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Mon Dec 6 02:52:25 EST 2004



> It is not working. It is very strange actually. Radius accepts the
> command and it starts normally but IP route does not show in the vrf
> routing table of the router.

Is the next-hop 10.10.1.254 reachable in the vrf? Do you see any errors
installing the route ("debug aaa per-user" and "debug aaa
authorization")?
What are you trying to achieve? Point a static default route to the user
"dialing" in? This can also be achieved by adding 'Framed-Route =
"0.0.0.0 0.0.0.0" ', framed-route is vrf-aware, and if you omit the
next-hop, we'll automatically use the peer address.

	oli


> ----- Original Message -----
> From: "Dennis Peng" <dpeng at cisco.com>
> To: "M.Palis" <security at cytanet.com.cy>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Friday, December 03, 2004 6:39 PM
> Subject: Re: [c-nsp] Radius & vrf attributes
> 
> 
>> M.Palis [security at cytanet.com.cy] wrote:
>>> Hello all..
>>> 
>>>  I am trying to configure Radius to send ip route /vrf to the user
>>> as below. 
>>> 
>>> Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
>>                           ^ ^
>>                           | |
>>                           +-+--- remove these spaces.
>> 
>> And try again please.
>> 
>> Dennis
>> 
>>> Radius accepts the above but when I do show ip route on the router,
>>> it seems that the route is not inserted in the routing table. Any
>>> help will be appreciated. Below is the radius config for the users
>>> 
>>> 
>>> 
>>> test Auth-Type := MS-CHAP, Password == "!test"
>>>         Service-Type = Framed-User,
>>>         Framed-Protocol = PPP,
>>>         Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test
>>> \n peer default ip address pool test \n ip unnumbered loopback3",
>>> 
>>>     Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
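
An added example, not part of the thread or of any Cisco or RADIUS server code: a small Python lint that scans a users file for Cisco-AVPair strings with whitespace around the `:` or the `=`/`*` separator, the spacing Dennis Peng's reply marks for removal, and prints the form with the spaces removed. The function name, the regexes, and the sample (the entry from the thread with its wrapped line rejoined) are constructed for illustration.

```python
import re

# Constructed sample: the users-file entry quoted in the thread, with the
# e-mail-wrapped interface-config line rejoined onto one line.
SAMPLE_USERS = '''\
test Auth-Type := MS-CHAP, Password == "!test"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \\n peer default ip address pool test \\n ip unnumbered loopback3",
        Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
'''

# Reply item of the form: Cisco-AVPair = "<string>" (name matched case-insensitively).
AVPAIR_RE = re.compile(r'Cisco-AVPair\s*[:+]?=\s*"([^"]*)"', re.IGNORECASE)
# AV-pair body: protocol:attribute<sep>value; sep is '=' (mandatory) or '*' (optional).
BODY_RE = re.compile(
    r'^(\s*)([\w-]+)(\s*):(\s*)([\w-]+)(\s*)([=*])(\s*)(.*)$', re.DOTALL)


def lint_avpairs(users_text):
    """Return (line_no, original, normalized) for each AV-pair that has stray
    whitespace around ':' or the separator; normalized is None if the string
    does not parse as protocol:attribute<sep>value at all."""
    findings = []
    for line_no, line in enumerate(users_text.splitlines(), start=1):
        for m in AVPAIR_RE.finditer(line):
            value = m.group(1)
            body = BODY_RE.match(value)
            if body is None:
                findings.append((line_no, value, None))
                continue
            lead, proto, s1, s2, attr, s3, sep, s4, rest = body.groups()
            if lead or s1 or s2 or s3 or s4:
                # Spaces inside the value part (after the separator) are kept.
                findings.append((line_no, value, f"{proto}:{attr}{sep}{rest}"))
    return findings


if __name__ == "__main__":
    for line_no, bad, fixed in lint_avpairs(SAMPLE_USERS):
        print(f"line {line_no}: {bad!r} -> {fixed!r}")
```

The lint only checks the spacing of the AV-pair string; whether the route is actually installed still has to be confirmed on the router with the debugs named in the reply.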
