[c-nsp] Radius & vrf attributes
Jon Lewis
jlewis at lewis.org
Mon Dec 6 12:18:43 EST 2004
We do plenty of this. Here's an actual working entry from our radius
config with just a bit of obfuscation to anonymize the entry (username,
framed-IP, and vrfname replaced).

someusername    Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address= a.b.c.d,
        Framed-IP-Netmask= 255.255.255.255,
        Framed-MTU = 1500,
        Idle-Timeout = 0,
        Session-Timeout = 0,
        Port-Limit = 1,
        cisco-avpair = "lcp:interface-config#1=ip vrf forwarding somevrf\nip unnumbered lo1023",
        cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 a.b.c.d 1"

lo1023 is the loopback interface in vrf somevrf. We typically put a
loopback interface on each PE router in each vrf for which that router is
a PE.
On Mon, 6 Dec 2004, M.Palis wrote:
> It is not working. It is very strange actually. Radius accepts the command
> and it starts normally but IP route does not show in the vrf routing table
> of the router.
>
> Are you using the command?
> ----- Original Message -----
> From: "Dennis Peng" <dpeng at cisco.com>
> To: "M.Palis" <security at cytanet.com.cy>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Friday, December 03, 2004 6:39 PM
> Subject: Re: [c-nsp] Radius & vrf attributes
>
>
> > M.Palis [security at cytanet.com.cy] wrote:
> > > Hello all..
> > >
> > > I am trying to configure Radius to send ip route /vrf to the user as below.
> > >
> > > Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> >                           ^ ^
> >                           | |
> >                           +-+--- remove these spaces.
> >
> > And try again please.
> >
> > Dennis
> >
> > > Radius accepts the above but when I do show ip route on the router, it seems
> > > that the route is not inserted in the routing table. Any help will be
> > > appreciated. Below is the radius config for the users
> > >
> > >
> > >
> > > test Auth-Type := MS-CHAP, Password == "!test"
> > > Service-Type = Framed-User,
> > > Framed-Protocol = PPP,
> > > Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n peer default ip address pool test \n ip unnumbered loopback3",
> > >
> > > Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
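
A check for the spacing Dennis Peng points out in the quoted reply, as an added example that is not part of the original thread. It assumes AV-pairs follow the `protocol:attribute=value` layout (with `*` as the optional-attribute separator); `lint_avpairs` is a hypothetical helper, and the sample entries are constructed from the two entries in the thread, with 192.0.2.1 standing in for the anonymized address.

```python
import re

# cisco-avpair attribute in a users file, any capitalisation, operator =, :=, += or ==
AVPAIR_LINE = re.compile(r'cisco-avpair\s*[:+=]?=\s*"(?P<val>[^"]*)"', re.IGNORECASE)
# Assumed AV-pair layout: protocol ":" attribute ("=" mandatory | "*" optional) value
AVPAIR = re.compile(r'^(?P<proto>[A-Za-z0-9_-]+):(?P<attr>[^=*]*?)(?P<sep>[=*])(?P<value>.*)$')

def lint_avpairs(users_text):
    """Return (line_no, avpair, problem) tuples for AV-pairs with spacing problems."""
    findings = []
    for line_no, line in enumerate(users_text.splitlines(), start=1):
        m = AVPAIR_LINE.search(line)
        if not m:
            continue                      # not a cisco-avpair line
        raw = m.group("val")
        parsed = AVPAIR.match(raw)
        if not parsed:
            findings.append((line_no, raw, "not in protocol:attribute=value form"))
            continue
        # "ip:route = vrf ..." parses as attr "route " and value " vrf ..."
        if parsed["attr"] != parsed["attr"].rstrip():
            findings.append((line_no, raw, "whitespace before separator"))
        if parsed["value"] != parsed["value"].lstrip():
            findings.append((line_no, raw, "whitespace after separator"))
    return findings

# Constructed sample: the entry from the question followed by the working entry.
SAMPLE = r'''test  Auth-Type := MS-CHAP
    Service-Type = Framed-User,
    Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n ip unnumbered loopback3",
    Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
someusername  Auth-Type = System
    cisco-avpair = "lcp:interface-config#1=ip vrf forwarding somevrf\nip unnumbered lo1023",
    cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 192.0.2.1 1"
'''

if __name__ == "__main__":
    for line_no, avpair, problem in lint_avpairs(SAMPLE):
        print(f"line {line_no}: {problem}: {avpair}")
```

Only the spacing around the separator is checked; whether the router installs the route also depends on the rest of the entry and the router configuration.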