[c-nsp] PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c)

Dean Penton PENTONDM at gov.ns.ca
Wed Dec 21 07:12:03 EST 2005


You need to debug the RADIUS server. When you were testing you said you
tested from the 7206 and it was OK, but from whatever computer you are
trying it could be a PAP/CHAP issue with the PPPoE client. I have seen
this occur; it's not a BUG, it is usually a configuration issue.

Dean


>>> cisco-nsp-request at puck.nether.net 12/21/2005 1:49:27 AM >>>


Today's Topics:

   1. PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c) (Stephen Fulton)
   2. RE: %BGP-3-NOTIFICATION: received from neighbor 10.1.2.3
      6/6(cease) (Harold Ritter (hritter))
   3. control plane policing feature (Francisco Rivas)
   4. Re: PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c) (gk at ax.tc)
   5. I will be out next three days. Vac. (Hansra, Surinder
(Surinder))
   6. Re: PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c)
      (Stephen Fulton)
   7. VLAN Trunking between floors (Jeff Oliver)
   8. Re: MLPPP in Cisco IOS 12.18(22)SXF (Atiqur Rahman Mohammed)


----------------------------------------------------------------------

Message: 1
Date: Tue, 20 Dec 2005 12:35:21 -0500
From: Stephen Fulton <cisco-nsp at lists.esoteric.ca>
Subject: [c-nsp] PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c)
To: cisco-nsp at puck.nether.net 
Message-ID: <43A840D9.6000602 at lists.esoteric.ca>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi all,

I'm having a lot of difficulty getting PPPoE/RADIUS behaving properly.

Any PPPoE session that uses RADIUS for authentication fails, but I can
authenticate 7206 logins against RADIUS properly.  I believe the
configuration is fine, but at this point I'm not sure.  Perhaps it's a
bug in that version of the IOS, I don't know.

I've included the output from "debug radius verbose" below (with some
ppp/pppoe debugging for good measure), as well as the configuration I'm
using.

** Debugging output

Dec 20 17:02:06.035: PPPoE 0: I PADI  R:0000.24c4.ffc5 L:ffff.ffff.ffff Fa1/0
Dec 20 17:02:06.035: PPPoE 0: O PADO, R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
Dec 20 17:02:06.319: PPPoE 0: I PADR  R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
Dec 20 17:02:06.319: PPPoE : encap string prepared
Dec 20 17:02:06.319: [15]PPPoE 15: Access IE handle allocated
Dec 20 17:02:06.319: [15]PPPoE 15: pppoe SSS switch updated
Dec 20 17:02:06.319: [15]PPPoE 15: AAA get retrieved attrs
Dec 20 17:02:06.319: [15]PPPoE 15: AAA get nas port details
Dec 20 17:02:06.319: AAA/BIND(00000011): Bind i/f Virtual-Template1
Dec 20 17:02:06.319: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:06.319: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:06.323: [15]PPPoE 15: AAA unique ID allocated
Dec 20 17:02:06.323: [15]PPPoE 15: AAA method list  set
Dec 20 17:02:06.323: [15]PPPoE 15: Service request sent to SSS
Dec 20 17:02:06.323: [15]PPPoE 15: Created  R:0010.54d8.141c L:0000.24c4.ffc5 Fa1/0
Dec 20 17:02:06.323: [15]PPPoE 15: State REQ_NASPORT    Event MORE_KEYS
Dec 20 17:02:06.323: [15]PPPoE 15: O PADS  R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
Dec 20 17:02:06.323:  EVT: Dynamic Bind 0 0x63E05AA4
Dec 20 17:02:06.323: ppp15 PPP: Create Context 636738A4
Dec 20 17:02:06.323: ppp15 PPP: Bind SSS Dynamic
Dec 20 17:02:06.323: ppp15 PPP: Send Message[Dynamic Bind Response]
Dec 20 17:02:06.323: ppp15 EVT: Bound 4 0x00000000
Dec 20 17:02:06.323: ppp15 PPP: Using default call direction
Dec 20 17:02:06.323: ppp15 PPP: Treating connection as a dedicated line
Dec 20 17:02:06.323: ppp15 PPP: Authorization required
Dec 20 17:02:06.323: [15]PPPoE 15: State START_PPP    Event DYN_BIND
Dec 20 17:02:06.323: [15]PPPoE 15: data path set to PPP
Dec 20 17:02:07.379: ppp15 EVT: Packet 0 0x631921F0
Dec 20 17:02:07.439: ppp15 EVT: Packet 0 0x6365823C
Dec 20 17:02:07.499: ppp15 EVT: Packet 0 0x63659424
Dec 20 17:02:07.499: AAA/AUTHEN/PPP (00000011): Pick method list 'default'
Dec 20 17:02:07.499: RADIUS/ENCODE(00000011): check username/password; FAIL
Dec 20 17:02:07.499: RADIUS/ENCODE(00000011): send packet; FAIL
Dec 20 17:02:07.499: ppp15 EVT: AAA Response 0 0x63B97068
Dec 20 17:02:07.499: ppp15 EVT: Soft Disc 0 0x00000000
Dec 20 17:02:07.499: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:07.499: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:07.499: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:07.503: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:07.559: ppp15 EVT: Packet 0 0x63657F40
Dec 20 17:02:07.559: ppp15 LQR: LCP not open, discarding packet
Dec 20 17:02:07.587: ppp15 EVT: Auth Packet 0 0x631948BC
Dec 20 17:02:07.587: ppp15 PAP: LCP not open, discarding packet
Dec 20 17:02:07.607: ppp15 EVT: Packet 0 0x6365764C
Dec 20 17:02:07.611: ppp15 PPP: Send Message[Disconnect]
Dec 20 17:02:07.611: ppp15 EVT: Free PPP 0 0x00000000
Dec 20 17:02:07.611: [15]PPPoE 15: State LCP_NEGO    Event PPP_DISCNCT
Dec 20 17:02:07.611: [15]PPPoE 15: O PADT  R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
Dec 20 17:02:07.611: [15]PPPoE 15: Destroying  R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
Dec 20 17:02:07.611: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:07.611: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:07.611: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:07.611: [15]PPPoE 15: AAA get dynamic attrs
Dec 20 17:02:07.611: [15]PPPoE 15: AAA account stopped
Dec 20 17:02:07.687: PPPoE 15: I PADT  R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0



** The configuration (IP's redacted)

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname nc-frt-bas1
!
boot-start-marker
boot bootstrap disk0:/c7200-boot-mz.120-22.bin
boot system disk0:/c7200-is-mz.123-9c.bin
boot-end-marker
!
logging buffered 65536 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update periodic 240
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
no ip domain lookup
ip domain name pppoe.rtr
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
  accept-dialin
   protocol pppoe
   virtual-template 1
  pppoe limit max-sessions 1000
!
interface Loopback1
  description IP Range lockdown for pppoe assignments
  ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface FastEthernet0/0
  ip address xxx.xxx.xxx.xxx 255.255.255.240
  no ip mroute-cache
  duplex full
  media-type mii
!
interface FastEthernet1/0
  no ip address
  no ip route-cache cef
  no ip route-cache
  no ip mroute-cache
  duplex full
  pppoe enable
  no cdp enable
!
interface Ethernet4/0
  no ip address
  duplex half
!
interface Ethernet4/1
  no ip address
  duplex half
!
interface Ethernet4/2
  no ip address
  duplex half
!
interface Ethernet4/3
  no ip address
  duplex half
!
interface Virtual-Template1
  ip unnumbered Loopback1
  ip tcp adjust-mss 1420
  ip mroute-cache
  no peer default ip address
  ppp mtu adaptive
  ppp authentication pap
  ppp multilink
!
router ospf 1000
  log-adjacency-changes
  redistribute connected subnets
  network xxx.xxx.xxx.xxx 0.0.0.15 area 0
!
ip local pool ppp-pool1 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip classless
no ip http server
!
!
!
!
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key radiuspassword
radius-server vsa send accounting
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
  shutdown
!
end
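The capture above reaches "RADIUS/ENCODE: check username/password; FAIL" and "send packet; FAIL" with no "Send Access-Request" line in between, which indicates the router never put a RADIUS packet on the wire, so the server's logs will show nothing for this session. As an added example (not part of the original post), the following Python walks such a debug capture and separates that NAS-local failure from a server-side Access-Reject; both capture strings are constructed, and the Access-Request/Access-Reject line shapes are assumed from typical IOS "debug radius" output.

```python
import re

# Constructed excerpt modelled on the "debug radius verbose"/PPP capture in the
# post above (shortened, not the original lines verbatim).
CAPTURE_NO_REQUEST = """\
Dec 20 17:02:06.035: PPPoE 0: I PADI  R:0000.24c4.ffc5 L:ffff.ffff.ffff Fa1/0
Dec 20 17:02:06.035: PPPoE 0: O PADO, R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
Dec 20 17:02:06.319: PPPoE 0: I PADR  R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
Dec 20 17:02:06.323: [15]PPPoE 15: O PADS  R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
Dec 20 17:02:07.499: AAA/AUTHEN/PPP (00000011): Pick method list 'default'
Dec 20 17:02:07.499: RADIUS/ENCODE(00000011): check username/password; FAIL
Dec 20 17:02:07.499: RADIUS/ENCODE(00000011): send packet; FAIL
Dec 20 17:02:07.587: ppp15 PAP: LCP not open, discarding packet
Dec 20 17:02:07.611: [15]PPPoE 15: O PADT  R:0000.24c4.ffc5 L:0010.54d8.141c Fa1/0
"""

# Constructed contrast case: an Access-Request did go out and the server answered
# Access-Reject. These two line shapes are assumed from typical IOS output.
CAPTURE_REJECT = """\
Dec 20 17:10:01.001: AAA/AUTHEN/PPP (00000012): Pick method list 'default'
Dec 20 17:10:01.002: RADIUS(00000012): Send Access-Request to 192.0.2.10:1812 id 1645/3, len 88
Dec 20 17:10:01.040: RADIUS: Received from id 1645/3 192.0.2.10:1812, Access-Reject, len 20
Dec 20 17:10:01.041: [16]PPPoE 16: O PADT  R:0000.24c4.ffc6 L:0010.54d8.141c Fa1/0
"""

MARKERS = {
    "discovery_done": re.compile(r"PPPoE \d+: O PADS"),
    "aaa_started":    re.compile(r"AAA/AUTHEN/PPP \(\w+\): Pick method list"),
    "encode_failed":  re.compile(r"RADIUS/ENCODE\(\w+\): check username/password; FAIL"),
    "request_sent":   re.compile(r"RADIUS\(\w+\): Send Access-Request to (\S+)"),
    "reject":         re.compile(r"RADIUS: Received from id \S+ \S+, Access-Reject"),
    "accept":         re.compile(r"RADIUS: Received from id \S+ \S+, Access-Accept"),
    "lcp_not_open":   re.compile(r"PAP: LCP not open, discarding packet"),
    "padt_sent":      re.compile(r"PPPoE \d+: O PADT"),
}

def triage(capture: str) -> dict:
    """Walk the debug lines and record which stages of the session were reached."""
    seen = {name: False for name in MARKERS}
    for line in capture.splitlines():
        for name, rx in MARKERS.items():
            if rx.search(line):
                seen[name] = True
    return seen

def verdict(seen: dict) -> str:
    """Turn the stage flags into the question the operator should ask next."""
    if seen["encode_failed"] and not seen["request_sent"]:
        # The NAS refused to build the packet: no Access-Request left the router,
        # so look at the PPP/PAP exchange and the NAS AAA config, not the server.
        return "nas-local: no Access-Request sent"
    if seen["request_sent"] and seen["reject"]:
        return "server-reject: Access-Request sent, server said Access-Reject"
    if seen["request_sent"] and not (seen["reject"] or seen["accept"]):
        return "no-response: Access-Request sent, no reply (shared key / reachability)"
    if seen["accept"]:
        return "accepted"
    return "inconclusive"
```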




------------------------------

Message: 2
Date: Tue, 20 Dec 2005 13:13:10 -0500
From: "Harold Ritter \(hritter\)" <hritter at cisco.com>
Subject: RE: [c-nsp] %BGP-3-NOTIFICATION: received from neighbor
	10.1.2.3	6/6(cease)
To: "Dave Mifsud" <dave.mifsud at um.edu.mt>, <cisco-nsp at puck.nether.net>
Message-ID:
	<F4469404D9886545AD22355D96D8620FE3A751 at xmb-rtp-20a.amer.cisco.com>
Content-Type: text/plain;	charset="us-ascii"

Dave,

This is due to the neighbor explicitly resetting the session according
to draft ietf-idr-cease-subcode.

http://www.ietf.org/internet-drafts/draft-ietf-idr-cease-subcode-06.txt


Subcode 6 is described as "Other Configuration Change". You should check
with the other vendor why they are resetting the session with that
subcode.

Harold,

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net 
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dave Mifsud
Sent: Monday, December 19, 2005 10:15 AM
To: cisco-nsp at puck.nether.net 
Subject: [c-nsp] %BGP-3-NOTIFICATION: received from neighbor 10.1.2.3
6/6(cease)

Hi all,

We have just changed one of our links to a new router, with IOS
12.2(17r)S2.

I am getting frequent BGP "resets" in the logs, such as the excerpt
below.

Would anyone know the reason for this?

Thanks in advance,

Dave

.Dec 19 15:43:45 CET: %BGP-3-NOTIFICATION: received from neighbor 10.1.2.3 6/6 (cease) 0 bytes
.Dec 19 15:43:45 CET: %BGP-5-ADJCHANGE: neighbor 10.1.2.3 vpn vrf inet Down BGP Notification received
.Dec 19 15:43:47 CET: %BGP-5-ADJCHANGE: neighbor 10.1.2.3 vpn vrf inet Up
.Dec 19 15:45:44 CET: %BGP-3-NOTIFICATION: received from neighbor 62.40.103.157 6/6 (cease) 0 bytes
.Dec 19 15:45:44 CET: %BGP-5-ADJCHANGE: neighbor 10.1.2.3 vpn vrf inet Down BGP Notification received
.Dec 19 15:45:47 CET: %BGP-5-ADJCHANGE: neighbor 10.1.2.3 vpn vrf inet Up
.Dec 19 15:48:19 CET: %BGP-5-ADJCHANGE: neighbor 10.1.2.3 vpn vrf inet Down Peer closed the session
.Dec 19 15:48:21 CET: %BGP-5-ADJCHANGE: neighbor 10.1.2.3 vpn vrf inet Up

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp 
archive at http://puck.nether.net/pipermail/cisco-nsp/ 



------------------------------

Message: 3
Date: Tue, 20 Dec 2005 15:23:47 -0300
From: Francisco Rivas <frivas at lanparty.cl>
Subject: [c-nsp] control plane policing feature
To: cisco-nsp at puck.nether.net
Message-ID: <1135103027.17569.36.camel at atlas.ifxnw.cl>
Content-Type: text/plain

Hi all,

I'm testing the control plane policing on a Cisco 7206
(http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html)
and I've found certain things that don't fit, and I hope that someone
here can give me a hand. In the URL, there is an example that shows
how to configure a couple of trusted networks to reach the router thru
ICMP, and all the remaining ICMP traffic should be dropped. The example
goes like this:

! Allow 3.3.3.0 trusted network traffic.
Router(config)# access-list 141 deny icmp host 3.3.3.0 0.0.0.255 any port-unreachable
! Allow 4.4.4.0 trusted network traffic.
Router(config)# access-list 141 deny icmp host 4.4.4.0 0.0.0.255 any port-unreachable
! Rate limit all other ICMP traffic.
Router(config)# access-list 141 permit icmp any any port-unreachable
Router(config)# class-map icmp-class
Router(config-cmap)# match access-group 141
Router(config-cmap)# exit
Router(config)# policy-map control-plane-out-policy
! Drop all traffic that matches the class "icmp-class."
Router(config-pmap)# class icmp-class
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# control-plane
! Define aggregate control plane service for the active route processor.
Router(config-cp)# service-policy output control-plane-policy
Router(config-cp)# exit


First of all, I've tried some IOS versions, and the only one that I've
found with the "drop" feature inside the class (in this case, "class
icmp-class") is 12.4(3b) (service provider). I've tried 12.0(31)S2,
12.2(25)S7 and 12.3(14)T5, and they didn't have the "drop" command. I'm
running 12.2(18)S4 on a 7206vxr with NPE-G1, and I want to stay on the
12.2 train for now (by the way, 12.2(18)S4 is giving me some memory
issues right now.. soon I'll write another mail about that). Is the
"drop" command exclusive to the 12.4 train???

Another thing: in the example, they want to ALLOW the ICMP traffic from
both networks, so why are they DENIED in the config???? (access-list 141
deny icmp ...)
I've tried this exact example (changing the IP addresses only), and
obviously it didn't work. I've reversed the access-list (permit for
the networks, then DENY any), and it worked as I expected. Is this a
bug in the example, or did something change in the 12.4 train??

And, lastly, does anyone have real-world experience with this control
plane policing feature?? Does it work as expected???? Any word about
this will be very appreciated :)

Thanks a lot for your help!!!


Regards,


-- 
Francisco Rivas Catalan
Senior Network Engineer
IFX Networks
(56) 2 3744574
francisco.rivas at ifxnw.cl 
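In MQC, an ACL referenced by "match access-group" is a classifier, not a filter: a permit entry puts the packet into the class, a deny entry (or the implicit deny at the end) keeps it out, and the policy action ("drop" here) applies only to class members. The following Python, added here and not taken from the post or the Cisco guide, models that rule for both ACL orderings discussed above, reduced to ICMP source matching and evaluated against constructed source addresses.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Ace(NamedTuple):
    action: str   # "permit" or "deny"
    source: str   # source network in CIDR form

# The guide's ordering: trusted networks denied, everything else permitted.
ACL_DOCUMENTED = [
    Ace("deny", "3.3.3.0/24"),
    Ace("deny", "4.4.4.0/24"),
    Ace("permit", "0.0.0.0/0"),
]
# The reversed ordering tried in the post: trusted permitted, everything else denied.
ACL_REVERSED = [
    Ace("permit", "3.3.3.0/24"),
    Ace("permit", "4.4.4.0/24"),
    Ace("deny", "0.0.0.0/0"),
]

def acl_matches(acl, src: str) -> bool:
    """First-match ACL evaluation used as a classifier: permit means the packet
    is IN the class, deny (or the implicit deny at the end) means it is NOT.
    Nothing is dropped here; the ACL only decides class membership."""
    ip = ip_address(src)
    for ace in acl:
        if ip in ip_network(ace.source):
            return ace.action == "permit"
    return False

def control_plane_verdict(acl, src: str) -> str:
    """policy-map: 'class icmp-class' -> 'drop'. The drop applies only to packets
    the classifier placed in the class; everything else falls to class-default
    and reaches the route processor untouched."""
    return "drop" if acl_matches(acl, src) else "forward"

def evaluate(acl, sources):
    """Verdict per source address for one ACL ordering."""
    return {src: control_plane_verdict(acl, src) for src in sources}

# Constructed sample sources: two from the trusted ranges, one outsider.
SAMPLE_SOURCES = ["3.3.3.7", "4.4.4.200", "198.51.100.9"]

if __name__ == "__main__":
    for name, acl in (("documented", ACL_DOCUMENTED), ("reversed", ACL_REVERSED)):
        print(name, evaluate(acl, SAMPLE_SOURCES))
```

With the drop action, the guide's ordering forwards the trusted sources and drops the outsider; the reversed ordering does the opposite.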




------------------------------

Message: 4
Date: Tue, 20 Dec 2005 21:22:30 +0100
From: gk at ax.tc 
Subject: Re: [c-nsp] PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c)
To: cisco-nsp at puck.nether.net 
Message-ID: <200512202122.31196.gk at ax.tc>
Content-Type: text/plain;  charset="iso-8859-1"

Hi,

you have referenced the AAA server group called 'radius**'...

> aaa authentication ppp default group radius**
> aaa authorization network default group radius**

...but I miss the definition of that group in your config. Your 
"radius-server" configurations in the end of the config will not be 
used automagically. Try adding something like this:

!
aaa group server radius* radius**
 server x.x.x.x ...
 server y.y.y.y ...
 ...
!

*)  type
**) your group name ;-)


 -Gerald


------------------------------

Message: 5
Date: Tue, 20 Dec 2005 13:00:15 -0800
From: "Hansra, Surinder (Surinder)" <shansra at lucent.com>
Subject: [c-nsp] I will be out next three days. Vac.
To: "Cisco user group (E-mail)" <cisco-nsp at puck.nether.net>
Message-ID:
	<4B0AF7152DB2544797101DF15EC58EE90489816E at ca8524exch001u.sv.lucent.com>
	
Content-Type: text/plain;	charset="iso-8859-1"

I will be out next three days. Will be back Monday.


------------------------------

Message: 6
Date: Tue, 20 Dec 2005 17:14:47 -0500
From: Stephen Fulton <cisco-nsp at lists.esoteric.ca>
Subject: Re: [c-nsp] PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c)
To: cisco-nsp at puck.nether.net 
Message-ID: <43A88257.9090607 at lists.esoteric.ca>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

gk at ax.tc wrote:

Thanks for pointing that out Gerald, I had removed it from the config in
a previous attempt.  FWIW, I did add it again, but the result is still
the same.  I will continue to persevere!

-- Stephen



> Hi,
> 
> you have referenced the AAA server group called 'radius**'...
> 
>> aaa authentication ppp default group radius**
>> aaa authorization network default group radius**
> 
> ...but I miss the definition of that group in your config. Your 
> "radius-server" configurations in the end of the config will not be 
> used automagically. Try adding something like this:
> 
> !
> aaa group server radius* radius**
>  server x.x.x.x ...
>  server y.y.y.y ...
>  ...
> !
> 
> *)  type
> **) your group name ;-)
> 
> 
>  -Gerald



------------------------------

Message: 7
Date: Tue, 20 Dec 2005 18:02:48 -0800
From: Jeff Oliver <angryflower at gmail.com>
Subject: [c-nsp] VLAN Trunking between floors
To: cisco-nsp at puck.nether.net 
Message-ID:
	<5d334a2d0512201802v3e9b9741t5b50848c4949f4c8 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

We are wondering how everyone might go about tackling this issue:

We have an Extreme 6808 switch currently handling all our traffic,
connected thru fibre to the ISP in their datacenter.  The switch uses
Extremeware and the VLANs are Extreme proprietary VLANs, that is, not
specifically 802.1Q-tagged VLANs.

We are moving to another floor of this datacenter and have purchased
Cisco 3750's to handle switching in the new cage.  We have already
decided to go with 802.1Q VLANs right off the bat and have designated
their VLAN IDs accordingly.

The new VLANs exist logically on the Extremes but not in the 802.1Q
format - we can however add 802.1Q tags to the Extreme VLANs without
affecting anything.

Where we get confused is when we want to hook a line between floors with
the entire current setup actually running thru a fibre line up to the
new Cisco gear and then out to the ISP's gear.  We're hoping we can then
move load balanced gear in a staggered fashion without any downtime -
that is, the new load balancer hooked to the Cisco (another trunk port)
will be able to see pool members on the old floor cage thru the magic of
VLAN tagging and trunks.

My thinking is that we take a GBIC on the Extreme and hook the
inter-floor line to the Cisco, and then set up an 802.1Q trunk with the
Cisco; the Cisco will then see the traffic thru the Extreme and
understand the tags as it is configured at that point to have the same
VLAN data.  We then move the upstream ISP connection to the external,
net VLAN off the Cisco and the Extreme re-ARPs and finds its old gateway
(the ISP gear) by going through the Cisco.

My question is basically, am I on the right track?  Are there any
obvious gotchas or has anyone done anything like this?

Thanks for any thoughts.


------------------------------

Message: 8
Date: Wed, 21 Dec 2005 11:19:11 +0530
From: Atiqur Rahman Mohammed <atiqurrahman.mohammed at gmail.com>
Subject: Re: [c-nsp] MLPPP in Cisco IOS 12.18(22)SXF
To: David Prall <dcp at dcptech.com>
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Message-ID:
	<84a06f400512202149v677cbfa5v9fd2ce25a7abb8e at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi David,
No, I have not loaded the package.
Can you tell me the procedure to load the respective WAN interface
bundle?
Also please specify the link where I can get the package.

Regards,
Atiqur Rahman
Infocomm Technology Cente
Reliance Infocomm
Mobile: 09324621784

On 12/20/05, David Prall <dcp at dcptech.com> wrote:
> Atiqur,
> Did you also load the respective WAN interface bundle.
> c7600-fpd-pkg.122-18.SXF.pkg
>
> David
>
> --
> David C Prall dcp at dcptech.com http://dcp.dcptech.com 
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net 
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> > Atiqur Rahman Mohammed
> > Sent: Tuesday, December 20, 2005 7:50 AM
> > To: cisco-nsp
> > Subject: [c-nsp] MLPPP in Cisco IOS 12.18(22)SXF
> >
> > We have performed a software upgrade of Cisco 7609 from s72033-psv
> > -mz-122-18.SXD4  to  s72033-ipservices_wan-mz.122-18.SXF.
> >
> > However, as soon as the software upgrade is complete, the ML PPP
> > Interface goes down.
> >
> > Are there any compatibility issues with the new IOS? After we reverted
> > back to the previous release, it has started working fine. Kindly
> > provide clarification/resolution for the same.
> >
> > --
> > Regards,
> > Atiqur Rahman
> > Infocomm Technology Cente
> > Reliance Infocomm
> > Mobile: 09324621784
> >
> >
>
>



------------------------------



End of cisco-nsp Digest, Vol 37, Issue 69
*****************************************

