[c-nsp] PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c)
Raj Panchal
raj.panchal at vsnl.co.in
Sun Dec 25 02:11:02 EST 2005
Configure the following command:
vpdn domain-delimiter % suffix
It seems your box is sending the domain name for auth the first time and
then the actual user name.
Try a login test using the following command:
test aaa group radius <username> <password> legacy
Capture the output.
Try enabling local authentication for PPP, remove radius authentication,
try the above command; if it works then try logging in with the following
debug enabled:
debug radius
And paste the output back in mail if the issue continues.
raj
_____
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephen Fulton
Sent: Thursday, December 22, 2005 11:41 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PPPoE/RADIUS with 7206/NPE-200 and IOS 12.3(9c)
Hello again all,
Taking into account the advice of Robert, Gerald, Oliver, Dean and
Alexandre, I've experimented with different variations. I was able to
have the router verify against the radius server, and I discovered what
one of the issues was. Unfortunately I've hit another brick wall, and
after more attempts, and much reading of lists and Cisco's site, I'm
still stuck. Here is what is occurring:
1. The 7206 authenticates a user "domain.com/cisco" against the radius
server, which fails. Why this is happening, I do not understand. I
can't see a reason in either the documentation I've consulted or my own
understanding of the entire process. Any pointers on this one would be
appreciated.
2. It then attempts to authenticate the PPPoE user, which succeeds. No
IP address is assigned from the pool I've created, and the PPPoE
session disconnects after a moment.
3. Debugging shows that while the PPPoE user authenticates correctly,
there is an unknown AUTH attempt by the Virtual-Access3 interface which
fails and (I believe) causes the disconnection. Again, no IP from the
configured IP pool has been assigned.
I've included the debug output and my latest configuration below:
Here's my latest debug:
>> START DEBUG
Dec 22 17:52:51.700: PPPoE 0: I PADI R:0000.24c4.ffc5 L:ffff.ffff.ffff
Fa1/0
Dec 22 17:52:51.700: PPPoE 0: O PADO, R:0000.24c4.ffc5 L:0010.54d8.141c
Fa1/0
Dec 22 17:52:51.984: PPPoE 0: I PADR R:0000.24c4.ffc5 L:0010.54d8.141c
Fa1/0
Dec 22 17:52:51.984: PPPoE : encap string prepared
Dec 22 17:52:51.984: [14]PPPoE 14: Access IE handle allocated
Dec 22 17:52:51.984: [14]PPPoE 14: pppoe SSS switch updated
Dec 22 17:52:51.984: [14]PPPoE 14: AAA get retrieved attrs
Dec 22 17:52:51.984: [14]PPPoE 14: AAA get nas port details
Dec 22 17:52:51.984: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:52:51.984: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:52:51.984: AAA/ACCT/EVENT/(00000011): CALL START
Dec 22 17:52:51.984: [14]PPPoE 14: AAA unique ID allocated
Dec 22 17:52:51.988: AAA/ACCT/SETMLIST(00000011): Handle 0, mlist
63517D5C, Name default
Dec 22 17:52:51.988: AAA/ACCT(00000011): Type NET: Periodic timer
initialized
Dec 22 17:52:51.988: [14]PPPoE 14: AAA method list set
Dec 22 17:52:51.988: [14]PPPoE 14: Service request sent to SSS
Dec 22 17:52:51.988: [14]PPPoE 14: Created R:0010.54d8.141c
L:0000.24c4.ffc5 Fa1/0
Dec 22 17:52:51.988: AAA/ACCT/EVENT/(00000011): ATTR REPLACE
Dec 22 17:52:51.988: [14]PPPoE 14: State REQ_NASPORT Event MORE_KEYS
Dec 22 17:52:51.988: [14]PPPoE 14: O PADS R:0000.24c4.ffc5
L:0010.54d8.141c Fa1/0
Dec 22 17:52:51.988: EVT: Dynamic Bind 0 0x63FF9A1C
Dec 22 17:52:51.988: ppp14 EVT: Bound 4 0x00000000
Dec 22 17:52:51.988: AAA/ACCT/SETMLIST(00000011): Handle 0, mlist
63517D5C, Name default
Dec 22 17:52:51.988: [14]PPPoE 14: State START_PPP Event DYN_BIND
Dec 22 17:52:51.988: [14]PPPoE 14: data path set to PPP
Dec 22 17:52:53.035: ppp14 EVT: Packet 0 0x63659CD8
Dec 22 17:52:53.099: ppp14 EVT: Packet 0 0x63658AF0
Dec 22 17:52:53.099: RADIUS/ENCODE(00000011): check username/password; FAIL
Dec 22 17:52:53.099: RADIUS/ENCODE(00000011): send packet; FAIL
Dec 22 17:52:53.099: ppp14 EVT: AAA Response 0 0x63E74E90
Dec 22 17:52:53.131: ppp14 EVT: Packet 0 0x636590E8
Dec 22 17:52:53.147: ppp14 EVT: Auth Packet 0 0x631921F0
Dec 22 17:52:53.151: ppp14 EVT: Hook 1 0x00000000
Dec 22 17:52:53.151: RADIUS/ENCODE(00000011):Orig. component type = PPoE
Dec 22 17:52:53.151: RADIUS: AAA Unsupported Attr: interface
[153] 7
Dec 22 17:52:53.151: RADIUS: 31 2F 30 2F 30
[1/0/0]
Dec 22 17:52:53.151: RADIUS(00000011): Storing nasport 0 in rad_db
Dec 22 17:52:53.151: RADIUS(00000011): Config NAS IP: xxx.xxx.xxx.xxx
Dec 22 17:52:53.151: RADIUS/ENCODE(00000011): acct_session_id: 17
Dec 22 17:52:53.151: RADIUS(00000011): sending
Dec 22 17:52:53.151: RADIUS(00000011): Send Access-Request to
xxx.xxx.xxx.xxx:1812 id 1645/24, len 77
Dec 22 17:52:53.151: RADIUS: authenticator D3 0F 3D 7F F1 1F 41 19 - 85
65 1E 7C 97 F4 8F 4A
Dec 22 17:52:53.151: RADIUS: User-Name [1] 15 "domain.com"
Dec 22 17:52:53.151: RADIUS: User-Password [2] 18 *
Dec 22 17:52:53.151: RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
Dec 22 17:52:53.151: RADIUS: NAS-Port [5] 6 0
Dec 22 17:52:53.151: RADIUS: Service-Type [6] 6 Outbound
[5]
Dec 22 17:52:53.151: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Dec 22 17:52:55.171: RADIUS: Received from id 1645/24
xxx.xxx.xxx.xxx:1812, Access-Reject, len 20
Dec 22 17:52:55.171: RADIUS: authenticator 15 92 F3 93 16 85 E4 E3 - 2E
A4 10 08 C0 18 C9 F7
Dec 22 17:52:55.171: RADIUS(00000011): Received from id 1645/24
Dec 22 17:52:55.175: ppp14 EVT: Hook 1 0x00000000
Dec 22 17:52:55.175: ppp14 EVT: Forwarded 0 0x00000000
Dec 22 17:52:55.175: RADIUS/ENCODE(00000011):Orig. component type = PPoE
Dec 22 17:52:55.175: RADIUS: AAA Unsupported Attr: interface
[153] 7
Dec 22 17:52:55.175: RADIUS: 31 2F 30 2F 30
[1/0/0]
Dec 22 17:52:55.175: RADIUS(00000011): Using existing nas_port 0
Dec 22 17:52:55.175: RADIUS(00000011): Config NAS IP: xxx.xxx.xxx.xxx
Dec 22 17:52:55.175: RADIUS/ENCODE(00000011): acct_session_id: 17
Dec 22 17:52:55.175: RADIUS(00000011): sending
Dec 22 17:52:55.175: RADIUS(00000011): Send Access-Request to
xxx.xxx.xxx.xxx:1812 id 1645/25, len 91
Dec 22 17:52:55.175: RADIUS: authenticator 99 EC F0 28 0F AB 53 A2 - 9B
F5 BF 17 AF 03 74 68
Dec 22 17:52:55.175: RADIUS: Framed-Protocol [7] 6 PPP
[1]
Dec 22 17:52:55.175: RADIUS: User-Name [1] 23
"test at domain.com"
Dec 22 17:52:55.175: RADIUS: User-Password [2] 18 *
Dec 22 17:52:55.175: RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
Dec 22 17:52:55.175: RADIUS: NAS-Port [5] 6 0
Dec 22 17:52:55.175: RADIUS: Service-Type [6] 6 Framed
[2]
Dec 22 17:52:55.175: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Dec 22 17:52:55.183: RADIUS: Received from id 1645/25
205.207.122.33:1812, Access-Accept, len 50
Dec 22 17:52:55.183: RADIUS: authenticator 5A B4 1E 4F 0A C2 CC 38 - CB
9D 1A 08 2F AE FC 73
Dec 22 17:52:55.183: RADIUS: Service-Type [6] 6 Framed
[2]
Dec 22 17:52:55.183: RADIUS: Framed-Protocol [7] 6 PPP
[1]
Dec 22 17:52:55.183: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
Dec 22 17:52:55.183: RADIUS: Framed-IP-Address [8] 6 255.255.255.254
Dec 22 17:52:55.183: RADIUS: Framed-Compression [13] 6 VJ TCP/IP
Header Compressi[1]
Dec 22 17:52:55.183: RADIUS(00000011): Received from id 1645/25
Dec 22 17:52:55.183: ppp14 EVT: AAA Response 0 0x63E74E90
Dec 22 17:52:55.187: ppp14 EVT: Hook 1 0x00000000
Dec 22 17:52:55.187: [14]PPPoE 14: State LCP_NEGO Event PPP_LOCAL
Dec 22 17:52:55.187: PPPoE 14: Can not use sub-interface
Dec 22 17:52:55.187: Vi3 Debug: Condition 1, interface Vt1 triggered,
count 2
Dec 22 17:52:55.191: Vi3 EVT: Setup 0 0x00000000
Dec 22 17:52:55.191: [14]PPPoE 14: State CREATE_VA Event VA_RESP
Dec 22 17:52:55.191: [14]PPPoE 14: Vi3 interface obtained
Dec 22 17:52:55.191: EVT: Static Bind 0 0x63FF9A1C
Dec 22 17:52:55.191: Vi3 EVT: Free PPP 0 0x00000000
Dec 22 17:52:55.191: [14]PPPoE 14: State PTA_BIND Event STAT_BIND
Dec 22 17:52:55.191: [14]PPPoE 14: data path set to Virtual Acess
Dec 22 17:52:55.191: [14]PPPoE 14: Connected PTA
Dec 22 17:52:55.195: %LINK-3-UPDOWN: Interface Virtual-Access3, changed
state to up
Dec 22 17:52:55.195: Vi3 EVT: Hook 1 0x00000000
Dec 22 17:52:55.195: Vi3 EVT: Forwarded 0 0x00000000
Dec 22 17:52:55.195: Vi3 AAA/AUTHOR/LCP: Process Author
Dec 22 17:52:55.195: Vi3 AAA/AUTHOR/LCP: Process Attr: service-type
Dec 22 17:52:55.195: Vi3 AAA/AUTHOR/LCP: Process Attr: link-compression
Dec 22 17:52:55.195: Vi3 AAA/AUTHOR/LCP: IF_config:
ip tcp header-compression
Dec 22 17:52:55.195: Vi3 PAP: O AUTH-ACK id 1 len 5
Dec 22 17:52:56.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access3, changed state to up
Dec 22 17:53:03.099: Vi3 AUTH: Timeout 1
Dec 22 17:53:13.115: Vi3 AUTH: Timeout 2
Dec 22 17:53:23.131: Vi3 AUTH: Timeout 3
Dec 22 17:53:23.151: Vi3 EVT: Packet 0 0x631924EC
Dec 22 17:53:33.147: Vi3 AUTH: Timeout 4
Dec 22 17:53:43.163: Vi3 AUTH: Timeout 5
Dec 22 17:53:53.175: Vi3 EVT: Packet 0 0x63194BB8
Dec 22 17:53:53.179: Vi3 AUTH: Timeout 6
Dec 22 17:54:03.195: Vi3 AUTH: Timeout 7
Dec 22 17:54:13.211: Vi3 AUTH: Timeout 8
Dec 22 17:54:23.202: Vi3 EVT: Packet 0 0x631930DC
Dec 22 17:54:23.226: Vi3 AUTH: Timeout 9
Dec 22 17:54:33.242: Vi3 AUTH: Timeout 10
Dec 22 17:54:43.258: Vi3 AUTH: Timeout 11
Dec 22 17:54:43.258: Vi3 EVT: Soft Disc 0 0x00000000
Dec 22 17:54:43.258: AAA/ACCT/SETMLIST(00000011): Handle 0, mlist
63517D5C, Name default
Dec 22 17:54:43.258: AAA/ACCT/EVENT/(00000011): NET DOWN
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: [14]PPPoE 14: AAA get dynamic attrs
Dec 22 17:54:43.258: AAA/ACCT/EVENT/(00000011): CALL STOP
Dec 22 17:54:43.318: Vi3 EVT: Packet 0 0x63195DA0
Dec 22 17:54:43.318: Vi3 EVT: Free PPP 0 0x00000000
Dec 22 17:54:43.318: [14]PPPoE 14: State CNCT_PTA Event PPP_DISCNCT
Dec 22 17:54:43.318: [14]PPPoE 14: O PADT R:0000.24c4.ffc5
L:0010.54d8.141c Fa1/0
Dec 22 17:54:43.318: [14]PPPoE 14: Destroying R:0000.24c4.ffc5
L:0010.54d8.141c Fa1/0
Dec 22 17:54:43.318: PPPoE: Returning Vaccess Virtual-Access3
Dec 22 17:54:43.318: AAA/ACCT/EVENT/(00000011): NET DOWN
Dec 22 17:54:43.318: [14]PPPoE 14: AAA account stopped
Dec 22 17:54:43.322: %LINK-3-UPDOWN: Interface Virtual-Access3, changed
state to down
Dec 22 17:54:43.394: PPPoE 14: I PADT R:0000.24c4.ffc5 L:0010.54d8.141c
Fa1/0
Dec 22 17:54:44.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access3, changed state to down
Dec 22 17:54:44.258: Vi3 Debug: Condition 1, interface Vt1 cleared, count 1
<< END DEBUG
Now the configuration:
>> START CONFIG:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname nc-frt-bas1
!
boot-start-marker
boot bootstrap disk0:/c7200-boot-mz.120-22.bin
boot system disk0:/c7200-is-mz.123-9c.bin
boot-end-marker
!
logging buffered 65536 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius tor-radius
server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
server-private xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key
<password>
ip radius source-interface FastEthernet0/0
!
aaa authentication login default line
aaa authentication ppp default group tor-radius
aaa authorization network default group tor-radius
aaa accounting update periodic 240
aaa accounting network default start-stop group tor-radius
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
no ip domain lookup
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
description PPPoE
accept-dialin
protocol pppoe
virtual-template 1
pppoe limit max-sessions 1000
!
interface Loopback1
description IP Range lockdown for pppoe assignments
ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface FastEthernet0/0
ip address xxx.xxx.xxx.xxx 255.255.255.240
no ip mroute-cache
duplex full
media-type mii
!
interface FastEthernet1/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex full
pppoe enable
no cdp enable
!
interface Virtual-Template1
ip unnumbered Loopback1
ip tcp adjust-mss 1420
ip mroute-cache
peer default ip address pool pppoepool
ppp max-bad-auth 3
ppp mtu adaptive
ppp authentication pap
!
!
ip local pool pppoepool 192.168.100.130 198.168.100.150
ip classless
no ip http server
!
dial-peer cor custom
!
gatekeeper
shutdown
!
>> END CONFIG
Thanks again.
-- Stephen
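To read a `debug radius` capture like the one above, it helps to pair each Access-Request with its reply by RADIUS id and list the User-Name and verdict side by side. The following is an added example, not part of the original thread: the function names are hypothetical, and the sample is a constructed, unwrapped excerpt modelled on the posted debug, with the archive's "test at domain.com" written as "test@domain.com" as an assumption. The Framed-IP-Address meanings come from RFC 2865 section 5.8.

```python
import re

# Constructed sample: unwrapped lines modelled on the debug output in this thread.
SAMPLE = """\
Dec 22 17:52:53.151: RADIUS(00000011): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/24, len 77
Dec 22 17:52:53.151: RADIUS:  User-Name           [1]   15  "domain.com"
Dec 22 17:52:53.151: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
Dec 22 17:52:55.171: RADIUS: Received from id 1645/24 xxx.xxx.xxx.xxx:1812, Access-Reject, len 20
Dec 22 17:52:55.175: RADIUS(00000011): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/25, len 91
Dec 22 17:52:55.175: RADIUS:  User-Name           [1]   23  "test@domain.com"
Dec 22 17:52:55.175: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Dec 22 17:52:55.183: RADIUS: Received from id 1645/25 xxx.xxx.xxx.xxx:1812, Access-Accept, len 50
Dec 22 17:52:55.183: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.254
"""

SEND = re.compile(r"Send Access-Request to \S+ id (\d+/\d+)")
RECV = re.compile(r"Received from id (\d+/\d+) \S+, (Access-\w+)")
ATTR = re.compile(r"RADIUS:\s+([A-Za-z-]+)\s+\[\d+\]\s+\d+\s+(.*?)\s*(?:\[\d+\])?\s*$")
# RFC 2865 section 5.8: special Framed-IP-Address values.
SPECIAL_IP = {"255.255.255.254": "NAS assigns from its own pool",
              "255.255.255.255": "user negotiates the address"}

def radius_exchanges(text):
    """Pair each Access-Request with its reply by RADIUS id; collect attributes."""
    exchanges, by_id, attrs = [], {}, None
    for line in text.splitlines():
        if m := SEND.search(line):
            ex = {"id": m.group(1), "request": {}, "result": None, "reply": {}}
            by_id[ex["id"]] = ex
            exchanges.append(ex)
            attrs = ex["request"]
        elif m := RECV.search(line):
            ex, attrs = by_id.get(m.group(1)), None
            if ex:
                ex["result"], attrs = m.group(2), ex["reply"]
        elif attrs is not None and (m := ATTR.search(line)):
            attrs[m.group(1)] = m.group(2).strip('"')
    return exchanges

def summarize(exchanges):
    """One row per exchange: (User-Name, Service-Type, result, note)."""
    rows = []
    for ex in exchanges:
        req, reply = ex["request"], ex["reply"]
        user = req.get("User-Name", "?")
        note = "" if "@" in user else "domain-only User-Name"
        note = SPECIAL_IP.get(reply.get("Framed-IP-Address"), note)
        rows.append((user, req.get("Service-Type"), ex["result"], note))
    return rows
```

Calling `summarize(radius_exchanges(SAMPLE))` gives one row per exchange, so the rejected domain-only request and the accepted user request can be compared directly.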