[c-nsp] Need BellSouth BBG Configuration using MS IAS Radius and Static IP

Jon M. Duren jduren at idleaire.com
Wed Oct 4 17:01:34 EDT 2006


We are converting from BellSouth's ATM PVC method of providing DSL to
the new BBG setup.  While we are an ISP, our setup would be similar to
an enterprise using DSL to connect remote offices, as many of our
customers have point-to-point networks across their WAN interfaces, and
IP subnets routed to their routers.  The desire is to move to utilizing
RADIUS, particularly Microsoft IAS, to provide the router with the WAN
IP and the subnet to route to the remote location.  

 

Our setup is a Cisco 2811 router with an AIM-ATM card, and a
VWIC-2MFT-T1.   The BBG circuit is provided over a DS1 carrier.  

Microsoft IAS is set up as our RADIUS server and it appears the
communication between the router and RADIUS server is functional.
Several users have been set up on the local Microsoft server, some with
appropriate static IPs and others with static IPs and routed subnets. 

 

Debugging in the router shows that the appropriate static IP and network
subnet are being properly sent along with the approval for the username
and password combo via RADIUS to the router; however, the Cisco is not
applying the information to the IP PPP session.  

Please see the attached router debugging below:

 

The incoming connection gets authenticated appropriately, but does not
get the IP applied, so the connection fails after a short period of time
and continually attempts to reconnect.   

 

If a local IP pool "localpool" is configured into the router and
"peer default ip address pool localpool" is added to the
virtual-template interface, the router will assign the incoming call an
IP from the local pool after the username is authenticated through
RADIUS, even though it is getting a static IP assignment from the RADIUS
server.  In this scenario, the remote router accepts the IP and the
connection is fully established. 

 

I am looking for some help with getting a Cisco router to accept the
specific information from a Microsoft RADIUS server and apply it during
the PPP negotiation phase of the circuit establishment.  The router
configuration we currently have in place is listed at the bottom.   Any
additional suggestions to improve or optimize the config would be
appreciated.

 

An excerpt from the RADIUS debugging on the router:

*Oct  4 20:02:17.676: ppp509 PAP: I AUTH-REQ id 1 len 40 from "user at user.com"
*Oct  4 20:02:17.676: ppp509 PAP: Authenticating peer user at user.com
*Oct  4 20:02:17.676: ppp509 PPP: Sent PAP LOGIN Request
*Oct  4 20:02:17.676: RADIUS/ENCODE(00000218):Orig. component type = VPDN
*Oct  4 20:02:17.680: RADIUS:  AAA Unsupported Attr: interface         [157] 15
*Oct  4 20:02:17.680: RADIUS:   55 6E 69 71 2D 53 65 73 73 2D 49 44 35  [Uniq-Sess-ID5]
*Oct  4 20:02:17.680: RADIUS(00000218): Config NAS IP: 0.0.0.0
*Oct  4 20:02:17.680: RADIUS/ENCODE(00000218): acct_session_id: 538
*Oct  4 20:02:17.680: RADIUS(00000218): sending
*Oct  4 20:02:17.680: RADIUS/ENCODE: Best Local IP-Address 10.1.1.1 for Radius-Server 172.16.48.2
*Oct  4 20:02:17.680: RADIUS(00000218): Send Access-Request to 172.16.48.2:1645 id 1645/138, len 113
*Oct  4 20:02:17.680: RADIUS:  authenticator FD 02 72 0A 10 44 0E 1B - 7C E1 FC 78 1D A9 30 0E
*Oct  4 20:02:17.680: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Oct  4 20:02:17.680: RADIUS:  User-Name           [1]   11  "user"
*Oct  4 20:02:17.680: RADIUS:  User-Password       [2]   18  *
*Oct  4 20:02:17.680: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Oct  4 20:02:17.680: RADIUS:  NAS-Port            [5]   6   509
*Oct  4 20:02:17.680: RADIUS:  NAS-Port-Id         [87]  17  "Uniq-Sess-ID509"
*Oct  4 20:02:17.680: RADIUS:  Calling-Station-Id  [31]  17  "bellsouthbbg-routerid"
*Oct  4 20:02:17.680: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Oct  4 20:02:17.680: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.1
*Oct  4 20:02:17.684: RADIUS: Received from id 1645/138 172.16.48.2:1645, Access-Accept, len 126
*Oct  4 20:02:17.684: RADIUS:  authenticator DD BC F7 DC E4 65 CE A1 - D1 0B 8C FE 61 60 A3 E5
*Oct  4 20:02:17.684: RADIUS:  Vendor, Cisco       [26]  34
*Oct  4 20:02:17.684: RADIUS:   Cisco AVpair       [1]   28  "ip:dns-servers=172.16.16.4"
*Oct  4 20:02:17.684: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Oct  4 20:02:17.684: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Oct  4 20:02:17.684: RADIUS:  Framed-IP-Address   [8]   6   10.3.2.10
*Oct  4 20:02:17.684: RADIUS:  Framed-Route        [22]  22  "2.3.8.0/24 0.0.0.0 1"   ###Note - a fake route we were testing with
*Oct  4 20:02:17.684: RADIUS:  Class               [25]  32
*Oct  4 20:02:17.684: RADIUS:   4D F0 05 D1 00 00 01 37 00 01 41 DC 0F 0A 01 C6  [M??????7??A?????]
*Oct  4 20:02:17.684: RADIUS:   E2 03 27 E9 FA 64 00 00 00 00 00 00 05 42        [??'??d???????B]
*Oct  4 20:02:17.688: RADIUS(00000218): Received from id 1645/138
*Oct  4 20:02:17.688: ppp509 PPP: Received LOGIN Response PASS
*Oct  4 20:02:17.708: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
*Oct  4 20:02:17.708: Vi5 PAP: O AUTH-ACK id 1 len 5
*Oct  4 20:02:18.708: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up

###The following is output of show users for a connection that did not
accept the IP from the RADIUS server.

router#show users

  Interface    User               Mode               Idle     Peer Address
  Vi5          user at user.co  PPPoVPDN     00:00:07


version 12.4
!
hostname nsp-router
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
enable password 7 #######
!
aaa new-model
!
!
aaa authentication ppp default group radius
aaa accounting delay-start
aaa accounting network default start-stop group radius
!
aaa session-id common
network-clock-participate wic 0
no network-clock-participate aim 0
network-clock-select 1 T1 0/0/0
no ip source-route
ip icmp rate-limit unreachable 2000
!
!
ip cef
!
!
ip address-pool local
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol any
  virtual-template 1
 terminate-from hostname bellsouthbbg-routerid
 local name BBG-Gateway
 lcp renegotiation always
 l2tp tunnel password 7 ########
!
!
controller T1 0/0/0
 mode atm aim 0
 framing esf
 linecode b8zs
!
controller T1 0/0/1
 shutdown
 framing esf
 linecode b8zs
!
!!
interface Loopback1
 ip address 10.3.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no scrambling-payload
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
!
interface ATM0/0/0.1 point-to-point
 ip address  <IP Provided by BellSouth>
 no ip route-cache
 no snmp trap link-status
 pvc 4/36
  encapsulation aal5autoppp Virtual-Template1
 !
!
interface Virtual-Template1
 description BellSouth BBG connection
 mtu 1492
 ip unnumbered Loopback1
 no ip route-cache cef
 peer pool static
 no peer default ip address
 keepalive 200
 ppp authentication pap
 ppp ipcp dns 172.16.4.4
 ppp ipcp ignore-map
 ppp ipcp predictive
 ppp ipcp address accept
!
ip local pool default 10.3.2.34 10.3.2.60
ip route 0.0.0.0 0.0.0.0 10.1.1.254
no ip http server
no ip http secure-server
!!
!
radius-server host 172.16.48.2 auth-port 1645 acct-port 1646 key 7 #########
radius-server domain-stripping
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 30 0
 password 7 ###########
!
scheduler allocate 20000 1000
!
end
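The post's diagnosis rests on reading the "debug radius" output by eye: the Access-Accept does carry Framed-IP-Address 10.3.2.10 and a Framed-Route, yet the PPP session never gets the address. The following Python script is an added example, written for this page and not taken from the original post, from Cisco or from Microsoft. It parses attribute lines in the format IOS prints above into per-message dictionaries and audits the Access-Accept for what a NAS needs to hand a PPP peer an address via IPCP: Service-Type Framed, Framed-Protocol PPP, a Framed-IP-Address that is neither of the RFC 2865 "let the NAS/peer choose" sentinels and that lies inside the NAS-side subnet, and a Framed-Route decoded per RFC 2865 (gateway 0.0.0.0 meaning the peer's own address). The subnet used for the check, 10.3.2.0/24, is taken from Loopback1 in the config because Virtual-Template1 is `ip unnumbered Loopback1`; that this is the right subnet to check against is an assumption. The embedded transcript is a constructed copy of the post's excerpt with the mail-client line wrapping undone.

```python
import ipaddress
import re

# Constructed sample input: the post's "debug radius" excerpt with each
# line the mail client wrapped re-joined so every attribute sits on one line.
SAMPLE_DEBUG = """\
*Oct  4 20:02:17.676: ppp509 PPP: Sent PAP LOGIN Request
*Oct  4 20:02:17.676: RADIUS/ENCODE(00000218):Orig. component type = VPDN
*Oct  4 20:02:17.680: RADIUS:  AAA Unsupported Attr: interface         [157] 15
*Oct  4 20:02:17.680: RADIUS/ENCODE: Best Local IP-Address 10.1.1.1 for Radius-Server 172.16.48.2
*Oct  4 20:02:17.680: RADIUS(00000218): Send Access-Request to 172.16.48.2:1645 id 1645/138, len 113
*Oct  4 20:02:17.680: RADIUS:  authenticator FD 02 72 0A 10 44 0E 1B - 7C E1 FC 78 1D A9 30 0E
*Oct  4 20:02:17.680: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Oct  4 20:02:17.680: RADIUS:  User-Name           [1]   11  "user"
*Oct  4 20:02:17.680: RADIUS:  User-Password       [2]   18  *
*Oct  4 20:02:17.680: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Oct  4 20:02:17.680: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Oct  4 20:02:17.680: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.1
*Oct  4 20:02:17.684: RADIUS: Received from id 1645/138 172.16.48.2:1645, Access-Accept, len 126
*Oct  4 20:02:17.684: RADIUS:  authenticator DD BC F7 DC E4 65 CE A1 - D1 0B 8C FE 61 60 A3 E5
*Oct  4 20:02:17.684: RADIUS:  Vendor, Cisco       [26]  34
*Oct  4 20:02:17.684: RADIUS:   Cisco AVpair       [1]   28  "ip:dns-servers=172.16.16.4"
*Oct  4 20:02:17.684: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Oct  4 20:02:17.684: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Oct  4 20:02:17.684: RADIUS:  Framed-IP-Address   [8]   6   10.3.2.10
*Oct  4 20:02:17.684: RADIUS:  Framed-Route        [22]  22  "2.3.8.0/24 0.0.0.0 1"
*Oct  4 20:02:17.684: RADIUS:  Class               [25]  32
*Oct  4 20:02:17.684: RADIUS:   4D F0 05 D1 00 00 01 37 00 01 41 DC 0F 0A 01 C6  [M??????7??A?????]
*Oct  4 20:02:17.688: RADIUS(00000218): Received from id 1645/138
*Oct  4 20:02:17.688: ppp509 PPP: Received LOGIN Response PASS
"""

# A new message starts on "Send Access-Request to ..." or "Received ... Access-Accept, ...".
MSG_RE = re.compile(r"RADIUS(?:\(\w+\))?: (?:Send (Access-\w+) to|Received from id \S+ \S+, (Access-\w+),)")
# Attribute lines: "RADIUS:  <name> [<type>] <len> <value>"; hex dumps and the
# authenticator line have no "[<digits>]" and so never match.
ATTR_RE = re.compile(r"RADIUS:\s+(\S[^\[]*?)\s+\[(\d+)\]\s+(\d+)\s*(.*)$")

# RFC 2865 section 5.8 sentinel values for Framed-IP-Address.
PEER_SELECTS = ipaddress.ip_address("255.255.255.255")   # user may pick its own address
NAS_SELECTS = ipaddress.ip_address("255.255.255.254")    # NAS assigns, e.g. from a pool


def parse_debug(text):
    """Split a 'debug radius' transcript into a list of messages, each
    {'code': 'Access-Request'|'Access-Accept'|..., 'attrs': {name: [values]}}."""
    messages, current = [], None
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            current = {"code": m.group(1) or m.group(2), "attrs": {}}
            messages.append(current)
            continue
        a = ATTR_RE.search(line)
        if a and current is not None:
            # Drop the trailing enumerated code ("PPP [1]" -> "PPP") and the quotes IOS adds.
            value = re.sub(r"\s*\[\d+\]$", "", a.group(4)).strip().strip('"')
            current["attrs"].setdefault(a.group(1), []).append(value)
    return messages


def check_accept(msg, nas_subnet):
    """Audit an Access-Accept for the attributes a PPP NAS needs to assign the
    peer an address: Framed service/protocol, a concrete Framed-IP-Address inside
    nas_subnet, and Framed-Route decoded as (destination, gateway, metric)."""
    attrs, net = msg["attrs"], ipaddress.ip_network(nas_subnet)
    result = {"problems": [], "framed_ip": None, "routes": []}
    if msg["code"] != "Access-Accept":
        result["problems"].append(f"expected Access-Accept, got {msg['code']}")
        return result
    if attrs.get("Service-Type") != ["Framed"]:
        result["problems"].append("Service-Type is not Framed")
    if attrs.get("Framed-Protocol") != ["PPP"]:
        result["problems"].append("Framed-Protocol is not PPP")
    ips = attrs.get("Framed-IP-Address", [])
    if not ips:
        result["problems"].append("no Framed-IP-Address in Access-Accept")
    else:
        ip = ipaddress.ip_address(ips[0])
        if ip == PEER_SELECTS:
            result["problems"].append("Framed-IP-Address 255.255.255.255: peer chooses, no static IP")
        elif ip == NAS_SELECTS:
            result["problems"].append("Framed-IP-Address 255.255.255.254: NAS must assign from a pool")
        else:
            result["framed_ip"] = str(ip)
            if ip not in net:
                result["problems"].append(f"{ip} is outside {net}")
    for route in attrs.get("Framed-Route", []):
        parts = route.split()                      # "<prefix>/<len> <gateway> <metric>"
        dest = ipaddress.ip_network(parts[0], strict=False)
        gateway = parts[1] if len(parts) > 1 else "0.0.0.0"
        metric = int(parts[2]) if len(parts) > 2 else 1
        if gateway == "0.0.0.0" and result["framed_ip"]:
            gateway = result["framed_ip"]          # RFC 2865: 0.0.0.0 means "via the peer's address"
        result["routes"].append((str(dest), gateway, metric))
    return result


def audit(text, nas_subnet):
    """Run check_accept on the first Access-Accept in a transcript."""
    accepts = [m for m in parse_debug(text) if m["code"] == "Access-Accept"]
    if not accepts:
        return {"problems": ["no Access-Accept in transcript"], "framed_ip": None, "routes": []}
    return check_accept(accepts[0], nas_subnet)


if __name__ == "__main__":
    for key, val in audit(SAMPLE_DEBUG, "10.3.2.0/24").items():
        print(f"{key}: {val}")
```

Run against the post's transcript the audit reports no problems, a Framed-IP-Address of 10.3.2.10 inside Loopback1's subnet, and the test route as (2.3.8.0/24 via 10.3.2.10, metric 1), which confirms the poster's reading that the server side is delivering everything and narrows the question to how the NAS applies it. Point the same script at a transcript whose accept carries 255.255.255.254, or an address outside the unnumbered subnet, and it names that instead.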
