[c-nsp] Need BellSouth BBG Configuration using MS IAS Radius and Static IP

Tassos Chatzithomaoglou achatz at forthnet.gr
Thu Oct 5 00:30:52 EDT 2006


Hi Jon,

I think you're missing something like:

aaa authorization network default group radius

Regards,
Tassos

Jon M. Duren wrote on 5/10/2006 12:01 AM:
> We are converting from BellSouth's atm pvc method of providing DSL to
> the new BBG setup.  While we are an ISP, our setup would be similar to
> an enterprise using DSL to connect remote offices, as many of our
> customers have point-to-point networks across their wan interfaces, and
> IP subnets routed to their routers.  The desire is to move to utilizing
> radius, particularly Microsoft IAS, to provide the router with the WAN
> IP and the subnet to route to the remote location.
> 
> Our setup is a Cisco 2811 router with an AIM-ATM card, and a
> VWIC-2MFT-T1.  The BBG circuit is provided over a DS1 carrier.
> 
> Microsoft IAS is set up as our radius server and it appears the
> communication between the router and radius server is functional.
> Several users have been set up on the local Microsoft server, some with
> appropriate static IPs and others with static IPs and routed subnets.
> 
> Debugging in the router shows that the appropriate static IP and network
> subnet are being properly sent along with the approval for the username
> password combo via radius to the router; however, the Cisco is not
> applying the information to the IP PPP session.
> 
> Please see the attached router debugging below:
> 
> The incoming connection gets authenticated appropriately, but does not
> get the IP applied, so the connection fails after a short period of time
> and continually attempts to reconnect.
> 
> If a local IP pool "localpool" is configured into the router and the
> "peer default ip address pool localpool" is added to the
> virtual-template interface, the router will assign the incoming call an
> IP from the local pool after the username is authenticated through
> radius, even though it is getting a static IP assignment from the radius
> server.  In this scenario, the remote router accepts the IP and the
> connection is fully established.
> 
> I am looking for some help with getting a Cisco router to accept the
> specific information from a Microsoft Radius server and apply it during
> the ppp negotiation phase of the circuit establishment.  The router
> configuration we currently have in place is listed at the bottom.  Any
> additional suggestions to improve or optimize the config would be
> appreciated.
> 
> An excerpt from the radius debugging on the router:
> 
> *Oct  4 20:02:17.676: ppp509 PAP: I AUTH-REQ id 1 len 40 from "user at user.com"
> *Oct  4 20:02:17.676: ppp509 PAP: Authenticating peer user at user.com
> *Oct  4 20:02:17.676: ppp509 PPP: Sent PAP LOGIN Request
> *Oct  4 20:02:17.676: RADIUS/ENCODE(00000218):Orig. component type = VPDN
> *Oct  4 20:02:17.680: RADIUS:  AAA Unsupported Attr: interface [157] 15
> *Oct  4 20:02:17.680: RADIUS:   55 6E 69 71 2D 53 65 73 73 2D 49 44 35  [Uniq-Sess-ID5]
> *Oct  4 20:02:17.680: RADIUS(00000218): Config NAS IP: 0.0.0.0
> *Oct  4 20:02:17.680: RADIUS/ENCODE(00000218): acct_session_id: 538
> *Oct  4 20:02:17.680: RADIUS(00000218): sending
> *Oct  4 20:02:17.680: RADIUS/ENCODE: Best Local IP-Address 10.1.1.1 for Radius-Server 172.16.48.2
> *Oct  4 20:02:17.680: RADIUS(00000218): Send Access-Request to 172.16.48.2:1645 id 1645/138, len 113
> *Oct  4 20:02:17.680: RADIUS:  authenticator FD 02 72 0A 10 44 0E 1B - 7C E1 FC 78 1D A9 30 0E
> *Oct  4 20:02:17.680: RADIUS:  Framed-Protocol     [7]   6   PPP  [1]
> *Oct  4 20:02:17.680: RADIUS:  User-Name           [1]   11  "user"
> *Oct  4 20:02:17.680: RADIUS:  User-Password       [2]   18  *
> *Oct  4 20:02:17.680: RADIUS:  NAS-Port-Type       [61]  6   Virtual  [5]
> *Oct  4 20:02:17.680: RADIUS:  NAS-Port            [5]   6   509
> *Oct  4 20:02:17.680: RADIUS:  NAS-Port-Id         [87]  17  "Uniq-Sess-ID509"
> *Oct  4 20:02:17.680: RADIUS:  Calling-Station-Id  [31]  17  "bellsouthbbg-routerid"
> *Oct  4 20:02:17.680: RADIUS:  Service-Type        [6]   6   Framed  [2]
> *Oct  4 20:02:17.680: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.1
> *Oct  4 20:02:17.684: RADIUS: Received from id 1645/138 172.16.48.2:1645, Access-Accept, len 126
> *Oct  4 20:02:17.684: RADIUS:  authenticator DD BC F7 DC E4 65 CE A1 - D1 0B 8C FE 61 60 A3 E5
> *Oct  4 20:02:17.684: RADIUS:  Vendor, Cisco       [26]  34
> *Oct  4 20:02:17.684: RADIUS:   Cisco AVpair       [1]   28  "ip:dns-servers=172.16.16.4"
> *Oct  4 20:02:17.684: RADIUS:  Framed-Protocol     [7]   6   PPP  [1]
> *Oct  4 20:02:17.684: RADIUS:  Service-Type        [6]   6   Framed  [2]
> *Oct  4 20:02:17.684: RADIUS:  Framed-IP-Address   [8]   6   10.3.2.10
> *Oct  4 20:02:17.684: RADIUS:  Framed-Route        [22]  22  "2.3.8.0/24 0.0.0.0 1"   ###Note - a fake route we were testing with
> *Oct  4 20:02:17.684: RADIUS:  Class               [25]  32
> *Oct  4 20:02:17.684: RADIUS:   4D F0 05 D1 00 00 01 37 00 01 41 DC 0F 0A 01 C6  [M??????7??A?????]
> *Oct  4 20:02:17.684: RADIUS:   E2 03 27 E9 FA 64 00 00 00 00 00 00 05 42        [??'??d???????B]
> *Oct  4 20:02:17.688: RADIUS(00000218): Received from id 1645/138
> *Oct  4 20:02:17.688: ppp509 PPP: Received LOGIN Response PASS
> *Oct  4 20:02:17.708: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
> *Oct  4 20:02:17.708: Vi5 PAP: O AUTH-ACK id 1 len 5
> *Oct  4 20:02:18.708: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
> 
> ###The following is output of show users for a connection that did not
> accept the IP from the radius server.
> 
> router#show users
> 
>   Interface    User               Mode               Idle     Peer Address
>   Vi5          user at user.co  PPPoVPDN     00:00:07
> 
> version 12.4
> !
> hostname nsp-router
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 8192 debugging
> enable password 7 #######
> !
> aaa new-model
> !
> !
> aaa authentication ppp default group radius
> aaa accounting delay-start
> aaa accounting network default start-stop group radius
> !
> aaa session-id common
> network-clock-participate wic 0
> no network-clock-participate aim 0
> network-clock-select 1 T1 0/0/0
> no ip source-route
> ip icmp rate-limit unreachable 2000
> !
> !
> ip cef
> !
> !
> ip address-pool local
> vpdn enable
> !
> vpdn-group 1
>  accept-dialin
>   protocol any
>   virtual-template 1
>  terminate-from hostname bellsouthbbg-routerid
>  local name BBG-Gateway
>  lcp renegotiation always
>  l2tp tunnel password 7 ########
> !
> !
> controller T1 0/0/0
>  mode atm aim 0
>  framing esf
>  linecode b8zs
> !
> controller T1 0/0/1
>  shutdown
>  framing esf
>  linecode b8zs
> !
> !!
> interface Loopback1
>  ip address 10.3.2.1 255.255.255.0
> !
> interface FastEthernet0/0
>  ip address 10.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface ATM0/0/0
>  no ip address
>  no ip route-cache cef
>  no ip route-cache
>  no scrambling-payload
>  no atm ilmi-keepalive
>  pvc 0/16 ilmi
>  !
> !
> interface ATM0/0/0.1 point-to-point
>  ip address  <IP Provided by BellSouth>
>  no ip route-cache
>  no snmp trap link-status
>  pvc 4/36
>   encapsulation aal5autoppp Virtual-Template1
>  !
> !
> interface Virtual-Template1
>  description BellSouth BBG connection
>  mtu 1492
>  ip unnumbered Loopback1
>  no ip route-cache cef
>  peer pool static
>  no peer default ip address
>  keepalive 200
>  ppp authentication pap
>  ppp ipcp dns 172.16.4.4
>  ppp ipcp ignore-map
>  ppp ipcp predictive
>  ppp ipcp address accept
> !
> ip local pool default 10.3.2.34 10.3.2.60
> ip route 0.0.0.0 0.0.0.0 10.1.1.254
> no ip http server
> no ip http secure-server
> !!
> !
> radius-server host 172.16.48.2 auth-port 1645 acct-port 1646 key 7 #########
> radius-server domain-stripping
> !
> control-plane
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  exec-timeout 30 0
>  password 7 ###########
> !
> scheduler allocate 20000 1000
> !
> end
> 
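The failure mode in this thread is easy to recognise mechanically: the Access-Accept carries Framed-IP-Address and Framed-Route, but the AAA section of the running config has authentication and accounting only, no `aaa authorization network ... group radius`, so the NAS never applies the attributes it was sent. The checker below is an added example, not code from the thread or from Cisco; the sample debug and config lines are constructed from the excerpts above (with the wrapped `Access-Accept` line rejoined), and the regexes assume the attribute layout shown in this IOS 12.4 output.

```python
import re

# Constructed sample: the lines from the thread's "debug radius" excerpt that matter
DEBUG = """\
*Oct  4 20:02:17.680: RADIUS(00000218): Send Access-Request to 172.16.48.2:1645 id 1645/138, len 113
*Oct  4 20:02:17.680: RADIUS:  User-Name           [1]   11  "user"
*Oct  4 20:02:17.684: RADIUS: Received from id 1645/138 172.16.48.2:1645, Access-Accept, len 126
*Oct  4 20:02:17.684: RADIUS:  Framed-IP-Address   [8]   6   10.3.2.10
*Oct  4 20:02:17.684: RADIUS:  Framed-Route        [22]  22  "2.3.8.0/24 0.0.0.0 1"
"""

# Constructed sample: the AAA lines from the posted config, before and after Tassos's suggestion
CONFIG_BEFORE = """\
aaa new-model
aaa authentication ppp default group radius
aaa accounting network default start-stop group radius
"""
CONFIG_AFTER = CONFIG_BEFORE + "aaa authorization network default group radius\n"

# Matches simple attribute lines: "RADIUS:  Name  [type]  len  value"
ATTR_RE = re.compile(r'RADIUS:\s+(?P<name>[\w-]+)\s+\[(?P<type>\d+)\]\s+\d+\s+(?P<value>.*)$')

def accept_attributes(debug):
    """Return {attribute: value} for attributes printed after the Access-Accept line."""
    attrs, in_accept = {}, False
    for line in debug.splitlines():
        if 'Access-Accept' in line:
            in_accept = True
            continue
        if 'Access-Request' in line:   # a new request starts a new exchange
            in_accept = False
        m = ATTR_RE.search(line)
        if in_accept and m:
            attrs[m['name']] = m['value'].strip().strip('"')
    return attrs

def authorization_enabled(config):
    """True when network authorization is delegated to RADIUS; without it the NAS
    accepts the user but ignores Framed-IP-Address / Framed-Route in the reply."""
    return any(re.match(r'\s*aaa authorization network \S+ .*group radius', l)
               for l in config.splitlines())

def diagnose(debug, config):
    """Report the mismatch the thread describes, or 'ok' when the config can apply the attributes."""
    attrs = accept_attributes(debug)
    wanted = sorted(k for k in attrs if k in ('Framed-IP-Address', 'Framed-Route'))
    if wanted and not authorization_enabled(config):
        return 'RADIUS returned %s but config lacks "aaa authorization network"; ' \
               'the NAS will not apply them' % wanted
    return 'ok'
```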