[c-nsp] AAA/RADIUS Authentication and VRF-Lite

Tord Førland tf at nextgentel.com
Fri Feb 29 07:12:57 EST 2008


Hi guys!

I'd like to start out by complimenting this great service. I've been a silent member for now, but it has been very interesting to read about real-life issues. The issue I'm posting now was first posted on NetPro, but no one ever answered, so I thought I'd pitch it to you guys :)

I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.

The setting is as follows. A /31 linknet is set up between PE and CE (7206/g1 and C1812), where the PE sub-if is part of an MPLS VPN, and the CE uses VRF-Lite to keep the local services separated (where more than one VPN is used..).

Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:


--> Config Begins <---

aaa new-model
!
!
aaa group server radius radius-auth
server x.x.4.23 auth-port 1645 acct-port 1646
server x.x.7.139 auth-port 1645 acct-port 1646
!
aaa authentication login default group radius-auth local
aaa authentication enable default group radius-auth enable
...
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>

...

ip radius source-interface <outside-if> vrf 10

---> Config Ends <---

The VRF-Lite instance is configured like this:

---> Config Begins <---

ip vrf 10
rd 65001:10

---> Config Ends <---

Now - if I remove the VRF-Lite setup and use global routing on the CE (which is okay for a single-VPN setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interfaces, the AAA/RADIUS service is unable to reach the two defined servers.

I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.


Best Regards,
Tord Førland
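For reference, here is an added example (not taken from Tord's post or from a reply) of the VRF-aware form IOS uses for a RADIUS server group: the server group itself is bound to the VRF with "ip vrf forwarding", and the "local" fallback in the login method list is kept so console access survives a RADIUS outage. Server addresses, the shared key and the interface name are placeholders carried over from the post.

```ios
aaa new-model
!
! Added example: server group bound to VRF 10 (addresses and key are placeholders)
aaa group server radius radius-auth
 server x.x.4.23 auth-port 1645 acct-port 1646
 server x.x.7.139 auth-port 1645 acct-port 1646
 ip vrf forwarding 10
 ip radius source-interface <outside-if>
!
! Keep "local" as the last method so the box stays reachable if RADIUS is down
aaa authentication login default group radius-auth local
aaa authentication enable default group radius-auth enable
!
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
```

Two quick checks on the CE after applying such a group: "show ip route vrf 10 x.x.4.23" confirms the server is actually reachable inside the VRF, and "test aaa group radius-auth <user> <password> new-code" exercises the method list without needing a new login session. The local fallback is the safety net worth keeping in either layout, since a misbound source interface silently turns every remote login into a timeout.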
