[c-nsp] AAA/RADIUS Authentication and VRF-Lite
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Fri Feb 29 08:28:33 EST 2008
Tord Førland wrote on Friday, February 29, 2008 1:13 PM:
> Hi guys!
>
> I'd like to start out by complimenting this great service. I've been
> a silent member for now, but it has been very interesting to read
> about real-life issues. The issue I'm posting now was first posted on
> NetPro, but no one ever answered, so I thought I'd pitch it to you
> guys :)
>
> I've run into a strange problem, when using AAA Radius authentication
> and VRF-Lite.
>
> The setting is as follows. A /31 linknet is set up between PE and CE
> (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE
> uses VRF-Lite to keep the local services separated (where more than
> one VPN is used..).
>
> Access to the CE, via telnet, console etc, will be authenticated by
> our RADIUS servers, based on the following setup:
>
>
> --> Config Begins <---
>
> aaa new-model
> !
> !
> aaa group server radius radius-auth
> server x.x.4.23 auth-port 1645 acct-port 1646
> server x.x.7.139 auth-port 1645 acct-port 1646
[...]
> ip radius source-interface <outside-if> vrf 10
You need "ip vrf forwarding <name>" within the server group to tie this group to a VRF. Assigning source-interface is not enough..
Have you tried this?
oli
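
Added example, not part of the original post: a small Python check for the condition described in the reply above, a RADIUS server group with no "ip vrf forwarding" while a source-interface is assigned to a VRF. The sample config is constructed (documentation-range addresses, a placeholder interface name, and a hypothetical second group "radius-vrf").

```python
import re

# Constructed sample: documentation-range addresses and a placeholder interface
# name; VRF name "10" follows the post. Group "radius-vrf" is hypothetical.
SAMPLE = """\
aaa new-model
!
aaa group server radius radius-auth
 server 192.0.2.23 auth-port 1645 acct-port 1646
 server 192.0.2.139 auth-port 1645 acct-port 1646
!
aaa group server radius radius-vrf
 server 192.0.2.23 auth-port 1645 acct-port 1646
 ip vrf forwarding 10
!
ip radius source-interface FastEthernet0.10 vrf 10
"""

GROUP_RE = re.compile(r"^aaa group server radius (\S+)\s*$")
GROUP_VRF_RE = re.compile(r"^\s+ip vrf forwarding (\S+)\s*$")
GLOBAL_SRC_RE = re.compile(r"^ip radius source-interface (\S+) vrf (\S+)\s*$")

def parse(config):
    """Return ({group: vrf or None}, VRFs named on global source-interface lines)."""
    groups, global_vrfs, current = {}, set(), None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = None
            continue
        if current and line.startswith(" "):  # still inside the group block
            m = GROUP_VRF_RE.match(line)
            if m:
                groups[current] = m.group(1)
            continue
        current = None  # any non-indented line ends the group block
        m = GLOBAL_SRC_RE.match(line)
        if m:
            global_vrfs.add(m.group(2))
    return groups, global_vrfs

def unbound_groups(config):
    """Groups not tied to a VRF although a source-interface is set for one."""
    groups, global_vrfs = parse(config)
    return sorted(n for n, v in groups.items() if v is None) if global_vrfs else []

if __name__ == "__main__":
    for name in unbound_groups(SAMPLE):
        print(f"server group {name}: no 'ip vrf forwarding', not tied to a VRF")
```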