[c-nsp] AAA/RADIUS Authentication and VRF-Lite

Tord Førland tf at nextgentel.com
Fri Feb 29 08:55:50 EST 2008


>> I'd like to start out by complimenting this great service. I've been
>> a silent member for now, but it has been very interesting to read
>> about real-life issues. The issue I'm posting now was first posted on
>> NetPro, but no one ever answered, so I thought I'd pitch it to you
>> guys :)
>>
>> I've run into a strange problem when using AAA RADIUS authentication
>> and VRF-Lite.
>>
>> The setting is as follows. A /31 linknet is set up between PE and CE
>> (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE
>> uses VRF-Lite to keep the local services separated (where more than
>> one VPN is used..).
>>
>> Access to the CE, via telnet, console etc, will be authenticated by
>> our RADIUS servers, based on the following setup:
>> --> Config Begins <---
>> aaa new-model
>> !
>> !
>> aaa group server radius radius-auth
>> server x.x.4.23 auth-port 1645 acct-port 1646
>> server x.x.7.139 auth-port 1645 acct-port 1646
>> ip radius source-interface <outside-if> vrf 10
> You need "ip vrf forwarding <name>" within the server group to tie this group to a VRF. Assigning source-interface is not enough.
> Have you tried this?

Oli, I bow before thee in awe and thanks! You solved my problem. Thank you for your kind help! 
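
Added example, not part of the original thread: the server group from the quoted post with the suggested "ip vrf forwarding" line applied. The VRF name 10 is taken from the poster's own source-interface line; the indentation and the position of the new line are assumptions, and the addresses and interface name stay as the placeholders used in the post.

```cisco
! --- As posted: the group has a VRF-scoped source interface but no VRF
! --- binding of its own.
aaa group server radius radius-auth
 server x.x.4.23 auth-port 1645 acct-port 1646
 server x.x.7.139 auth-port 1645 acct-port 1646
ip radius source-interface <outside-if> vrf 10
!
! --- With the fix: "ip vrf forwarding" inside the server group ties the
! --- group to VRF 10. The source-interface line is kept exactly as posted.
aaa group server radius radius-auth
 server x.x.4.23 auth-port 1645 acct-port 1646
 server x.x.7.139 auth-port 1645 acct-port 1646
 ip vrf forwarding 10
ip radius source-interface <outside-if> vrf 10
```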
 

