[c-nsp] AAA/RADIUS Authentication and VRF-Lite

Ziv Leyes zivl at gilat.net
Sun Mar 2 09:40:07 EST 2008


If you're using an access-list on the vty lines you shouldn't forget to mention the vrf too:

line vty 0 4
 access-class xx in vrf-also

This was found on the nsp archives:
http://puck.nether.net/pipermail/cisco-nsp/2004-January/007963.html


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oliver Boehmer (oboehmer)
Sent: Friday, February 29, 2008 3:29 PM
To: Tord Førland; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] AAA/RADIUS Authentication and VRF-Lite

Tord Førland <> wrote on Friday, February 29, 2008 1:13 PM:

> Hi guys!
>
> I'd like to start out by complimenting this great service. I've been
> a silent member for now, but it has been very interesting to read
> about real-life issues. The issue I'm posting now was first posted on
> NetPro, but no one ever answered, so I thought I'd pitch it to you
> guys :)
>
> I've run into a strange problem, when using AAA Radius authentication
> and VRF-Lite.
>
> The setting is as follows. A /31 linknet is set up between PE and CE
> (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE
> uses VRF-Lite to keep the local services separated (where more than
> one VPN is used..).
>
> Access to the CE, via telnet, console etc, will be authenticated by
> our RADIUS servers, based on the following setup:
>
>
> --> Config Begins <---
>
> aaa new-model
> !
> !
> aaa group server radius radius-auth
> server x.x.4.23 auth-port 1645 acct-port 1646
> server x.x.7.139 auth-port 1645 acct-port 1646
[...]
> ip radius source-interface <outside-if> vrf 10

You need "ip vrf forwarding <name>" within the server group to tie this group to a VRF. Assigning source-interface is not enough.
Have you tried this?

        oli

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/





************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
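
Added example, not part of the thread or of any poster's configuration: a small Python check that scans an IOS config for the two omissions discussed above (a RADIUS server group without "ip vrf forwarding" while the RADIUS source interface sits in a VRF, and a vty access-class without "vrf-also"). The sample config, its addresses and interface name are constructed, and the check assumes every RADIUS group on the box is meant to be reached through the VRF.

```python
import re

# Constructed sample config (not from the thread): the CE-side pattern the
# thread describes, with a VRF-bound RADIUS source interface.
SAMPLE = """\
aaa new-model
aaa group server radius radius-auth
 server 192.0.2.23 auth-port 1645 acct-port 1646
!
ip radius source-interface FastEthernet0 vrf 10
!
line vty 0 4
 access-class 10 in
"""

def blocks(config):
    """Yield (header, [indented child lines]) for each top-level config line."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # skip blank lines and IOS '!' separators
        if line.startswith(" "):
            if header is not None:
                children.append(line.strip())
        else:
            if header is not None:
                yield header, children
            header, children = line.strip(), []
    if header is not None:
        yield header, children

def audit(config):
    """Return findings for the two omissions discussed in the thread."""
    findings = []
    parsed = list(blocks(config))
    # Assumption: a VRF on the RADIUS source interface means the groups need it too.
    uses_vrf = any(re.match(r"ip radius source-interface \S+ vrf \S+", h) for h, _ in parsed)
    for header, children in parsed:
        m = re.match(r"aaa group server radius (\S+)", header)
        if m and uses_vrf and not any(c.startswith("ip vrf forwarding ") for c in children):
            findings.append(f"radius group {m.group(1)}: no 'ip vrf forwarding'")
        if header.startswith("line vty"):
            for c in children:
                if re.match(r"access-class \S+ in\b", c) and "vrf-also" not in c.split():
                    findings.append(f"{header}: '{c}' lacks vrf-also")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```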





 
 