[c-nsp] per-VRF AAA templates and multiprotocol VRFs

Daniel Verlouw daniel at bit.nl
Mon Mar 1 07:53:12 EST 2010 

Hi list,

I'm trying to set up per-VRF AAA with remote templates to assign a
customer to a multiprotocol VRF (IPv4 + IPv6). IPv4-only VRFs defined
using the 'ip vrf <vrf name>' stanza work fine this way, however
multiprotocol VRFs defined using the newer 'vrf definition <vrfname>'
syntax fail with a vtemplate cloning error message (line 108102):

[...]
108091: Mar  1 12:24:01 CET: VT:Sending vaccess request, id 0x41000C44
108092: Mar  1 12:24:01 CET: VT:Processing vaccess requests, 1
outstanding
108093: Mar  1 12:24:01 CET: VT[Vi3]:Added new AAA cloneblk, now cloning
from vtemplate/AAA
108094: Mar  1 12:24:01 CET: VT[Vi3]:Clone Vaccess from AAA (62 bytes)
108095: Mar  1 12:24:01 CET: VT[Vi3]:ip vrf forwarding test1
108096: Mar  1 12:24:01 CET: VT[Vi3]:ip unnumbered Loopback1000
108097: Mar  1 12:24:01 CET: VT[Vi3]:end
108098: Mar  1 12:24:01 CET: VT[Vi3]:Applying config commands on process
"VTEMPLATE Background Mgr" (204)
108099: Mar  1 12:24:01 CET: VT[Vi3]:ip vrf forwarding test1
108100: Mar  1 12:24:01 CET: VT[Vi3]:ip unnumbered Loopback1000
108101: Mar  1 12:24:01 CET: VT[Vi3]:end
108102: Mar  1 12:24:01 CET: VT:Messages from (un)cloning Vi3: 
% Use 'vrf forwarding' command for VRF 'test1'
108103: Mar  1 12:24:01 CET: VT[Vi3]:MTUs ip 1500, sub 0, max 1500,
default 1500
108104: Mar  1 12:24:01 CET: VT[Vi3]:Processing vaccess response, id
0x41000C44, result clone error (4)
108105: Mar  1 12:24:01 CET: VT[Vi3]:Processing request to free vaccess
108106: Mar  1 12:24:01 CET: VT[Vi3]:Waiting for the free request to
finish
108107: Mar  1 12:24:01 CET: VT[Vi3]:Vaccess free request complete,
reference id 233
108108: Mar  1 12:24:01 CET: %LINK-3-UPDOWN: Interface Virtual-Access3,
changed state to down
108109: Mar  1 12:24:01 CET: VT[Vi3]:Interface and line protocol are
down, proceed to free

Anyone knows if this is a bug and/or there's a workaround or other
solution for this? (different RADIUS attribute/value pair, different IOS
perhaps?).

This is on c7200-advipservicesk9-mz.124-24.T2.bin btw, config snippets
below.

Regards,
   Daniel.




RADIUS template:

vrf-test1.com              Cleartext-Password := "cisco"
                           Framed-Protocol = PPP,
                           Service-Type = Framed-User,
                           [...]
                           Cisco-AVPair += "template:ip-vrf=test1",
                           Cisco-AVPair +=
"template:ip-unnumbered=Loopback1000"

VRF definition:

vrf definition test1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!

Loopback interface:

interface Loopback1000
 vrf forwarding test1
 ip address 192.168.255.10 255.255.255.255
 ipv6 address cafe::1/128

AAA config:

aaa group server radius RADIUS
 server-private <server> auth-port 1812 acct-port 1813 key 7 <removed>
 ip radius source-interface Lo0
 attribute nas-port format d
 deadtime 5
!         
aaa authorization template
aaa authentication ppp default group RADIUS
aaa authorization network default group RADIUS

More information about the cisco-nsp mailing list