[c-nsp] Radius and choosing ip-local pool on 7600, PPP termination
Walter Keen
walter.keen at RainierConnect.net
Thu Sep 2 16:34:37 EDT 2010
Hi All,

I have a 7606/RSP720 with a ES+20g card, doing PPPoE termination, as
configured below.

Problem I'm having is that I want to put certain users in a different ip
pool (which happens to be in a different vrf that only allows them
access to one server (the OpenACS server that controls the dsl modems,
so we can simplify provisioning without creating a security concern)).

I can see in the tcpdump output from the server that it's sending
'Cisco-AVPair' to set the ip pool, and even the debug shows it, but no
clue as to why it's not using it.

I'm guessing it has to do with the virtual-template config, but not sure
how to get this configured correctly.

Thought I would ask here before opening a case with the TAC.
Has anyone done this in the past? Should be fairly similar to doing
this in any other PPP access method I think.

interface GigabitEthernet2/1.462 access
 description Tnwx-E5111-003
 encapsulation dot1Q 462
 pppoe enable group TEST-BBA
 ip subscriber l2-connected
  initiator unclassified mac-address

bba-group pppoe TEST-BBA
 virtual-template 1
 vendor-tag circuit-id service
 vendor-tag remote-id service
 vendor-tag dsl-sync-rate service
 mac-address autoselect
 sessions auto cleanup
 tag ppp-max-payload minimum 64 maximum 1400

interface Virtual-Template1
 ip unnumbered Loopback0
 no ip proxy-arp
 peer default ip address pool BRAS-DSL
 ppp lcp echo mru verify minimum 1400
 ppp authentication chap
end

interface Loopback0
 ip address 74.50.193.1 255.255.255.0
end

interface Loopback10
 ip vrf forwarding provisioning
 ip address 74.50.203.137 255.255.255.248
end

ip local pool BRAS-DSL 74.50.193.10 74.50.193.254
ip local pool PROVISIONING 74.50.203.138 74.50.203.142

radius server access-accept response
12:40:01.778914 IP (tos 0x0, ttl 64, id 25517, offset 0, flags [DF],
length: 114) 69.10.201.13.1645 > 74.50.203.62.1645: [udp sum ok] RADIUS,
length: 86
Access Accept (2), id: 0xe8, Authenticator:
5f793a23895e571d317e05c6dbc11c82
Vendor Specific Attribute (26), length: 33, Value: Vendor:
Cisco (9)
Vendor Attribute: 1, Length: 27, Value:
ip:addr-pool=PROVISIONING.!
0x0000: 0000 0009 011b 6970 3a61 6464 722d 706f
0x0010: 6f6c 3d50 524f 5649 5349 4f4e 494e 47
Vendor Specific Attribute (26), length: 33, Value: Vendor:
Cisco (9)
0x0000: 0000 0009 011b 6970 3a61 6464 722d 706f
0x0010: 6f6c 3d50 524f 5649 5349 4f4e 494e 47
E..rc. at .@..EE
debug aaa authentication and aaa attr on c7600
---------
d
*Sep 2 20:15:47.819: AAA/ATTR(00001403): free all lists: 0x1C9C376C
*Sep 2 20:15:47.819: AAA/ATTR(00001403): del attr: 1C9C3780 0 0000000A
clid-mac-addr(43) 14 30 30 30 32 2E 35 64 31 61 2E 34 35 61 32
*Sep 2 20:15:47.819: AAA/ATTR(00001403): del attr: 1C9C3790 0 00000002
Framed-Protocol(110) 4 PPP
*Sep 2 20:15:47.819: AAA/ATTR(00001403): del attr: 1C9C37A0 0 00000009
username(422) 12 provisioning
*Sep 2 20:15:47.819: AAA/ATTR(00001403): del attr: 1C9C37B0 0 00000009
challenge(30) 16 E0 4A 7A 6F FD BB AA B2 1A 74 60 72 65 C0 F3 F9
*Sep 2 20:15:47.819: AAA/ATTR(00001403): del attr: 1C9C37C0 0 00000001
id(31) 1 1(1)0x1C9C30AC
*Sep 2 20:15:47.819: AAA/ATTR(00001403): del attr: 1C9C30C0 0 00000009
response(32) 16 <opaque value>
*Sep 2 20:15:47.819: AAA/ATTR(00001403): new list: 0x1C9C30AC
*Sep 2 20:15:47.819: AAA/ATTR(00001403): cursor init: 1C076CA8 1C9C30AC
none none
*Sep 2 20:15:47.819: AAA/ATTR(00000000): add attr: 1C9C30C0 0 00000009
addr-pool(11) 12 PROVISIONING
*Sep 2 20:15:47.819: AAA/ATTR(00000000): add attr: 1C9C30D0 0 00000009
addr-pool(11) 12 PROVISIONING
*Sep 2 20:15:47.819: AAA/ATTR(00000000): copy lists
*Sep 2 20:15:47.819: AAA/ATTR(00000000): new list: 0x1C9C376C old list:
1C9C30AC
*Sep 2 20:15:47.823: AAA/ATTR(00001403): free all lists: 0x1C9C30AC
*Sep 2 20:15:47.823: AAA/ATTR(00001403): del attr: 1C9C30C0 0 00000009
addr-pool(11) 12 PROVISIONING
*Sep 2 20:15:47.823: AAA/ATTR(00001403): del attr: 1C9C30D0 0 00000009
addr-pool(11) 12 PROVISIONING
*Sep 2 20:15:47.823: AAA/ATTR(00001403): free all lists: 0x1C9C32C8
*Sep 2 20:15:47.823: AAA/ATTR(00001403): del attr: 1C9C32DC 0 00000001
port-type(208) 4 PPPoE over VLAN
*Sep 2 20:15:47.823: AAA/ATTR(00001403): del attr: 1C9C32EC 0 00000009
interface(204) 9 2/0/1/462
*Sep 2 20:15:47.823: AAA/ATTR(00001403): del attr: 1C9C32FC 0 00000009
client-mac-address(45) 14 0002.5d1a.45a2
*Sep 2 20:15:47.823: AAA/ATTR(00000000): new list: 0x1C9C32C8
*Sep 2 20:15:47.823: AAA/ATTR(00000000): new list: 0x1C9C30AC
*Sep 2 20:15:47.823: AAA/ATTR(00000000): add attr: 1C9C30C0 0 00000002
authen-status(17) 4 authen
*Sep 2 20:15:47.823: AAA/ATTR(00000000): add attr: 1C9C30D0 0 0000000A
username(422) 12 provisioning
*Sep 2 20:15:47.823: AAA/ATTR(00000000): cursor init: 1CA28A6C 1C9C32C8
none none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): find: session-guid(149): not found
*Sep 2 20:15:47.823: AAA/ATTR(00000000): cursor init: 1CA28A6C 1C9C32C8
none none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): find next matching
service=none, protocol=none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): not found
*Sep 2 20:15:47.823: AAA/ATTR(00000000): cursor init: 1CA28A6C 1C9C32C8
none none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): find next matching
service=none, protocol=none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): not found
*Sep 2 20:15:47.823: AAA/ATTR(00000000): cursor init: 1CA28A6C 1C9C30AC
none none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): find next matching
service=none, protocol=none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): authen-status ok
*Sep 2 20:15:47.823: AAA/ATTR(00000000): cursor init: 19B2A958 1C9C3184
none none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): find: 1C9C3198 0 00000002
authen-status(17) 4 unauthen
*Sep 2 20:15:47.823: AAA/ATTR(00000000): delete attr: 1C9C3184 0 0
*Sep 2 20:15:47.823: AAA/ATTR(00000000): del attr: 1C9C3198 0 00000002
authen-status(17) 4 unauthen
*Sep 2 20:15:47.823: AAA/ATTR(00000000): add attr: 1C9C31B8 0 00000002
authen-status(17) 4 authen
*Sep 2 20:15:47.823: AAA/ATTR(00000000): find next matching
service=none, protocol=none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): username ok
*Sep 2 20:15:47.823: AAA/ATTR(00000000): cursor init: 19B2A958 1C9C3184
none none
*Sep 2 20:15:47.823: AAA/ATTR(00000000): find: username(422): not found
*Sep 2 20:15:47.823: AAA/ATTR(00000000): add attr: 1C9C31C8 0 0000000A
username(422) 12 provisioning
*Sep 2 20:15:47.827: AAA/ATTR(00000000): find next matching
service=none, protocol=none
*Sep 2 20:15:47.827: AAA/ATTR(00000000): not found
*Sep 2 20:15:47.827: AAA/ATTR(00000000): free all lists: 0x1C9C32C8
*Sep 2 20:15:47.827: AAA/ATTR(00000000): free all lists: 0x1C9C30AC
*Sep 2 20:15:47.827: AAA/ATTR(00000000): del attr: 1C9C30C0 0 00000002
authen-status(17) 4 authen
*Sep 2 20:15:47.827: AAA/ATTR(00000000): del attr: 1C9C30D0 0 0000000A
username(422) 12 provisioning
*Sep 2 20:15:47.827: AAA/BIND(00001403): Bind i/f Virtual-Access2.1
*Sep 2 20:15:47.827: AAA/ATTR(00000000): new list: 0x1C9C30AC
*Sep 2 20:15:47.827: AAA/ATTR(00000000): add attr: 1C9C30C0 0 00000009
username(422) 12 provisioning
*Sep 2 20:15:47.827: AAA/ATTR(00000000): add attr: 1C9C30D0 0 00000001
Framed-Protocol(110) 4 PPP
*Sep 2 20:15:47.827: AAA/ATTR(00001403): cursor init: 1BF64980 1C9C30AC
none none
*Sep 2 20:15:47.827: AAA/ATTR(00001403): find next matching
service=none, protocol=none
*Sep 2 20:15:47.827: AAA/ATTR(00001403): username ok
*Sep 2 20:15:47.827: AAA/ATTR(00001403): find next matching
service=none, protocol=none
*Sep 2 20:15:47.827: AAA/ATTR(00001403): Framed-Protocol ok
*Sep 2 20:15:47.827: AAA/ATTR(00000000): add attr: 1C9C38D4 0 00000001
Framed-Protocol(110) 4 PPP
*Sep 2 20:15:47.827: AAA/ATTR(00001403): find next matching
service=none, protocol=none
*Sep 2 20:15:47.827: AAA/ATTR(00001403): not found
*Sep 2 20:15:47.827: AAA/ATTR(00001403): copy lists
*Sep 2 20:15:47.827: AAA/ATTR(00001403): new list: 0x1C9C32C8 old list:
1C9C38B0
*Sep 2 20:15:47.827: AAA/ATTR(00001403): cursor init: 1BF64960 1C9C32C8
none none
--
Walter Keen
Network Technician
RAINIER CONNECT
P 360.832.4024
F 360.832.4713
C 253.302.0194
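
Added example, not part of the original post: a small decoder for the Vendor-Specific attribute bytes shown in the tcpdump hex dump above, useful for confirming offline what the RADIUS server put in the Access-Accept. The sample bytes are constructed from that hex dump (the attribute repeated twice, as in the capture); the function names are hypothetical.

```python
import struct

CISCO_VENDOR_ID = 9   # enterprise number shown as "Cisco (9)" in the capture
VSA_TYPE = 26         # RADIUS Vendor-Specific attribute
CISCO_AVPAIR = 1      # Cisco vendor attribute 1 carries Cisco-AVPair strings

# Constructed sample: VSA value bytes copied from the hex dump in the post
# (vendor id, vendor type, vendor length, string), sent twice as in the capture.
VSA_VALUE = bytes.fromhex(
    "00000009011b69703a616464722d706f"
    "6f6c3d50524f564953494f4e494e47"
)
ATTRS = (bytes([VSA_TYPE, 2 + len(VSA_VALUE)]) + VSA_VALUE) * 2


def iter_attributes(buf):
    """Walk RADIUS type/length/value attributes, rejecting bad lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def cisco_avpairs(buf):
    """Return (name, value) for every Cisco-AVPair sub-attribute found."""
    pairs = []
    for atype, value in iter_attributes(buf):
        if atype != VSA_TYPE or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != CISCO_VENDOR_ID:
            continue
        # Vendor sub-attributes use the same type/length/value layout.
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == CISCO_AVPAIR:
                name, _, val = vvalue.decode("ascii", "replace").partition("=")
                pairs.append((name, val))
    return pairs


if __name__ == "__main__":
    for name, val in cisco_avpairs(ATTRS):
        print(f"{name} = {val}")
```

Each decoded attribute is 33 bytes long with a 27-byte vendor sub-attribute, matching the lengths tcpdump printed.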