[c-nsp] passing ACL via radius - AAA Unsupported Attr
Christopher Hunt
dharmachris at gmail.com
Thu Sep 2 19:50:30 EDT 2010
Gurus,
I'm looking for a way to pass ACLs via RADIUS. I'm running a 7206
with 12.4(9)T2 and Radiator 4.4 using a MySQL database. Authentication,
static IPs, framed-routes, and even policy route-maps are all working,
but not this! The docs seem to imply that it is supported, but I cannot
figure out which permutation of RADIUS attributes to send.
...
126057: Sep 2 16:32:09 PDT: RADIUS/ENCODE(0920651A):Orig. component type = PPoA
126058: Sep 2 16:32:09 PDT: RADIUS:  AAA Unsupported Attr:   interface         [158] 11
126059: Sep 2 16:32:09 PDT: RADIUS:   31 2F 30 2F 30 2F 31 2E 33              [1/0/0/1.3]
126060: Sep 2 16:32:09 PDT: RADIUS(0920651A): Config NAS IP: 10.10.55.241
126061: Sep 2 16:32:09 PDT: RADIUS/ENCODE(0920651A): acct_session_id: 153184998
126062: Sep 2 16:32:09 PDT: RADIUS(0920651A): sending
126063: Sep 2 16:32:09 PDT: RADIUS(0920651A): Send Access-Request to 10.10.24.3:1645 id 1645/142, len 92
126064: Sep 2 16:32:09 PDT: RADIUS:  authenticator 3D 07 60 4D D7 4D 1C 35 - 31 D2 C5 B0 94 F7 C9 BB
126065: Sep 2 16:32:09 PDT: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
126066: Sep 2 16:32:09 PDT: RADIUS:  User-Name           [1]   10  "dsl-test"
126067: Sep 2 16:32:09 PDT: RADIUS:  CHAP-Password       [3]   19  *
126068: Sep 2 16:32:09 PDT: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
126069: Sep 2 16:32:09 PDT: RADIUS:  NAS-Port            [5]   6   0
126070: Sep 2 16:32:09 PDT: RADIUS:  NAS-Port-Id         [87]  13  "1/0/0/1.396"
126071: Sep 2 16:32:09 PDT: RADIUS:  Service-Type        [6]   6   Framed                    [2]
126072: Sep 2 16:32:09 PDT: RADIUS:  NAS-IP-Address      [4]   6   10.10.55.241
126073: Sep 2 16:32:10 PDT: RADIUS: Received from id 1645/142 10.10.24.3:1645, Access-Accept, len 225
126074: Sep 2 16:32:10 PDT: RADIUS:  authenticator 61 4E 38 50 FF 7E 6E DC - CC D6 4C A0 7E AE 4F 24
126075: Sep 2 16:32:10 PDT: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.254
126076: Sep 2 16:32:10 PDT: RADIUS:  Port-Limit          [62]  6   1
126077: Sep 2 16:32:10 PDT: RADIUS:  Framed-Compression  [13]  6   None                      [0]
126078: Sep 2 16:32:10 PDT: RADIUS:  Service-Type        [6]   6   Framed                    [2]
126079: Sep 2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  56
126080: Sep 2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   50  "lcp:interface-config#2=ip unnumbered Loopback105"
126081: Sep 2 16:32:10 PDT: RADIUS:  Session-Timeout     [27]  6   604800
126082: Sep 2 16:32:10 PDT: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
126083: Sep 2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  55
126084: Sep 2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   49  "lcp:interface-config#1=ip vrf forwarding TestCo"
126085: Sep 2 16:32:10 PDT: RADIUS:  Filter-Id           [11]  10
126086: Sep 2 16:32:10 PDT: RADIUS:   6D 79 66 69 6C 74 65 72              [myfilter]
126087: Sep 2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  24
126088: Sep 2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   18  "ip:vrf-id=TestCo"
126089: Sep 2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  24
126090: Sep 2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   18  "ip:vrf-id=TestCo"
126091: Sep 2 16:32:10 PDT: RADIUS(0920651A): Received from id 1645/142
126092: Sep 2 16:32:10 PDT: ppp1110 PPP: Received LOGIN Response PASS
My DB entry looks like this:
mysql> select * from RADSTCONFIG where name='vrf-test';
+----------+---------+-----------+--------+--------------------------------------------------+-----------+-----+
| NAME     | ATTR_ID | VENDOR_ID | IVALUE | SVALUE                                           | ITEM_TYPE | UID |
+----------+---------+-----------+--------+--------------------------------------------------+-----------+-----+
| vrf-test |       8 |         0 |   NULL | 255.255.255.254                                  |     10001 | 281 |
| vrf-test |      13 |         0 |      0 | NULL                                             |     10001 | 283 |
| vrf-test |       6 |         0 |      2 | NULL                                             |     10001 | 285 |
| vrf-test |       1 |         9 |      0 | lcp:interface-config#2=ip unnumbered Loopback105 |     10001 | 329 |
| vrf-test |      27 |         0 | 604800 | NULL                                             |     10001 | 289 |
| vrf-test |       7 |         0 |      1 | NULL                                             |     10001 | 291 |
| vrf-test |       1 |         9 |      0 | lcp:interface-config#1=ip vrf forwarding TestCo  |     10001 | 327 |
| vrf-test |      11 |           |      0 | myfilter                                         |     10001 | 321 |
+----------+---------+-----------+--------+--------------------------------------------------+-----------+-----+
the ACL exists:
rtr-1#show access-list myfilter
Extended IP access list myfilter
10 permit ip any any log
rtr-1#show users | inc qwest
Vi483 qwestdsl PPPoATM 00:00:00 205.134.214.19
but it's not applied to the Virtual-Access interface:
rtr-1#sh run int Vi483
Building configuration...
Current configuration : 249 bytes
!
interface Virtual-Access483
ip vrf forwarding TestCo
ip unnumbered Loopback105
ip verify unicast source reachable-via rx
no ip redirects
no ip unreachables
no logging event link-status
no snmp trap link-status
no snmp ifindex persist
end
The logs show "AAA Unsupported Attr: interface [158] 11". Is
that related?
Is anyone else doing this?
Thanks,
Chris
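The debug output above is easier to reason about once it is split into per-packet attribute lists, so here is an added example (not from the post or from Radiator) that parses Cisco IOS `debug radius` lines, re-assembles values IOS prints as a hex dump on the following line (the way `Filter-Id` and the unsupported `interface` attribute appear above), lists the "AAA Unsupported Attr" warnings, and flags a `Filter-Id` [11] value with no `.in`/`.out` suffix, which is the form Cisco's IOS RADIUS attribute documentation gives for attribute 11. The sample input is constructed from the de-wrapped lines of the post; the function and class names are this example's own.

```python
"""Parse Cisco IOS `debug radius` output into per-packet attribute lists and
flag what a per-user ACL troubleshooter wants first: "AAA Unsupported Attr"
warnings and a Filter-Id [11] value without a .in/.out direction suffix.
Added example; names here are illustrative, not Radiator or IOS API names."""
import re
from dataclasses import dataclass, field


@dataclass
class Attribute:
    name: str
    attr_id: int
    length: int
    value: str


@dataclass
class Packet:
    code: str                                      # Access-Request, Access-Accept, ...
    attrs: list = field(default_factory=list)


@dataclass
class Parsed:
    packets: list = field(default_factory=list)
    unsupported: list = field(default_factory=list)   # attributes the NAS refused to act on


# Packet boundary: "Send Access-Request to ..." / "Received from id ..., Access-Accept, ..."
PACKET_RE = re.compile(r"RADIUS(?:\([0-9A-F]+\))?: (?:Send|Received from id).*?"
                       r"(Access-(?:Request|Accept|Reject|Challenge))")
UNSUPPORTED_RE = re.compile(r"AAA Unsupported Attr:\s+(?P<name>\S+)\s+\[(?P<id>\d+)\]\s+(?P<len>\d+)")
# "Name [id] len value"; the name may contain spaces or commas ("Vendor, Cisco", "Cisco AVpair")
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[^\[]+?)\s+\[(?P<id>\d+)\]\s+(?P<len>\d+)(?:\s+(?P<value>.*))?$")
# Hex-dump continuation line: "6D 79 66 69 6C 74 65 72   [myfilter]"
HEX_RE = re.compile(r"RADIUS:\s+(?P<hex>(?:[0-9A-F]{2}\s+)+)\[(?P<text>[^\]]*)\]\s*$")


def parse_debug_radius(text: str) -> Parsed:
    out = Parsed()
    current = None   # packet being filled
    pending = None   # attribute whose value IOS deferred to a hex-dump line
    for line in text.splitlines():
        m = UNSUPPORTED_RE.search(line)
        if m:
            pending = Attribute(m["name"], int(m["id"]), int(m["len"]), "")
            out.unsupported.append(pending)
            continue
        m = PACKET_RE.search(line)
        if m:
            current = Packet(m.group(1))
            out.packets.append(current)
            pending = None
            continue
        m = HEX_RE.search(line)
        if m and pending is not None:
            decoded = bytes.fromhex(m["hex"]).decode("ascii", errors="replace")
            # Trust the bytes; keep IOS's bracketed rendering only if the two disagree.
            pending.value = decoded if decoded == m["text"] else f"{decoded} [{m['text']}]"
            pending = None
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            attr = Attribute(m["name"].strip(), int(m["id"]), int(m["len"]), (m["value"] or "").strip())
            current.attrs.append(attr)
            pending = attr if not attr.value else None   # value may follow as a hex dump
    return out


def accept_attrs(parsed: Parsed) -> list:
    """(name, id, value) for every attribute in Access-Accept packets, in wire order."""
    return [(a.name, a.attr_id, a.value.strip('"'))
            for p in parsed.packets if p.code == "Access-Accept" for a in p.attrs]


def unsupported_attrs(parsed: Parsed) -> list:
    return [(a.name, a.attr_id, a.value) for a in parsed.unsupported]


def filter_id_without_direction(parsed: Parsed) -> list:
    """Filter-Id [11] values in Access-Accepts that carry no .in/.out suffix."""
    return [v for _, i, v in accept_attrs(parsed) if i == 11 and not re.search(r"\.(in|out)$", v)]


# Constructed sample: de-wrapped lines from the post, trimmed to the interesting ones.
SAMPLE = """\
126058: Sep 2 16:32:09 PDT: RADIUS:  AAA Unsupported Attr:   interface         [158] 11
126059: Sep 2 16:32:09 PDT: RADIUS:   31 2F 30 2F 30 2F 31 2E 33              [1/0/0/1.3]
126063: Sep 2 16:32:09 PDT: RADIUS(0920651A): Send Access-Request to 10.10.24.3:1645 id 1645/142, len 92
126064: Sep 2 16:32:09 PDT: RADIUS:  authenticator 3D 07 60 4D D7 4D 1C 35 - 31 D2 C5 B0 94 F7 C9 BB
126065: Sep 2 16:32:09 PDT: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
126066: Sep 2 16:32:09 PDT: RADIUS:  User-Name           [1]   10  "dsl-test"
126067: Sep 2 16:32:09 PDT: RADIUS:  CHAP-Password       [3]   19  *
126073: Sep 2 16:32:10 PDT: RADIUS: Received from id 1645/142 10.10.24.3:1645, Access-Accept, len 225
126075: Sep 2 16:32:10 PDT: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.254
126079: Sep 2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  56
126080: Sep 2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   50  "lcp:interface-config#2=ip unnumbered Loopback105"
126085: Sep 2 16:32:10 PDT: RADIUS:  Filter-Id           [11]  10
126086: Sep 2 16:32:10 PDT: RADIUS:   6D 79 66 69 6C 74 65 72              [myfilter]
126088: Sep 2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   18  "ip:vrf-id=TestCo"
"""

if __name__ == "__main__":
    parsed = parse_debug_radius(SAMPLE)
    for name, aid, value in unsupported_attrs(parsed):
        print(f"NAS ignored attribute {aid} ({name}): {value!r}")
    for name, aid, value in accept_attrs(parsed):
        print(f"Accept [{aid:>3}] {name:<18} {value}")
    for v in filter_id_without_direction(parsed):
        print(f"Filter-Id {v!r} has no .in/.out suffix (IOS documents attribute 11 as <acl>.in / <acl>.out)")
```

Run it against a full `debug radius` capture (paste it in place of `SAMPLE`, or read it from a file) to get the Access-Accept contents as a flat list; the "Vendor, Cisco [26]" container line is kept as its own entry so the byte lengths in the dump can still be checked against it. Note the unsupported attribute in the post is 158 (`interface`), sent by the NAS in its own request, so it is unrelated to what the server returns; the Filter-Id check is the caveat to look at first.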