[c-nsp] Radius and choosing ip-local pool on 7600, PPP termination
Per Carlson
pelle at hemmop.com
Fri Sep 3 03:54:10 EDT 2010
> I can see in the tcpdump output from the server that it's sending
> 'Cisco-AVPair' to set the ip pool, and even the debug shows it, but no clue
> as to why it's not using it.
You have to tell the 7600 which VRF to use as well. We don't have any
7600/ES+ combos, but this works fine on a 7200. With some luck and
tail-wind, it might as well work on the 7600.

Config on 7200:

aaa group server radius USERS
 server-private <ip> auth-port 1812 acct-port 1813 key <key>
!
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback1
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.255
!
interface Virtual-Template1
 ppp authentication pap USERS
 ppp authorization USERS
!
ip local pool poolA 10.1.10.1 10.1.10.254
ip route vrf A 10.1.10.0 255.255.255.0 Null0

To get the user into VRF A, set local interface Lo1 and assign an
IP address from poolA, we send the following VSAs:

Cisco-AVpair ip:vrf-id=A
Cisco-AVpair ip:addr-pool=poolA
Cisco-AVpair ip:ip-unnumbered=Lo1

You need the "aaa authorization" statement in the Virtual-Template to
make the RADIUS-supplied VSAs override any configured defaults.

--
Pelle
RFC1925, truth 11:
Every old idea will be proposed again with a different name and
a different presentation, regardless of whether it works.
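
The three VSAs above as they look on the wire, as an added example that is not part of the original post: Python that encodes and decodes Cisco-AVPair (Vendor-Specific attribute 26, vendor 9, vendor type 1) and reports which of the post's three AV-pairs a RADIUS reply lacks. The function names and sample replies are constructed for illustration, and the decoder assumes one AV-pair per Vendor-Specific attribute.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's enterprise number
CISCO_AVPAIR = 1       # Cisco vendor type 1 (Cisco-AVPair)
REQUIRED = ("ip:vrf-id", "ip:addr-pool", "ip:ip-unnumbered")  # the post's three

def encode_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute."""
    data = value.encode("ascii")
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", CISCO_VENDOR_ID) + sub

def decode_avpairs(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return Cisco-AVPair key/value pairs."""
    pairs, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a VSA: skip it
        vendor = struct.unpack("!I", body[:4])[0]
        if (vendor != CISCO_VENDOR_ID or body[4] != CISCO_AVPAIR
                or body[5] != len(body) - 4):
            continue  # another vendor, another Cisco type, or several sub-attributes
        key, sep, val = body[6:].decode("ascii", "replace").partition("=")
        if sep:
            pairs[key] = val
    return pairs

def missing_for_vrf_pool(attrs: bytes) -> list:
    """Return which of the post's three AV-pairs are absent from the reply."""
    got = decode_avpairs(attrs)
    return [k for k in REQUIRED if k not in got]

# Constructed sample replies (attribute section only, not captured traffic).
POOL_ONLY = encode_avpair("ip:addr-pool=poolA")
FULL = b"".join(encode_avpair(v) for v in
                ("ip:vrf-id=A", "ip:addr-pool=poolA", "ip:ip-unnumbered=Lo1"))
# Framed-Protocol = PPP (type 7, length 6, value 1) prepended as a non-VSA attribute.
FULL_WITH_OTHER = bytes([7, 6, 0, 0, 0, 1]) + FULL

if __name__ == "__main__":
    print("pool only, missing:", missing_for_vrf_pool(POOL_ONLY))
    print("full reply, missing:", missing_for_vrf_pool(FULL_WITH_OTHER))
```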