[c-nsp] Can Cisco be used for LAC features?
James Bensley
jwbensley at gmail.com
Wed Dec 10 12:38:23 EST 2014
I threw this issue out to the Cisco BBA mailing list too but that list
is much more scarcely used so I will re-post here:
I have read through the following pages, everything seems pretty
straightforward, however my lab LAC still isn't working correctly:
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/4675-vpdn-rad.html
http://www.cisco.com/c/en/us/support/docs/dial-access/virtual-private-dialup-network-vpdn/23981-l2tp-23981.html
http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/access-registrar/13835-multi-avpairs.html
http://www.ciscopress.com/articles/article.asp?p=422947&seqNum=8
I have a lab CPE, LAC and LNS. The lab LAC and LNS are both configured
to use the same lab RADIUS server which has a record for the domain
example.net (which I want the LAC to query) and a record for the user
(which I want the LNS to eventually query).
What happens is a PPPoE request comes in to the LAC from the CPE with
CHAP authentication containing hostname "testuser@example.net". The
LAC sends an access-request to the lab RADIUS server just for
"example.net", RADIUS responds with access-accept and the details to
initiate the L2TP tunnel to the LNS. Next the LAC sends in another
access-request for the full username "testuser@example.net" and the
RADIUS responds with the access-request and the user profile. The LAC
terminates the connection locally and it never gets forwarded on to
the LNS.
I'm a bit stumped as the config is so basic in those examples (they
are all also from 2006 and 2005 though!).
Cheers,
James.
LAC CONFIG (c7200-advipservicesk9-mz.152-4.M7.bin):
aaa new-model
!
aaa group server radius CUST-RAD
 server name radius1
 ip radius source-interface FastEthernet0/1
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
vpdn enable
vpdn multihop
bba-group pppoe global
 virtual-template 1
interface FastEthernet0/0
 description Link to LAB-CPE fa0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
!
interface FastEthernet0/1
 description Link to LAB-LNSfa0/1
 mtu 1530
 ip address 192.0.2.8 255.255.255.254
 duplex auto
 speed auto
!
interface Virtual-Template1
 description PPPoE for Wholesale-Customer-1
 no ip address
 no ip redirects
 no ip proxy-arp
 no logging event link-status
 no peer default ip address
 ntp disable
 keepalive 20 3
 ppp authentication pap chap
radius server radius1
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
 key 7 1234
RADIUS debug on LAC (freeradius 2.1.12):
*Dec 10 16:40:47.334: RADIUS(00000044): Send Access-Request to 192.0.2.1:1812 id 1645/51, len 84
*Dec 10 16:40:47.334: RADIUS: authenticator 45 D1 A3 05 FF E9 8F 81 - 78 49 4B DF B6 A3 3D F1
*Dec 10 16:40:47.334: RADIUS: User-Name [1] 13 "example.net"
*Dec 10 16:40:47.334: RADIUS: User-Password [2] 18 *
*Dec 10 16:40:47.334: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Dec 10 16:40:47.338: RADIUS: NAS-Port [5] 6 0
*Dec 10 16:40:47.338: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"
*Dec 10 16:40:47.338: RADIUS: Service-Type [6] 6 Outbound [5]
*Dec 10 16:40:47.338: RADIUS: NAS-IP-Address [4] 6 192.0.2.8
*Dec 10 16:40:47.338: RADIUS(00000044): Sending a IPv4 Radius Packet
*Dec 10 16:40:47.342: RADIUS(00000044): Started 5 sec timeout
*Dec 10 16:40:47.402: RADIUS: Received from id 1645/51 192.0.2.1:1812, Access-Accept, len 202
*Dec 10 16:40:47.410: RADIUS: authenticator 56 16 A4 6B EB 07 3C 6E - DF C8 0D 6D 55 47 1F 22
*Dec 10 16:40:47.410: RADIUS: Service-Type [6] 6 Outbound [5]
*Dec 10 16:40:47.418: RADIUS: Vendor, Cisco [26] 29
*Dec 10 16:40:47.418: RADIUS: Cisco AVpair [1] 23 "vpdn:tunnel-type=l2tp"
*Dec 10 16:40:47.430: RADIUS: Vendor, Cisco [26] 36
*Dec 10 16:40:47.434: RADIUS: Cisco AVpair [1] 30 "vpdn:tunnel-id=lns-provider1"
*Dec 10 16:40:47.438: RADIUS: Vendor, Cisco [26] 33
*Dec 10 16:40:47.442: RADIUS: Cisco AVpair [1] 27 "vpdn:ip-address=192.0.2.2"
*Dec 10 16:40:47.446: RADIUS: Vendor, Cisco [26] 32
*Dec 10 16:40:47.450: RADIUS: Cisco AVpair [1] 26 "vpdn:source-ip=192.0.2.8"
*Dec 10 16:40:47.454: RADIUS: Vendor, Cisco [26] 46
*Dec 10 16:40:47.458: RADIUS: Cisco AVpair [1] 40 *
*Dec 10 16:40:47.466: RADIUS(00000044): Received from id 1645/51
*Dec 10 16:40:47.598: RADIUS/ENCODE(00000044):Orig. component type = PPPoE
*Dec 10 16:40:47.602: RADIUS/ENCODE(00000044): Unsupported AAA attribute clid-mac-addr
*Dec 10 16:40:47.614: RADIUS: AAA Unsupported Attr: interface [221] 7 1790217048
*Dec 10 16:40:47.618: RADIUS: AAA Unsupported Attr: client-mac-address[44] 14 1790217100
*Dec 10 16:40:47.626: RADIUS(00000044): Config NAS IP: 192.0.2.8
*Dec 10 16:40:47.626: RADIUS(00000044): Config NAS IPv6: ::
*Dec 10 16:40:47.630: RADIUS/ENCODE(00000044): acct_session_id: 63
*Dec 10 16:40:47.634: RADIUS(00000044): sending
*Dec 10 16:40:47.650: RADIUS(00000044): Send Access-Request to 192.0.2.1:1812 id 1645/52, len 100
*Dec 10 16:40:47.654: RADIUS: authenticator E5 12 DB 6D EE C9 E3 4E - 1F 4C B8 7B 76 D2 C3 0E
*Dec 10 16:40:47.658: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Dec 10 16:40:47.662: RADIUS: User-Name [1] 22 "testuser@example.net"
*Dec 10 16:40:47.666: RADIUS: CHAP-Password [3] 19 *
*Dec 10 16:40:47.670: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Dec 10 16:40:47.674: RADIUS: NAS-Port [5] 6 0
*Dec 10 16:40:47.678: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"
*Dec 10 16:40:47.686: RADIUS: Service-Type [6] 6 Framed [2]
*Dec 10 16:40:47.690: RADIUS: NAS-IP-Address [4] 6 192.0.2.8
*Dec 10 16:40:47.698: RADIUS(00000044): Sending a IPv4 Radius Packet
*Dec 10 16:40:47.702: RADIUS(00000044): Started 5 sec timeout
*Dec 10 16:40:47.862: RADIUS: Received from id 1645/52 192.0.2.1:1812, Access-Accept, len 120
*Dec 10 16:40:47.862: RADIUS: authenticator 45 95 72 FE 30 81 EB 6F - F1 B3 79 70 A0 66 5C 56
*Dec 10 16:40:47.862: RADIUS: Service-Type [6] 6 Framed [2]
*Dec 10 16:40:47.862: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Dec 10 16:40:47.862: RADIUS: Framed-MTU [12] 6 1500
*Dec 10 16:40:47.862: RADIUS: Framed-IP-Address [8] 6 10.0.0.1
*Dec 10 16:40:47.862: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
*Dec 10 16:40:47.862: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
*Dec 10 16:40:47.862: RADIUS: Session-Timeout [27] 6 0
*Dec 10 16:40:47.862: RADIUS: Idle-Timeout [28] 6 300
*Dec 10 16:40:47.862: RADIUS: Vendor, Cisco [26] 52
*Dec 10 16:40:47.866: RADIUS: Cisco AVpair [1] 46 "lcp:interface-config=ip unnumbered Loopback0"
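Added example, not part of James's post and not Cisco or FreeRADIUS code: a small Python parser for the IOS "debug radius" output quoted above. It rejoins the lines the archive wrapped, drops the "LAC#" exec prompt that got spliced into the capture, groups attributes by RADIUS packet id into request/reply pairs, and then reads each pair the way the LAC does: the domain-only lookup ("example.net") must come back with a complete vpdn:* tunnel definition, and a reply to the full user name that carries Framed-IP-Address is a per-user profile, which is exactly the situation where the LAC terminates PPP locally instead of forwarding over L2TP. The embedded sample is a trimmed copy of the post's own debug lines (with the archive's " at " restored to "@"); the prompt name, the line shapes and the minimum set of tunnel keys are assumptions taken from what is visible in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the "debug radius" output quoted in the
# post, keeping the archive's line wrapping and the interleaved "LAC#" prompt.
SAMPLE_DEBUG = """\
*Dec 10 16:40:47.334: RADIUS(00000044): Send Access-Request to
192.0.2.1:1812 id 1645/51, len 84
*Dec 10 16:40:47.334: RADIUS: User-Name [1] 13 "example.net"
*Dec 10 16:40:47.402: RADIUS: Received from id 1645/51 192.0.2.1:1812,
Access-Accept, len 202
*Dec 10 16:40:47.418: RADIUS: Cisco AVpair [1] 23
"vpdn:tunnel-type=l2tp"
*Dec 10 16:40:47.434: RADIUS: Cisco AVpair [1] 30
"vpdn:tunnel-id=lns-provider1"
*Dec 10 16:40:47.442: RADIUS: Cisco AVpair [1] 27
"vpdn:ip-address=192.0.2.2"
*Dec 10 16:40:47.450: RADIUS: Cisco AVpair [1] 26
LAC# "vpdn:source-ip=192.0.2.8"
*Dec 10 16:40:47.650: RADIUS(00000044): Send Access-Request to
192.0.2.1:1812 id 1645/52, len 100
*Dec 10 16:40:47.662: RADIUS: User-Name [1] 22
"testuser@example.net"
*Dec 10 16:40:47.666: RADIUS: CHAP-Password [3] 19 *
*Dec 10 16:40:47.862: RADIUS: Received from id 1645/52 192.0.2.1:1812,
Access-Accept, len 120
*Dec 10 16:40:47.862: RADIUS: Framed-IP-Address [8] 6 10.0.0.1
*Dec 10 16:40:
LAC#47.862: RADIUS: Vendor, Cisco [26] 52
*Dec 10 16:40:47.866: RADIUS: Cisco AVpair [1] 46
"lcp:interface-config=ip unnumbered Loopback0"
"""

# Line shapes as they appear in the IOS "debug radius" output in the post (assumed).
SEND_RE = re.compile(r"RADIUS\(\w+\): Send Access-Request to \S+ id (?P<id>\d+/\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (?P<id>\d+/\d+) \S+,\s*(?P<code>Access-\w+)")
AVPAIR_RE = re.compile(r'RADIUS: Cisco AVpair \[1\] \d+ "(?P<val>[^"]*)"')
ATTR_RE = re.compile(r"RADIUS: (?P<name>[A-Za-z][\w-]*) \[\d+\] \d+ ?(?P<val>.*)$")
PROMPT_RE = re.compile(r"^\w+#\s*")  # exec prompt ("LAC#") spliced into the capture
TUNNEL_KEYS = ("tunnel-type", "tunnel-id", "ip-address")  # assumed minimum for L2TP

@dataclass
class Exchange:
    """One Access-Request plus the reply that carries the same RADIUS id."""
    ident: str
    request: List[Tuple[str, str]] = field(default_factory=list)
    reply: List[Tuple[str, str]] = field(default_factory=list)
    reply_code: str = ""

    def attr(self, name: str, side: str = "request") -> str:
        return dict(self.request if side == "request" else self.reply).get(name, "")

    def vpdn(self) -> Dict[str, str]:
        """The vpdn:* AVpairs in the reply, i.e. the tunnel definition."""
        pairs = (v[5:].partition("=") for n, v in self.reply
                 if n == "Cisco-AVpair" and v.startswith("vpdn:"))
        return {k: val for k, _, val in pairs}

def _logical_lines(text: str) -> List[str]:
    """Drop the spliced prompt and rejoin wrapped lines; every genuine
    debug line starts with a '*' timestamp, anything else is a continuation."""
    out: List[str] = []
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line:
            continue
        if line.startswith("*") or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def parse_debug(text: str) -> List[Exchange]:
    exchanges: Dict[str, Exchange] = {}
    current, side = None, "request"
    for line in _logical_lines(text):
        if m := SEND_RE.search(line):
            current = exchanges.setdefault(m["id"], Exchange(m["id"]))
            side = "request"
        elif (m := RECV_RE.search(line)) and m["id"] in exchanges:
            current, side = exchanges[m["id"]], "reply"
            current.reply_code = m["code"]
        elif current is not None and (m := AVPAIR_RE.search(line)):
            getattr(current, side).append(("Cisco-AVpair", m["val"]))
        elif current is not None and (m := ATTR_RE.search(line)):
            getattr(current, side).append((m["name"], m["val"].strip().strip('"')))
        # authenticator, "Vendor, Cisco" headers and ENCODE noise fall through
    return list(exchanges.values())

def classify(ex: Exchange) -> str:
    """A domain-only lookup must return a complete tunnel definition; a reply
    to user@domain carrying Framed-IP-Address is a per-user profile, so the
    LAC will terminate the PPP session itself rather than forward it."""
    if ex.reply_code != "Access-Accept":
        return "no-accept"
    if "@" not in ex.attr("User-Name"):
        missing = [k for k in TUNNEL_KEYS if k not in ex.vpdn()]
        return "tunnel-definition" if not missing else "incomplete-tunnel:" + ",".join(missing)
    return "local-termination" if ex.attr("Framed-IP-Address", "reply") else "user-accept"

def summarise(text: str) -> Dict[str, str]:
    return {ex.ident: classify(ex) for ex in parse_debug(text)}

if __name__ == "__main__":
    for ident, verdict in summarise(SAMPLE_DEBUG).items():
        print(ident, verdict)
```

Run against the sample it reports 1645/51 as tunnel-definition and 1645/52 as local-termination, which is the symptom described in the post: the domain lookup did return the tunnel, but the second lookup handed the LAC a Framed-IP-Address and it answered the PPP session itself. Feeding it a longer capture (paste the full debug into SAMPLE_DEBUG or read it from a file) gives one verdict per RADIUS id, so a missing vpdn:* key shows up as incomplete-tunnel:... rather than being buried in the attribute dump.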