[c-nsp] Question about returning multiple un-numbered interface attributes via radius

Bryan Tabb bryan.tabb at nztechnologygroup.com
Tue Jan 23 15:23:12 EST 2018


Hi all

We have a mixture of BNGs, ASR9k and ASR1k, that use FreeRADIUS for AAA.

One of the differences between the models is the format for the unnumbered loopback attribute that comes from FreeRADIUS.

For the ASR9k the format is "ip:ipv4-unnumbered=Loopback2000"
For the ASR1k the format is "ip:ip-unnumbered=Loopback2000"

Does anyone see a problem with sending both via AV pairs when a user logs in?

The thought process being the ASR9k will ignore the ip:ip-unnumbered and process the ip:ipv4-unnumbered, and with the ASR1k vice versa.

E.g. from debug radius on the ASR1k:
Jan 24 09:10:30.784 NZDT: RADIUS:   Cisco AVpair       [1]   31  "ip:ip-unnumbered=Loopback2000"
Jan 24 09:10:30.784 NZDT: RADIUS:  Vendor, Cisco       [26]  39
Jan 24 09:10:30.784 NZDT: RADIUS:   Cisco AVpair       [1]   33  "ip:ipv4-unnumbered=Loopback2000"
Jan 24 09:10:30.784 NZDT: RADIUS(00000077): Received from id 1645/3
Jan 24 09:10:30.784 NZDT: RADIUS/DECODE: parse unknown cisco vsa "ipv4-unnumbered" - IGNORE

The attributes are part of radgroupreply.

Under normal operations users will be authenticating against their local BNG, but in a failure situation we would pseudowire the customers off to the next closest BNG, which may be a different model. If this were to occur I'm trying to avoid having to update radius for those users (so they get the correct attribute).

Or am I looking at this the wrong way and there is a much easier way?

Cheers

Bryan


