[c-nsp] ASR 9010 BNG setup

Tom Chambers Tom.Chambers at kcom.com
Fri Apr 24 23:31:56 EDT 2020 

The attribute list there is to just accept the attributes from the RADIUS server defined in that list, if you don’t have one configured then the BNG will accept all from the RADIUS server.

You might want to use them depending on your setup; when an IOS-XR device receives an unsupported attribute from the RADIUS server it won’t authenticate the subscriber session and will remain down, whereas IOS-XE will ignore the unsupported attributes and authenticate the subscriber regardless.

You may find this interesting/useful https://community.cisco.com/t5/service-providers-documents/asr9000-xr-bng-deployment-guide/ta-p/3110436

Regards,
Tom

From: Scott Miller <fordlove at gmail.com>
Sent: 24 April 2020 23:24
To: Tom Chambers <Tom.Chambers at kcom.com>
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] ASR 9010 BNG setup

Ah, now that makes more sense.  Got it.  Clear as mud now.

aaa group server radius RADIUS_SERVER
 deadtime 40
 server-private xx.xx.xx.xx auth-port 1812 acct-port 1813
  key 7 xyzxyzxyz
 !

Another question.  The doc's talk about the attribute list.  Looks like they want them in some sort of access-list.  Is that correct?  On the 1002 we have no such access-list

Example:
SUMMARY STEPS
configure
aaa group server radius name
accounting accept radius_attribute_list_name
authorization reply accept radius_attribute_list_name


All we have on the 1002 is:
aaa group server radius RADIUS_SERVER
 server xx.xx.xx.xx auth-port 1812 acct-port 1813
!
aaa authentication login VTY_Auth_List group AAA_TACACs_Servers enable
aaa authentication login VTY_Auth_None none
aaa authentication ppp default group RADIUS_SERVER
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group RADIUS_SERVER
aaa authorization auth-proxy default group RADIUS_SERVER
aaa accounting send stop-record authentication failure
aaa accounting send stop-record always
aaa accounting delay-start
aaa accounting nested
aaa accounting update newinfo periodic 60
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group RADIUS_SERVER
aaa accounting connection default start-stop group RADIUS_SERVER
aaa accounting system default
 action-type start-stop
 group RADIUS_SERVER
!
aaa accounting resource default start-stop group RADIUS_SERVER
!
aaa server radius dynamic-author
 server-key 7 xyzxyzxyz
 port 3799
 auth-type any
!
Then a bba-group
sub interface layer 2 with vlan specified
virtual-template

and that's it.  If I'm making it out to be harder than it really is, just ignore me.  I'm still following the doc to get it set up.  Just jumping ahead and probably confusing myself.

Thanks,



On Fri, Apr 24, 2020 at 4:11 PM Tom Chambers <Tom.Chambers at kcom.com<mailto:Tom.Chambers at kcom.com>> wrote:
Hi,

The 'server x.x.x.x auth-port Y acct-port X' command in the RADIUS server group is looking for an already configured public (global) server, you'll need to configure the server globally using 'radius-server host x.x.x.x auth-port Y acct-port Z' for this to work.
Alternatively you could use 'server-private x.x.x.x auth-port Y acct-port Z' in the RADIUS server group, this will specify the server for just the group you are using and not require it to be in the global config as well.

Regards,
Tom
-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net<mailto:cisco-nsp-bounces at puck.nether.net>> On Behalf Of Scott Miller
Sent: 24 April 2020 20:21
To: cisco-nsp <cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>>
Subject: [c-nsp] ASR 9010 BNG setup

Hello all. We have an ASR9010 we're using as a PE router, and we'd like to migrate our PPPoE off of an ASR1002x onto the 9010.  Reading the documentation here:

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-4/bng/configuration/guide/b-bng-cg-asr9000-64x/b-bng-cg-asr9000-64x_chapter_011.html


 on the Configuring RADIUS Server Group section, I enter the following, but get an error:

RP/0/RSP0/CPU0:asbr1.kalhoc#config t
Fri Apr 24 13:13:47.801 MDT
RP/0/RSP0/CPU0:asbr1.kalhoc(config)#aaa group server radius RADIUS_SERVER RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)# deadtime 40 RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)# source-interface Loopback1 RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#server xx.xx.xx.xx auth-port
1812 acct-port 1813
RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#commit
Fri Apr 24 13:13:58.996 MDT

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#

if I remove the server IP line, it commits fine, but I can't add anything else under the  aaa group server radius RADIUS_SERVER config.  I see in the error it's an "inheritance" issue, but not seeing what I'm missing.
Following the doc top down.  And yes, Loopback1 does exist.

show config:
!
aaa group server radius RADIUS_SERVER
 deadtime 40
 source-interface Loopback1
!

Cisco ASR9010
Version 6.4.2
RSP440-SE
RP/0/RSP0/CPU0:asbr1.kalhoc#show install active Fri Apr 24 13:16:10.341 MDT Secure Domain Router: Owner

  Node 0/RSP0/CPU0 [RP] [SDR: Owner]
    Boot Device: disk0:
    Boot Image:
/disk0/asr9k-os-mbi-6.4.2.CSCvj68649-1.0.0/0x100305/mbiasr9k-rsp3.vm
    Active Packages:
      disk0:asr9k-services-infra-6.4.2
      disk0:asr9k-bng-px-6.4.2
      disk0:asr9k-doc-px-6.4.2
      disk0:asr9k-fpd-px-6.4.2
      disk0:asr9k-li-px-6.4.2
      disk0:asr9k-mcast-px-6.4.2
      disk0:asr9k-mgbl-px-6.4.2
      disk0:asr9k-mini-px-6.4.2
      disk0:asr9k-mpls-px-6.4.2
      disk0:asr9k-optic-px-6.4.2
      disk0:asr9k-services-px-6.4.2
      disk0:asr9k-video-px-6.4.2
      disk0:asr9k-k9sec-px-6.4.2
      disk0:asr9k-px-6.4.2.CSCvh04484-1.0.0
      disk0:asr9k-px-6.4.2.CSCvi41352-1.0.0
      disk0:asr9k-px-6.4.2.CSCvj53644-1.0.0
      disk0:asr9k-px-6.4.2.CSCvj60378-1.0.0
      disk0:asr9k-px-6.4.2.CSCvj68649-1.0.0
      disk0:asr9k-px-6.4.2.CSCvk28954-1.0.0
      disk0:asr9k-px-6.4.2.CSCvk68799-1.0.0
      disk0:asr9k-px-6.4.2.CSCvm95530-1.0.0
      disk0:asr9k-px-6.4.2.CSCvn15572-1.0.0
      disk0:asr9k-px-6.4.2.CSCvn20544-1.0.0
      disk0:asr9k-px-6.4.2.CSCvn71097-1.0.0
      disk0:asr9k-px-6.4.2.CSCvn81268-1.0.0
      disk0:asr9k-px-6.4.2.CSCvn92927-1.0.0
      disk0:asr9k-px-6.4.2.CSCvn95386-1.0.0
      disk0:asr9k-px-6.4.2.CSCvo03672-1.0.0
      disk0:asr9k-px-6.4.2.CSCvo42210-1.0.0
      disk0:asr9k-px-6.4.2.CSCvo43692-1.0.0
      disk0:asr9k-px-6.4.2.CSCvo47563-1.0.0
      disk0:asr9k-px-6.4.2.CSCvo48401-1.0.0
      disk0:asr9k-px-6.4.2.CSCvo64374-1.0.0
      disk0:asr9k-px-6.4.2.CSCvo90073-1.0.0
      disk0:asr9k-px-6.4.2.CSCvp25269-1.0.0
      disk0:asr9k-px-6.4.2.CSCvp52020-1.0.0
      disk0:asr9k-px-6.4.2.CSCvp53808-1.0.0
      disk0:asr9k-px-6.4.2.CSCvq07763-1.0.0
      disk0:asr9k-px-6.4.2.CSCvq08552-1.0.0
      disk0:asr9k-px-6.4.2.CSCvq27252-1.0.0
      disk0:asr9k-px-6.4.2.CSCvq41820-1.0.0
      disk0:asr9k-px-6.4.2.CSCvq55791-1.0.0
      disk0:asr9k-px-6.4.2.CSCvq61177-1.0.0
      disk0:asr9k-px-6.4.2.CSCvq75447-1.0.0
      disk0:asr9k-px-6.4.2.CSCvr23452-1.0.0
      disk0:asr9k-px-6.4.2.CSCvr29912-1.0.0
      disk0:asr9k-px-6.4.2.CSCvr58491-1.0.0
      disk0:asr9k-px-6.4.2.CSCvr62647-1.0.0
      disk0:asr9k-px-6.4.2.CSCvs00535-1.0.0
      disk0:asr9k-px-6.4.2.CSCvs03903-1.0.0

Any help in where I'm going wrong already would be greatly appreciated.

Scott
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net> https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




This email has been scanned for all viruses.

Please consider the environment before printing this email.

The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company or any of its subsidiaries or businesses in any contract or obligation, unless we have specifically agreed to be bound.

KCOM Group Limited is a private limited company incorporated in England and Wales, company number 02150618 and whose registered office is at 37 Carr Lane, Hull, HU1 3RE




This email has been scanned for all viruses.

Please consider the environment before printing this email.

The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company or any of its subsidiaries or businesses in any contract or obligation, unless we have specifically agreed to be bound.

KCOM Group Limited is a private limited company incorporated in England and Wales, company number 02150618 and whose registered office is at 37 Carr Lane, Hull, HU1 3RE

More information about the cisco-nsp mailing list