[c-nsp] ASR 9010 BNG setup
Cassidy B. Larson
alandaluz at gmail.com
Mon Apr 27 13:07:52 EDT 2020
Anybody doing http redirect with BNG? Been trying to get a walled garden
for suspended users thrown together. Policy is applied, but traffic isnt
getting redirected.
On Mon, Apr 27, 2020 at 2:14 AM Brian Turnbow via cisco-nsp <
cisco-nsp at puck.nether.net> wrote:
>
>
>
> ---------- Forwarded message ----------
> From: Brian Turnbow <b.turnbow at twt.it>
> To: Scott Miller <fordlove at gmail.com>
> Cc: cisco-nsp <cisco-nsp at puck.nether.net>, Tom Chambers <
> Tom.Chambers at kcom.com>
> Bcc:
> Date: Mon, 27 Apr 2020 08:10:45 +0000
> Subject: RE: [c-nsp] ASR 9010 BNG setup
> Hi Scott
>
> Yes you need to check all your attributes being passed because they are
> different for the 9ks with respect to 1ks
> For example
> ip:ip-unnumbered=loopback 0 would need to be
> ipv4:ipv4-unnumbered=loopback 0
> to send routes you need to use framed-route and not cisco avpair ip:route
> and several others
> one that took us awhile to find was needing service-type outbound-user to
> set up l2tp tunnels out to some of our customers.
> And as Tom said if one attributes comes in that is not accepted the user
> will not come up.
> So make sure to test well
>
> Brian
>
> > -----Original Message-----
> > From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> > Tom Chambers
> > Sent: Saturday, April 25, 2020 5:32 AM
> > To: Scott Miller <fordlove at gmail.com>
> > Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> > Subject: Re: [c-nsp] ASR 9010 BNG setup
> >
> > The attribute list there is to just accept the attributes from the
> RADIUS server
> > defined in that list, if you don’t have one configured then the BNG will
> accept
> > all from the RADIUS server.
> >
> > You might want to use them depending on your setup; when an IOS-XR device
> > receives an unsupported attribute from the RADIUS server it won’t
> > authenticate the subscriber session and will remain down, whereas IOS-XE
> will
> > ignore the unsupported attributes and authenticate the subscriber
> regardless.
> >
> > You may find this interesting/useful
> https://community.cisco.com/t5/service-
> > providers-documents/asr9000-xr-bng-deployment-guide/ta-p/3110436
> >
> > Regards,
> > Tom
> >
> > From: Scott Miller <fordlove at gmail.com>
> > Sent: 24 April 2020 23:24
> > To: Tom Chambers <Tom.Chambers at kcom.com>
> > Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> > Subject: Re: [c-nsp] ASR 9010 BNG setup
> >
> > Ah, now that makes more sense. Got it. Clear as mud now.
> >
> > aaa group server radius RADIUS_SERVER
> > deadtime 40
> > server-private xx.xx.xx.xx auth-port 1812 acct-port 1813
> > key 7 xyzxyzxyz
> > !
> >
> > Another question. The doc's talk about the attribute list. Looks like
> they want
> > them in some sort of access-list. Is that correct? On the 1002 we have
> no
> > such access-list
> >
> > Example:
> > SUMMARY STEPS
> > configure
> > aaa group server radius name
> > accounting accept radius_attribute_list_name authorization reply accept
> > radius_attribute_list_name
> >
> >
> > All we have on the 1002 is:
> > aaa group server radius RADIUS_SERVER
> > server xx.xx.xx.xx auth-port 1812 acct-port 1813 !
> > aaa authentication login VTY_Auth_List group AAA_TACACs_Servers enable
> > aaa authentication login VTY_Auth_None none aaa authentication ppp
> default
> > group RADIUS_SERVER aaa authorization exec default group tacacs+ if-
> > authenticated aaa authorization network default group RADIUS_SERVER aaa
> > authorization auth-proxy default group RADIUS_SERVER aaa accounting send
> > stop-record authentication failure aaa accounting send stop-record always
> > aaa accounting delay-start aaa accounting nested aaa accounting update
> > newinfo periodic 60 aaa accounting exec default start-stop group tacacs+
> aaa
> > accounting commands 0 default start-stop group tacacs+ aaa accounting
> > commands 1 default start-stop group tacacs+ aaa accounting commands 15
> > default start-stop group tacacs+ aaa accounting network default
> start-stop
> > group RADIUS_SERVER aaa accounting connection default start-stop group
> > RADIUS_SERVER aaa accounting system default action-type start-stop
> group
> > RADIUS_SERVER !
> > aaa accounting resource default start-stop group RADIUS_SERVER !
> > aaa server radius dynamic-author
> > server-key 7 xyzxyzxyz
> > port 3799
> > auth-type any
> > !
> > Then a bba-group
> > sub interface layer 2 with vlan specified virtual-template
> >
> > and that's it. If I'm making it out to be harder than it really is,
> just ignore me.
> > I'm still following the doc to get it set up. Just jumping ahead and
> probably
> > confusing myself.
> >
> > Thanks,
> >
> >
> >
> > On Fri, Apr 24, 2020 at 4:11 PM Tom Chambers
> > <Tom.Chambers at kcom.com<mailto:Tom.Chambers at kcom.com>> wrote:
> > Hi,
> >
> > The 'server x.x.x.x auth-port Y acct-port X' command in the RADIUS server
> > group is looking for an already configured public (global) server,
> you'll need to
> > configure the server globally using 'radius-server host x.x.x.x
> auth-port Y acct-
> > port Z' for this to work.
> > Alternatively you could use 'server-private x.x.x.x auth-port Y
> acct-port Z' in
> > the RADIUS server group, this will specify the server for just the group
> you are
> > using and not require it to be in the global config as well.
> >
> > Regards,
> > Tom
> > -----Original Message-----
> > From: cisco-nsp <cisco-nsp-bounces at puck.nether.net<mailto:cisco-nsp-
> > bounces at puck.nether.net>> On Behalf Of Scott Miller
> > Sent: 24 April 2020 20:21
> > To: cisco-nsp <cisco-nsp at puck.nether.net<mailto:cisco-
> > nsp at puck.nether.net>>
> > Subject: [c-nsp] ASR 9010 BNG setup
> >
> > Hello all. We have an ASR9010 we're using as a PE router, and we'd like
> to
> > migrate our PPPoE off of an ASR1002x onto the 9010. Reading the
> > documentation here:
> >
> > https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-
> > 4/bng/configuration/guide/b-bng-cg-asr9000-64x/b-bng-cg-asr9000-
> > 64x_chapter_011.html
> >
> >
> > on the Configuring RADIUS Server Group section, I enter the following,
> but
> > get an error:
> >
> > RP/0/RSP0/CPU0:asbr1.kalhoc#config t
> > Fri Apr 24 13:13:47.801 MDT
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config)#aaa group server radius
> > RADIUS_SERVER RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)# deadtime
> > 40 RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)# source-interface
> > Loopback1 RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#server
> xx.xx.xx.xx
> > auth-port
> > 1812 acct-port 1813
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#commit
> > Fri Apr 24 13:13:58.996 MDT
> >
> > % Failed to commit one or more configuration items during a pseudo-atomic
> > operation. All changes made have been reverted. Please issue 'show
> > configuration failed [inheritance]' from this session to view the errors
> > RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#
> >
> > if I remove the server IP line, it commits fine, but I can't add
> anything else
> > under the aaa group server radius RADIUS_SERVER config. I see in the
> error
> > it's an "inheritance" issue, but not seeing what I'm missing.
> > Following the doc top down. And yes, Loopback1 does exist.
> >
> > show config:
> > !
> > aaa group server radius RADIUS_SERVER
> > deadtime 40
> > source-interface Loopback1
> > !
> >
> > Cisco ASR9010
> > Version 6.4.2
> > RSP440-SE
> > RP/0/RSP0/CPU0:asbr1.kalhoc#show install active Fri Apr 24 13:16:10.341
> > MDT Secure Domain Router: Owner
> >
> > Node 0/RSP0/CPU0 [RP] [SDR: Owner]
> > Boot Device: disk0:
> > Boot Image:
> > /disk0/asr9k-os-mbi-6.4.2.CSCvj68649-1.0.0/0x100305/mbiasr9k-rsp3.vm
> > Active Packages:
> > disk0:asr9k-services-infra-6.4.2
> > disk0:asr9k-bng-px-6.4.2
> > disk0:asr9k-doc-px-6.4.2
> > disk0:asr9k-fpd-px-6.4.2
> > disk0:asr9k-li-px-6.4.2
> > disk0:asr9k-mcast-px-6.4.2
> > disk0:asr9k-mgbl-px-6.4.2
> > disk0:asr9k-mini-px-6.4.2
> > disk0:asr9k-mpls-px-6.4.2
> > disk0:asr9k-optic-px-6.4.2
> > disk0:asr9k-services-px-6.4.2
> > disk0:asr9k-video-px-6.4.2
> > disk0:asr9k-k9sec-px-6.4.2
> > disk0:asr9k-px-6.4.2.CSCvh04484-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvi41352-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvj53644-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvj60378-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvj68649-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvk28954-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvk68799-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvm95530-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvn15572-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvn20544-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvn71097-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvn81268-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvn92927-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvn95386-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvo03672-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvo42210-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvo43692-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvo47563-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvo48401-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvo64374-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvo90073-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvp25269-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvp52020-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvp53808-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvq07763-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvq08552-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvq27252-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvq41820-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvq55791-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvq61177-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvq75447-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvr23452-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvr29912-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvr58491-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvr62647-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvs00535-1.0.0
> > disk0:asr9k-px-6.4.2.CSCvs03903-1.0.0
> >
> > Any help in where I'm going wrong already would be greatly appreciated.
> >
> > Scott
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net<mailto:cisco-
> > nsp at puck.nether.net> https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> >
> >
> > This email has been scanned for all viruses.
> >
> > Please consider the environment before printing this email.
> >
> > The content of this email and any attachment is private and may be
> > privileged. If you are not the intended recipient, any use, disclosure,
> copying
> > or forwarding of this email and/or its attachments is unauthorised. If
> you have
> > received this email in error please notify the sender by email and
> delete this
> > message and any attachments immediately. Nothing in this email shall bind
> > the Company or any of its subsidiaries or businesses in any contract or
> > obligation, unless we have specifically agreed to be bound.
> >
> > KCOM Group Limited is a private limited company incorporated in England
> > and Wales, company number 02150618 and whose registered office is at 37
> > Carr Lane, Hull, HU1 3RE
> >
> >
> >
> >
> > This email has been scanned for all viruses.
> >
> > Please consider the environment before printing this email.
> >
> > The content of this email and any attachment is private and may be
> > privileged. If you are not the intended recipient, any use, disclosure,
> copying
> > or forwarding of this email and/or its attachments is unauthorised. If
> you have
> > received this email in error please notify the sender by email and
> delete this
> > message and any attachments immediately. Nothing in this email shall bind
> > the Company or any of its subsidiaries or businesses in any contract or
> > obligation, unless we have specifically agreed to be bound.
> >
> > KCOM Group Limited is a private limited company incorporated in England
> > and Wales, company number 02150618 and whose registered office is at 37
> > Carr Lane, Hull, HU1 3RE
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
> ---------- Forwarded message ----------
> From: Brian Turnbow via cisco-nsp <cisco-nsp at puck.nether.net>
> To: Scott Miller <fordlove at gmail.com>
> Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> Bcc:
> Date: Mon, 27 Apr 2020 08:10:45 +0000
> Subject: Re: [c-nsp] ASR 9010 BNG setup
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list