[c-nsp] ASR1000 IOS XE / ISG L2 DHCP subscribers
Mark Tees
marktees at gmail.com
Wed Jan 8 00:22:03 EST 2020
Hi all,
Sorry about the delay.
I tried out returning RADIUS responses like this example and could
never get the returned attributes to work. Tried out multi service
interfaces and a few things with high levels of debugging etc could
find what was the show stopper.
The only thing that the ASR apeared to listen to was whether it was
access accept or reject.
I would like to be able to do Framed IP/Route/VRF.
This part I pulled from example in
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-16-10/isg-xe-16-10-book/isg-dhcp-radius-proxy.html
But converted to match things I had configured for IP/VRF etc.
Cleartext-Password := "cisco"
Service-Type = Framed-User,
Framed-IP-Address = 10.0.0.3,
Framed-IP-Netmask = 255.255.0.0,
Framed-Route += "192.0.2.1 255.255.255.0 203.0.113.1",
Cisco-AVPair += "ip:lease-duration=600",
Cisco-AVPair += "ip:default-ipv4-gateway=10.0.0.1",
Cisco-AVPair += "ip:primary-dns=10.40.0.1",
Cisco-AVPair += "ip:secondary-dns=10.0.0.2",
Cisco-AVPair += "ip:vrf-id=RED",
Cisco-AVPair += "subscriber:classname=dhcp-red-class",
I think I am missing a component of how ISG fits together with DHCP
RADIUS Proxy.
At present I am using the below config as a dynamic VLAN gateway for a
handful WISP CGN customers. We will be moving I believe to another
platform either Junos/XR or other that treats v4/v6 equally in this
aspect.
Have dropped off most of the config to the bits that seem relevant.
!
aaa new-model
!
!
aaa group server radius test-rad
server name rad1
server name rad2
server-private 1.1.1.1 auth-port 1812 acct-port 1813 key 7 x
server-private 1.1.1.1 auth-port 1812 acct-port 1813 key 7 x
ip radius source-interface x.x
!
aaa authentication login default local enable
aaa authentication login IPOE group test-rad
aaa authentication ppp test-rad if-needed group test-rad
aaa authorization exec default local group test-rad
aaa authorization network default group test-rad
aaa authorization network test-rad group test-rad
aaa authorization network IPOE group test-rad
aaa authorization configuration default group radius
aaa authorization configuration IA_PD group radius
aaa authorization subscriber-service default group test-rad
aaa authorization subscriber-service IPOE group test-rad
aaa accounting delay-start
aaa accounting update periodic 15
aaa accounting network default start-stop group test-rad
aaa accounting network test-rad start-stop group test-rad
aaa accounting network IPOE start-stop group test-rad
!
!
!
ip dhcp relay information trust-all
!
!
!
ip dhcp pool 10.18.0.0/16
network 10.18.0.0 255.255.0.0
default-router 10.18.0.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
!
subscriber service multiple-accept
subscriber service session-accounting
subscriber templating
!
!
!
!
class-map type traffic match-any tmap1
!
class-map type traffic match-any accounting
!
!
class-map type control match-all IP_UNAUTH_COND
match timer IP_UNAUTH_TIMER
match authen-status unauthenticated
!
policy-map type service radius-accounting
class type traffic accounting
accounting aaa list IPOE
!
!
!
policy-map type control IPOE_SANDPIT
class type control IP_UNAUTH_COND event timed-policy-expiry
10 service disconnect
!
class type control always event account-logon
10 authenticate aaa list IPOE
!
class type control always event session-start
10 authorize aaa list IPOE password cisco123 identifier circuit-id
50 set-timer IP_UNAUTH_TIMER 10
!
class type control always event account-logoff
10 service disconnect delay 5
!
class type control always event session-restart
10 authorize aaa list IPOE password cisco123 identifier circuit-id
50 set-timer IP_UNAUTH_TIMER 10
!
class type control always event access-reject
!
!
!
interface Loopback13
ip address 10.18.0.1 255.255.0.0
!
!
!
!
interface GigabitEthernet0/0/1
no ip address
speed 1000
no negotiation auto
cdp enable
!
interface GigabitEthernet0/0/1.31
description IPOE_TEST
encapsulation dot1Q 31 second-dot1q any
ip unnumbered Loopback13
service-policy type control IPOE_SANDPIT
ip subscriber l2-connected
initiator dhcp
!
!
!
radius-server attribute nas-port format d
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server attribute 31 append-circuit-id
radius-server configure-nas
radius-server retransmit 2
On Sun, 10 Nov 2019 at 03:06, James Bensley
<jwbensley+cisco-nsp at gmail.com> wrote:
>
> On Thu, 7 Nov 2019 at 07:18, Mark Tees <marktees at gmail.com> wrote:
> >
> > Hi listers,
> >
> > I was wondering if anyone out there has an example config of ISG L2 DHCP
> > subscribers with AAA controlled VRF membership. Happy to pay for it.
> > My next step is TAC.
> >
> > I have a basic setup working with a dynamic VLAN interface and IP pool
> > working with auth to RADIUS.
> >
> > What hasn't worked is getting ISG to listen to Framed-IP or AAA VRF config.
> >
> > I would like to be able to use AAA/RADIUS to direct sessions into a
> > VRF for CGN versus global IP access.
> >
> >
> > Thanks,
> >
> > Mark
>
>
> Hi Mark,
>
> What RADIUS attributes are you returning / have you tried to return
> which failed?
>
> Cheers,
> James.
--
Regards,
Mark Tees
More information about the cisco-nsp
mailing list