[rbak-nsp] problem of authentification on last-resort interface

Denis Mikhaylovskiy denis.mikhaylovskiy at ericsson.com
Sat Apr 17 13:14:41 EDT 2010


I'm not 100% sure because IP addressing is hidden in your config, but anyway...
Your clients fail to bind without last-resort because the IP address given by RADIUS is not within the subnet of any of the 'normal' multibind interfaces of the context.
If IP address assignment comes from RADIUS, then SmartEdge does a lookup through the subnets of all multibind interfaces. If the lookup fails, then binding fails too, unless you have last-resort.

HIH
/denis

________________________________
From: Greg GOUDOU
To: Denis Mikhaylovskiy; redback-nsp at puck.nether.net
Sent: Sat Apr 17 11:36:31 2010
Subject: RE: [rbak-nsp] problem of authentification on last-resort interface
Hi
Thanks for your answer.
I don’t understand why, when I configure both interfaces as multibind (without last-resort), neither client1 nor client2 can authenticate.
Whereas when I configure one of them as multibind lastresort, both can authenticate, but they are bound to the same interface.

Regards,

Grégory

From: Denis Mikhaylovskiy [mailto:denis.mikhaylovskiy at ericsson.com]
Sent: Saturday 17 April 2010 04:21
To: 'greg.goudou at gmail.com'; 'redback-nsp at puck.nether.net'
Subject: Re: [rbak-nsp] problem of authentification on last-resort interface


Hi,
It is not possible, by design, to have more than one last-resort interface in a context.
Actually, SmartEdge doesn't pass clients through multibind interfaces at all :).

From the 'show subs active' output I can conclude that both clients got a fixed IP assignment from RADIUS. And I do not understand what the problem is.


/denis

________________________________
From: redback-nsp-bounces at puck.nether.net
To: redback-nsp at puck.nether.net
Sent: Fri Apr 16 11:22:01 2010
Subject: [rbak-nsp] problem of authentification on last-resort interface

Hi,

I have run into a problem with a configuration. I cannot create 2 multibind last-resort interfaces in the same context.
But I already have a PPPoE client connected in this context (we will call it “context A”). Below is its configuration:

Context A vpn-rd XXXX:6
interface Loop_client1 loopback
  ip address A.B.C.D/32
  ! A.B.C.D/32 is a public IP address

interface PPP-client1 multibind lastresort
 ip unnumbered Loop_client1

The second client is configured as shown below:

Context A vpn-rd XXXX:6
interface Loop_client2 loopback
  ip address A.B.F.G/32
  ! A.B.F.G/32 is a public IP address

interface PPP-client2 multibind
  ip unnumbered Loop_client2

When we verify the state of the clients' connections, we see:
For client 1:
client1 at realm.xx
        Agent Remote ID   "client1"
        Circuit   4/8 vlan-id 426 pppoe 21240
        Internal Circuit   4/8:1023:63/6/2/44395
        Interface bound  PPP-client1
        Current port-limit unlimited
        context-name A (applied)
        dns primary X.X.X.X (applied)
        dns secondary Y.Y.Y.Y (applied)
        ip address A.B.C.D (applied)
        forward policy in FORWARD_FIRSTBOOT (applied)

For client2, I receive this state of connection:
client2 at realm.xx
        Agent Remote ID   "Client2"
        Circuit   4/8 vlan-id 401 pppoe 16731
        Internal Circuit   4/8:1023:63/6/2/34556
        Interface bound  PPP-client1
        Current port-limit unlimited
        context-name A (applied)
        dns primary X.X.X.X (applied)
        dns secondary Y.Y.Y.Y (applied)
        ip address A.B.F.G (applied)
        forward policy in FORWARD_FIRSTBOOT (applied)

Therefore, I would like each of these clients to have a public IP address and to pass through its own bound interface.

If somebody has a solution, let me know.

Regards,

gOOdman


