[rbak-nsp] problem of authentification on last-resort interface

Ian Calderbank ian at calderbankconsulting.co.uk
Sat Apr 17 15:41:27 EDT 2010


>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 17 Apr 2010 12:36:31 -0400
> From: "Greg GOUDOU" <greg.goudou at gmail.com>
> To: "'Denis Mikhaylovskiy'" <denis.mikhaylovskiy at ericsson.com>,
>        <redback-nsp at puck.nether.net>
> Subject: Re: [rbak-nsp] problem of authentification on last-resort
>        interface
> Message-ID: <4bc9e38f.9653f10a.3be1.ffffade6 at mx.google.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
> Thanks for your answer.
>
> I don't understand why, when I configure both interfaces as
> multibind (without last resort), neither client1 nor client2
> can authenticate.
>

Try debug aaa authentication; if that gives you no hint, send your full
config and the full show subscriber info. Don't hide the domain names or the
IPs. You probably have something missing that means you can't bind. A
domain name error is a common one, or maybe a RADIUS profile error. Someone
can spot it if you send the full information.


> Whereas when I configure one of them as multibind lastresort,
> both can authenticate, but they are bound to the same interface.
>
>
The last-resort interface is, by design, the last resort. There is only one
last resort; that's the whole point.

If you want them to bind to different interfaces, then you have to set their
IP addresses so that they match the addresses of the two different
interfaces (use non-loopback subscriber interfaces, with a netmask that
includes the subscriber IP).

That said, there isn't much reason to want two subscribers to bind to two
different interfaces in the same context. One binding interface does for 99%
of designs.

cheers
Ian

>
> Regards,
>
>
>
> Grégory
>
>
>
> From: Denis Mikhaylovskiy [mailto:denis.mikhaylovskiy at ericsson.com]
> Sent: Saturday, April 17, 2010 04:21
> To: 'greg.goudou at gmail.com'; 'redback-nsp at puck.nether.net'
> Subject: Re: [rbak-nsp] problem of authentification on last-resort interface
>
>
>
> Hi,
> It is not possible, by design, to have more than one last-resort interface
> in a context.
> Actually SmartEdge doesn't pass clients through multibind interfaces at all
> :).
>
> From the 'show subs active' output I can conclude that both clients got a
> fixed IP assignment from RADIUS. And I do not understand what the problem is.
>
>
> /denis
>
>  _____
>
> From: redback-nsp-bounces at puck.nether.net
> To: redback-nsp at puck.nether.net
> Sent: Fri Apr 16 11:22:01 2010
> Subject: [rbak-nsp] problem of authentification on last-resort interface
>
>
>
> Hi,
>
> I have a problem with a configuration. I cannot create, in the same context,
> 2 multibind last-resort interfaces.
>
> But I already have a PPPoE client connected in this context (we will
> call it "context A"). Below is its configuration:
>
> Context A vpn-rd XXXX:6
> interface Loop_client1 loopback
>  ip address A.B.C.D/32   (A.B.C.D/32 is a public IP address)
>
> interface PPP-client1 multibind lastresort
>  ip unnumbered Loop_client1
>
> The second client is configured as defined below:
>
> Context A vpn-rd XXXX:6
> interface Loop_client2 loopback
>  ip address A.B.F.G/32   (A.B.F.G/32 is a public IP address)
>
> interface PPP-client2 multibind
>  ip unnumbered Loop_client2
>
> When we verify the state of the clients' connections, we notice:
>
> For client 1:
> client1 at realm.xx
>        Agent Remote ID   "client1"
>        Circuit   4/8 vlan-id 426 pppoe 21240
>        Internal Circuit   4/8:1023:63/6/2/44395
>        Interface bound  PPP-client1
>        Current port-limit unlimited
>        context-name A (applied)
>        dns primary X.X.X.X (applied)
>        dns secondary Y.Y.Y.Y (applied)
>        ip address A.B.C.D (applied)
>        forward policy in FORWARD_FIRSTBOOT (applied)
>
> For client2, I receive this state of connection:
> client2 at realm.xx
>        Agent Remote ID   "Client2"
>        Circuit   4/8 vlan-id 401 pppoe 16731
>        Internal Circuit   4/8:1023:63/6/2/34556
>        Interface bound  PPP-client1
>        Current port-limit unlimited
>        context-name A (applied)
>        dns primary X.X.X.X (applied)
>        dns secondary Y.Y.Y.Y (applied)
>        ip address A.B.F.G (applied)
>        forward policy in FORWARD_FIRSTBOOT (applied)
>
> Therefore, I would like each of these clients to have a public IP
> address and pass through its own bound interface.
>
> If somebody has a solution, let me know.
>
> Regards,
>
> gOOdman
> ------------------------------
>
> Message: 2
> Date: Sat, 17 Apr 2010 13:14:41 -0400
> From: Denis Mikhaylovskiy <denis.mikhaylovskiy at ericsson.com>
> To: "'greg.goudou at gmail.com'" <greg.goudou at gmail.com>,
>        "'redback-nsp at puck.nether.net'" <redback-nsp at puck.nether.net>
> Subject: Re: [rbak-nsp] problem of authentification on last-resort
>        interface
> Message-ID:
>        <
> 2B6B8CA0ACA1B243820A777B0DBA53255007D5F86F at EUSAACMS0703.eamcs.ericsson.se>
>
> Content-Type: text/plain; charset="utf-8"
>
> I'm not 100% sure because the IP addressing is hidden in your config, but
> anyway...
> Your clients fail to bind without last-resort because the IP address given by
> RADIUS is not within the subnet of any 'normal' multibind interface of the
> context. If the IP address assignment comes from RADIUS, then SmartEdge does a
> lookup through the subnets of all multibind interfaces. If the lookup fails,
> then binding fails too until you have last-resort.
>
> HIH
> /denis
>
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
>
>
> End of redback-nsp Digest, Vol 28, Issue 15
> *******************************************
>
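
Added example, not part of the original thread and not SmartEdge code: a simplified Python model of the bind decision Denis describes (subnet lookup across the context's multibind interfaces, falling back to the single last-resort interface) and of the fix Ian suggests. The function names and all addresses are constructed for illustration, since the thread's real addressing is masked.

```python
import ipaddress

def select_binding(interfaces, radius_ip):
    """Pick the multibind interface for a RADIUS-assigned subscriber address.

    interfaces: list of (name, "addr/prefix", is_last_resort) for one context.
    Returns the interface name, or None when the bind fails.
    """
    last_resort = [name for name, _, is_lr in interfaces if is_lr]
    if len(last_resort) > 1:
        raise ValueError("only one last-resort interface is allowed per context")
    ip = ipaddress.ip_address(radius_ip)
    for name, cidr, _ in interfaces:
        # strict=False: "192.0.2.1/29" is an interface address, not a network address
        if ip in ipaddress.ip_network(cidr, strict=False):
            return name
    # Subnet lookup failed: fall back to the last-resort interface, if any
    return last_resort[0] if last_resort else None

def bind_all(interfaces, subscribers):
    """Map each subscriber to the interface it would bind to (None = bind fails)."""
    return {user: select_binding(interfaces, ip) for user, ip in subscribers.items()}

# Constructed sample data (documentation address ranges), hypothetical values
SUBSCRIBERS = {"client1": "192.0.2.2", "client2": "198.51.100.2"}

# /32 addressing that covers no subscriber address, one interface as last resort
WITH_LAST_RESORT = [
    ("PPP-client1", "192.0.2.1/32", True),
    ("PPP-client2", "198.51.100.1/32", False),
]
# Same addressing, both interfaces plain multibind
WITHOUT_LAST_RESORT = [(n, c, False) for n, c, _ in WITH_LAST_RESORT]
# Netmask widened so each interface subnet includes its subscriber address
SUBNETTED = [
    ("PPP-client1", "192.0.2.1/29", False),
    ("PPP-client2", "198.51.100.1/29", False),
]

if __name__ == "__main__":
    for label, cfg in [("with last-resort", WITH_LAST_RESORT),
                       ("without last-resort", WITHOUT_LAST_RESORT),
                       ("subnetted interfaces", SUBNETTED)]:
        print(f"{label}: {bind_all(cfg, SUBSCRIBERS)}")
```
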