[rbak-nsp] internal dhcp and global radius authentication (with dynamic clips)
misha at iim.pl
Wed Aug 11 18:21:28 EDT 2010
You're right!
Thanks!
> Hi Misha,
> Does your radius server send the context name ("BRAS") as an attribute to
> the redback in the access accept? If the answer is no, this is probably the
> issue. The redback router does not know that the dynamic clips subscriber
> should be bound to an interface in context BRAS. This is because the AAA
> username in dynamic clips is the end client MAC address (no domain).
>
> thanks
> sridhar
>
> On Wed, Aug 11, 2010 at 12:14 PM, <misha at iim.pl> wrote:
>
>>
>> I'm a beginner user of redback routers. For about 2 weeks I have been
>> trying to create a simple configuration but I still have problems.
>>
>> I want to create a BRAS context with an internal dhcp server and GLOBAL
>> radius authentication (radius client in context local).
>>
>> In the global section:
>> aaa global authentication radius context local
>>
>> in the context BRAS:
>> aaa authentication subscriber radius global
>> dhcp policy...
>>
>> in context local:
>> radius server 192.168... key flksjdkfjsdkf
>>
>> All the configuration is below... this configuration doesn't work, dynamic
>> clips are not created
>> BUT:
>> 1. communication with radius works fine (in the radius logs I see
>> ACCEPTED);
>> 2. When I turn off authentication in context BRAS (aaa authentication
>> subscriber none) - it works - so DHCP is working
>> 3. When I move the radius to the context BRAS (without global
>> authentication) - works! - so radius is working
>>
>> MK
>>
>>
>> Current configuration:
>> !
>> ! Configuration last changed by user 'misha' at Mon Aug 9 10:52:45 2010
>> !
>> !
>> !
>> !
>> !
>> aaa global authentication subscriber radius context local
>> !
>> !
>> service multiple-contexts
>> !
>> !
>> !
>> !
>> !
>> !
>>
>>
>> !
>> !
>> !
>> context local
>> !
>> ip domain-lookup
>> !
>> interface mgmt
>> ip address 192.168.2.9/24
>> logging console
>> !
>> aaa authentication administrator local
>> !
>> administrator leon encrypted 1 $1$........$5oNrzEf/HtcRZcaSZEVQa0
>> privilege start 15
>> privilege max 15
>> administrator misha encrypted 1 $1$........$t8SQPi4ZT/TyNvolUGhOv1
>> privilege start 10
>> privilege max 15
>> !
>> radius server 192.168.2.8 encrypted-key 64DAB7650584FA7D452BD158B882C838
>> !
>> ip route 0.0.0.0/0 192.168.2.254
>> service ssh server
>> !
>>
>>
>> !
>> context BRAS
>> !
>> description routing_context
>> !
>> no ip domain-lookup
>> !
>> interface LAN multibind
>> description BRAS LAN GW
>> ip address 83.142.199.193/26
>> dhcp server interface
>> ip arp proxy-arp
>> !
>> interface WAN
>> ip address 83.142.192.100/29
>> no logging console
>> !
>> aaa authentication administrator local
>> aaa authentication administrator maximum sessions 1
>> aaa authentication subscriber radius global
>> !
>> !
>> subscriber default
>> dhcp max-addrs 1
>> !
>> subscriber name 00:1F:F3:5B:67:40
>> !
>> ip route 0.0.0.0/0 83.142.192.102
>> no service ssh server
>> !
>> dhcp server policy
>> nak-on-subnet-deletion
>> option domain-name mi.pl
>> offer-lease-time 300
>> default-lease-time 900
>> maximum-lease-time 900
>> subnet 83.142.199.192/26
>> range 83.142.199.210 83.142.199.250
>> option domain-name-server 83.142.192.2
>>
>>
>> !
>> ! ** End Context **
>> logging tdm console
>> logging active
>> logging standby short
>> !
>> !
>> !
>> !Ethernet connectivity fault management configuration
>> !
>> !
>> !
>> port ethernet 1/1
>> ! XCRP management port on slot 1
>> no shutdown
>> bind interface mgmt local
>> !
>> card carrier 2
>> !
>> port ethernet 2/1
>> no shutdown
>> medium-type copper
>> encapsulation dot1q
>> dot1q pvc 2000 encapsulation multi
>> bind interface WAN BRAS
>> !
>> port ethernet 2/2
>> no shutdown
>> medium-type copper
>> encapsulation dot1q
>> dot1q pvc 15 encapsulation multi
>> service clips dhcp context BRAS
>> !
>> ssh server full-drop 10
>> !
>> ssh server rate-drop 50
>> !
>> ssh server start-drop 5
>> !
>> system hostname RedBack
>> !
>> no service console-break
>> !
>> service crash-dump-dram
>> !
>> no service auto-system-recovery
>> !
>> end
>> [local]RedBack#
>
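
The check suggested in the reply above, whether the Access-Accept carries the context name, can be done on a captured RADIUS reply. This is an added example, not code from the thread or from Redback: it assumes the context name is sent as the Redback vendor-specific attribute Context-Name (vendor 2352, type 4, as listed in FreeRADIUS's dictionary.redback), and the two sample packets are constructed.

```python
import struct

REDBACK_VENDOR_ID = 2352  # assumption: Redback enterprise number (FreeRADIUS dictionary.redback)
CONTEXT_NAME_TYPE = 4     # assumption: Context-Name sub-type from the same dictionary
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
ACCESS_ACCEPT = 2         # RFC 2865 packet code


def iter_tlvs(buf):
    """Yield (type, value) pairs from a run of 1-byte-type / 1-byte-length TLVs."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad attribute length")
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len


def context_name(packet):
    """Return the Context-Name carried in an Access-Accept, or None if absent."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    for a_type, value in iter_tlvs(packet[20:length]):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != REDBACK_VENDOR_ID:
            continue
        for sub_type, sub_value in iter_tlvs(value[4:]):
            if sub_type == CONTEXT_NAME_TYPE:
                return sub_value.decode("ascii", "replace")
    return None  # accepted, but nothing tells the router which context to bind in


def build_accept(attrs):
    """Build a constructed Access-Accept (zeroed authenticator) as sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: a reply with Service-Type only, and one naming context BRAS.
vsa = struct.pack("!I", REDBACK_VENDOR_ID) + bytes([CONTEXT_NAME_TYPE, 6]) + b"BRAS"
PLAIN_ACCEPT = build_accept([(6, struct.pack("!I", 2))])
BOUND_ACCEPT = build_accept([(6, struct.pack("!I", 2)), (VENDOR_SPECIFIC, vsa)])
```

A `None` result for a reply the server logged as accepted matches the symptom in the original post: authentication succeeds but no dynamic clips session is created.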