Cisco ASR1002 and Freeradius 2.1.12 problems

Hello.


The ISP that I work at is using VXR7206 routers for PPPoE aggregation. The 7206s are connected to FreeRADIUS for AAA. I'm trying to add an ASR1002 with IOS XE 3.16.10S (asr1000rp1-adventerprise - latest) and for 2 days now I can't get it to work.

Here is my router configuration of ppp, aaa and radius:

 

aaa new-model
!
!
aaa group server radius RADIUS_SERVER
server name RADIUS
!
aaa authentication ppp Static_Users group RADIUS_SERVER
aaa authentication ppp WDSL_Users group RADIUS_SERVER
aaa authorization network RADIUS_SERVER group RADIUS_SERVER
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting update newinfo periodic 3
aaa accounting network RADIUS_SERVER start-stop group RADIUS_SERVER
aaa accounting connection RADIUS_SERVER start-stop group RADIUS_SERVER
!
aaa session-id common
clock timezone UTC 1 0
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00 1440
!
ip name-server 46.229.247.40 1.1.1.1 46.229.247.41

!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
redundancy
mode none
!
bba-group pppoe WDSL-Users
virtual-template 1
nas-port-id format c
sessions per-mac limit 1
sessions auto cleanup
!
bba-group pppoe Static-Users
virtual-template 2
nas-port-id format c
sessions per-mac limit 1
sessions auto cleanup
!
!
!
interface Loopback0
description ***core-ck***
ip address "public ip" 255.255.255.255
!
interface Port-channel1
no ip address
negotiation auto
hold-queue 225 in
!
interface Port-channel1.67
description Static-Users
encapsulation dot1Q 67
pppoe enable group Static-Users
!
interface Port-channel1.207
description PPPoE-WDSL-Users
encapsulation dot1Q 207
pppoe enable group WDSL-Users
pppoe max-sessions 800
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
channel-group 1 mode active
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
channel-group 1 mode active
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
description WDSL-Users
mtu 1492
ip unnumbered Loopback0
timeout absolute 1440 0
no peer default ip address
ppp authentication chap WDSL_Users
ppp authorization RADIUS_SERVER
ppp accounting RADIUS_SERVER
!
interface Virtual-Template2
description Static-Users
mtu 1492
ip unnumbered Loopback0
no peer default ip address
ppp authentication chap Static_Users
ppp authorization RADIUS_SERVER
ppp accounting RADIUS_SERVER
!
radius-server attribute 4 "loopback ip"
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
!
radius server RADIUS
address ipv4 10.0.101.20 auth-port 1812 acct-port 1813
key ***hiden***


In the RADIUS log I can see that users get "Login OK" and IP allocation, but a few seconds later I'm getting errors: "IP Allocation FAILED" and "stop packet with zero session length".


When I issue show aaa sessions I can see all my customers, but with IP Address: 0.0.0.0

Also, when I issue show subscriber session I get what is shown in the photo. The first and second commands were issued within 2 seconds. No one is able to connect to PPPoE.

Untitled.jpg


It is hard to debug this because at the same time more than 500 clients are trying to connect to PPPoE and the debug log is passing by like crazy.

It looks like the IP address can't be framed and users can't authenticate.


Help will be much appreciated.

16 REPLIES
Highlighted
VIP Mentor

Hi

You can use debug condition to filter your debugs but debugs will be very helpful to see what’s going on, if there are any unsupported features coming from the radius.
Can you share your radius config (remove any confidential data before sharing)?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

Hello.


Thank you for your answer. What part of freeradius configuration do you need?


Here is part of the debug radius log:

Jun  6 01:42:31.817: RADIUS(0000054C): Config NAS IPv6: ::
Jun  6 01:42:31.817: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Jun  6 01:42:31.817: RADIUS/ENCODE(0000054C): acct_session_id: 1346
Jun  6 01:42:31.817: RADIUS(0000054C): sending
Jun  6 01:42:31.818: RADIUS(0000054B): Send Access-Request to 10.0.101.20:1812 onvrf(0) id 1645/59, len 199
Jun  6 01:42:31.818: RADIUS:  authenticator EE 81 44 5F 69 F1 F1 59 - 34 F3 EF 8C D1 C6 19 DC
Jun  6 01:42:31.818: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jun  6 01:42:31.818: RADIUS:  User-Name           [1]   12  "username"
Jun  6 01:42:31.818: RADIUS:  CHAP-Password       [3]   19  *227"
Jun  6 01:42:31.818: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jun  6 01:42:31.818: RADIUS:  NAS-IP-Address      [4]   6   "publicIPofNAS
Jun  6 01:42:31.818: RADIUS:  Acct-Session-Id     [44]  10  "00000541"
Jun  6 01:42:31.818: RADIUS:  Nas-Identifier      [32]  8   "coreCK"
Jun  6 01:42:31.818: RADIUS:  Event-Timestamp     [55]  6   1591407751
Jun  6 01:42:31.818: RADIUS(0000054B): Sending a IPv4 Radius Packet
Jun  6 01:42:31.818: RADIUS(0000054B): Started 5 sec timeout
Jun  6 01:42:31.819: RADIUS(0000054C): Send Access-Request to 10.0.101.20:1812 onvrf(0) id 1645/60, len 196
Jun  6 01:42:31.819: RADIUS:  authenticator C4 07 6A B7 EF 3B 0B 74 - 34 F3 EF 8C 7D 8A CD 19
Jun  6 01:42:31.819: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jun  6 01:42:31.819: RADIUS:  User-Name           [1]   9   "username"
Jun  6 01:42:31.819: RADIUS:  CHAP-Password       [3]   19  *
Jun  6 01:42:31.819: RADIUS:  Calling-Station-Id  [31]  19  "c4-ad-34-81-fc-5e"
Jun  6 01:42:31.819: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jun  6 01:42:31.819: RADIUS:  NAS-Port            [5]   6   0
Jun  6 01:42:31.819: RADIUS:  NAS-Port-Id         [87]  34  "ether 0/0/0:4096.207 0/0/0/0/0/0"
Jun  6 01:42:31.819: RADIUS:  Vendor, Cisco       [26]  41
Jun  6 01:42:31.819: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=c4ad.3481.fc5e"
Jun  6 01:42:31.819: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jun  6 01:42:31.819: RADIUS:  NAS-IP-Address      [4]   6   "publicIPofNAS"
Jun  6 01:42:31.819: RADIUS:  Acct-Session-Id     [44]  10  "00000542"
Jun  6 01:42:31.819: RADIUS:  Nas-Identifier      [32]  8   "coreCK"
Jun  6 01:42:31.819: RADIUS:  Event-Timestamp     [55]  6   1591407751
Jun  6 01:42:31.819: RADIUS(0000054C): Sending a IPv4 Radius Packet
Jun  6 01:42:31.819: RADIUS(0000054C): Started 5 sec timeout
Jun  6 01:42:31.831: RADIUS/ENCODE(00000547):Orig. component type = PPPoE
Jun  6 01:42:31.831: RADIUS(00000547): Config NAS IPv6: ::
Jun  6 01:42:31.831: RADIUS(00000547): sending
Jun  6 01:42:31.831: RADIUS/ENCODE(00000546):Orig. component type = PPPoE
Jun  6 01:42:31.831: RADIUS(00000546): Config NAS IPv6: ::
Jun  6 01:42:31.831: RADIUS(00000546): sending
Jun  6 01:42:31.832: RADIUS/ENCODE(00000545):Orig. component type = PPPoE
Jun  6 01:42:31.832: RADIUS(00000545): Config NAS IPv6: ::
Jun  6 01:42:31.832: RADIUS(00000545): sending
Jun  6 01:42:31.832: RADIUS/ENCODE(00000544):Orig. component type = PPPoE
Jun  6 01:42:31.832: RADIUS(00000544): Config NAS IPv6: ::
Jun  6 01:42:31.832: RADIUS(00000544): sending
Jun  6 01:42:31.833: RADIUS(00000547): Send Accounting-Request to 10.0.101.20:1813 onvrf(0) id 1646/69, len 414
Jun  6 01:42:31.833: RADIUS:  authenticator E5 12 9E 23 99 33 0B 7D - F7 94 45 96 04 1D D8 6B
Jun  6 01:42:31.833: RADIUS:  Acct-Session-Id     [44]  10  "0000053D"
Jun  6 01:42:31.833: RADIUS:  Vendor, Cisco       [26]  53
Jun  6 01:42:31.833: RADIUS:   Cisco AVpair       [1]   47  "ppp-disconnect-cause=Lower Layer disconnected"
Jun  6 01:42:31.833: RADIUS:  User-Name           [1]   10  "username"
Jun  6 01:42:31.833: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Jun  6 01:42:31.833: RADIUS:  Vendor, Cisco       [26]  34
Jun  6 01:42:31.834: RADIUS:   Cisco AVpair       [1]   28  "connect-progress=Auth Open"
Jun  6 01:42:31.834: RADIUS:  Vendor, Cisco       [26]  31
Jun  6 01:42:31.834: RADIUS:   Cisco AVpair       [1]   25  "nas-tx-speed=2000000000"
Jun  6 01:42:31.834: RADIUS:  Vendor, Cisco       [26]  31
Jun  6 01:42:31.834: RADIUS:   Cisco AVpair       [1]   25  "nas-rx-speed=2000000000"
Jun  6 01:42:31.834: RADIUS:  Acct-Session-Time   [46]  6   0
Jun  6 01:42:31.834: RADIUS:  Acct-Input-Octets   [42]  6   0
Jun  6 01:42:31.834: RADIUS:  Acct-Output-Octets  [43]  6   0
Jun  6 01:42:31.834: RADIUS:  Acct-Input-Packets  [47]  6   0
Jun  6 01:42:31.834: RADIUS:  Acct-Output-Packets [48]  6   0
Jun  6 01:42:31.834: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
Jun  6 01:42:31.834: RADIUS:  Vendor, Cisco       [26]  39
Jun  6 01:42:31.834: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=Local Admin Disc"
Jun  6 01:42:31.834: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
Jun  6 01:42:31.834: RADIUS:  Calling-Station-Id  [31]  19  "00-50-7f-32-95-0d"
Jun  6 01:42:31.834: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jun  6 01:42:31.834: RADIUS:  NAS-Port            [5]   6   0
Jun  6 01:42:31.834: RADIUS:  NAS-Port-Id         [87]  34  "ether 0/0/0:4096.207 0/0/0/0/0/0"
Jun  6 01:42:31.834: RADIUS:  Vendor, Cisco       [26]  41
Jun  6 01:42:31.834: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=0050.7f32.950d"
Jun  6 01:42:31.834: RADIUS:  Service-Type        [6]   6   Framed
Jun  6 01:42:3
Jun  6 01:42:31.834: RADIUS:  Event-Timestamp     [55]  6   1591407751
Jun  6 01:42:31.834: R
Jun  6 01:42:31.834: RADIUS:  Acct-Delay-Time     [41]  6   0
Jun  6 01:42:31.834: RADIUS(00000547): Sending a IPv4 Radius Packet
Jun  6 01:42:31.834: RADIUS(00000547): Started 5 sec timeout
Jun  6 01:42:31.835: RADIUS(00000546): Send Accounting-Request to 10.0.101.20:1813 onvrf(0) id 1646/70, len 415
Jun  6 01:42:31.835: RADIUS:  authenticator 82 0B 8E E6 C0 02 F0 19 - 8B A2 D2 87 98 72 D4 5A
Jun  6 01:42:31.835: RADIUS:  Acct-Session-Id     [44]  10  "0000053C"
Jun  6 01:42:31.835: RADIUS:  Vendor, Cisco       [26]  53
Jun  6 01:42:31.835: RADIUS:   Cisco AVpair       [1]   47  "ppp-disconnect-cause=Lower Layer disconnected"
Jun  6 01:42:31.835: RADIUS:  User-Name           [1]   11  "username"
Jun  6 01:42:31.835: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Jun  6 01:42:31.835: RADIUS:  Vendor, Cisco       [26]  34
Jun  6 01:42:31.835: RADIUS:   Cisco AVpair       [1]   28  "connect-progress=Auth Open"
Jun  6 01:42:31.835: RADIUS:  Vendor, Cisco       [26]  31
Jun  6 01:42:31.835: RADIUS:  Vendor, Cisco       [26]  31  "nas-tx-speed=2000000000"
Jun  6 01:42:31.835: RADIUS:   Cisco AVpair
Jun  6 01:42:3
Jun  6 01:42:31.835: RADIUS:  Acct-Input-Octets   [42]  6   0
Jun  6 01:42:31.835: RADIUS:  Acct-Output-Octets  [43]  6   0
Jun  6 01:42:31.835: RADIUS:  Acct-Input-Packets  [47]  6   0
Jun  6 01:42:31.835: RADIUS:  Acct-Output-Packets [48]  6   0
Jun  6 01:42:31.835: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
Jun  6 01:42:31.835: RADIUS:  Vendor, Cisco       [26]  39
Jun  6 01:42:31.835: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=Local Admin Disc"
Jun  6 01:42:31.835: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
Jun  6 01:42:31.835: RADIUS:  Calling-Station-Id  [31]  19  "00-0c-42-9a-4a-c3"
Jun  6 01:42:31.835: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jun  6 01:42:31.835: RADIUS:  NAS-Port            [5]   6   0
Jun  6 01:42:31.835: RADIUS:  NAS-Port-Id         [87]  34  "ether 0/0/0:4096.207 0/0/0/0/0/0"
Jun  6 01:42:31.835: RADIUS:  Vendor, Cisco       [26]  41
Jun  6 01:42:31.835: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=000c.429a.4ac3"
Jun  6 01:42:31.835: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jun  6 01:42:31.835: RADIUS:  NAS-IP-Address      [4]   6   "publicIPofNAS"
Jun  6 01:42:31.835: RADIUS:  Event-Timestamp     [55]  6   1591407751
Jun  6 01:42:31.835: RADIUS:  Nas-Identifier      [32]  8   "coreCK"
Jun  6 01:42:31.835: RADIUS:  Acct-Delay-Time     [41]  6   0
Jun  6 01:42:31.835: RADIUS(00000546): Sending a IPv4 Radius Packet
Jun  6 01:42:31.836: RADIUS(00000546): Started 5 sec timeout
Jun  6 01:42:31.836: RADIUS(00000545): Send Accounting-Request to 10.0.101.20:1813 onvrf(0) id 1646/71, len 412
Jun  6 01:42:31.836: RADIUS:  authenticator 9B 15 B3 54 95 23 70 B5 - 30 CB 9A 53 E6 D2 67 FA
Jun  6 01:42:31.836: RADIUS:  Acct-Session-Id     [44]  10  "0000053B"
Jun  6 01:42:31.836: RADIUS:  Vendor, Cisco       [26]  53
Jun  6 01:42:31.836: RADIUS:   Cisco AVpair       [1]   47  "ppp-disconnect-cause=Lower Layer disconnected"
Jun  6 01:42:31.836: RADIUS:  User-Name           [1]   8   "username"
Jun  6 01:42:31.836: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Jun  6 01:42:31.836: RADIUS:  Vendor, Cisco       [26]  34
Jun  6 01:42:31.836: RADIUS:   Cisco AVpair       [1]   28
Jun  6 01:42:3
Jun  6 01:42:31.836: RADIUS:   Cisco AVpair       [1]   25  "nas-tx-speed=2000000000"
Jun  6 01:42:31.836: RADIUS:  Vendor, Cisco       [26]  31
Jun  6 01:42:31.836: RADIUS:   Cisco AVpair       [1]   25  "nas-rx-speed=2000000000"
Jun  6 01:42:31.836: RADIUS:  Acct-Session-Time   [46]  6   0
Jun  6 01:42:31.836: RADIUS:  Acct-Input-Octets   [42]  6   0
Jun  6 01:42:31.836: RADIUS:  Acct-Output-Octets  [43]  6   0
Jun  6 01:42:31.836: RADIUS:  Acct-Input-Packets  [47]  6   0
Jun  6 01:42:31.836: RADIUS:  Acct-Output-Packets [48]  6   0
Jun  6 01:42:31.836: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
Jun  6 01:42:31.836: RADIUS:  Vendor, Cisco       [26]  39
Jun  6 01:42:31.836: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=Local Admin Disc"
Jun  6 01:42:31.836: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
Jun  6 01:42:31.836: RADIUS:  Calling-Station-Id  [31]  19  "ac-84-c6-c3-c2-65"
Jun  6 01:42:31.836: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jun  6 01:42:31.836: RADIUS:  NAS-Port            [5]   6   0
Jun  6 01:42:31.837: RADIUS:  NAS-Port-Id         [87]  34  "ether 0/0/0:4096.207 0/0/0/0/0/0"
Jun  6 01:42:31.837: RADIUS:  Vendor, Cisco       [26]  41
Jun  6 01:42:31.837: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=ac84.c6c3.c265"
Jun  6 01:42:31.837: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jun  6 01:42:31.837: RADIUS:  NAS-IP-Address      [4]   6   "publicIPofNAS"
Jun  6 01:42:31.837: RADIUS:  Event-Timestamp     [55]  6   1591407751
Jun  6 01:42:31.837: RADIUS:  Nas-Identifier      [32]  8   "coreCK"
Jun  6 01:42:31.837: RADIUS:  Acct-Delay-Time     [41]  6   0
Jun  6 01:42:31.837: RADIUS(00000545): Sending a IPv4 Radius Packet
Jun  6 01:42:31.818: RADIUS:  Calling-Station-Id  [31]  19  "d4-ca-6d-1b-52-27"
Jun  6 01:42:31.818: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jun  6 01:42:31.818: RADIUS:  NAS-Port            [5]   6   0
Jun  6 01:42:31.818: RADIUS:  NAS-Port-Id         [87]  34  "ether 0/0/0:4096.207 0/0/0/0/0/0"
Jun  6 01:42:31.818: RADIUS:  Vendor, Cisco       [26]  41
Jun  6 01:42:31.818: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=d4ca.6d1b.5
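To pick the zero-length Stop records out of a busy debug radius capture like the one above, here is an added Python example (not part of the original thread). It groups the per-attribute debug lines into packets and flags Accounting-Request Stop packets whose Acct-Session-Time is 0; the sample log is constructed to mirror the thread's output.

```python
"""Flag accounting Stop records with zero session length in Cisco 'debug radius' output.

Added example, not from the original thread. Attribute type numbers in the
constructed sample are the standard RADIUS ones (Framed-IP-Address is type 8).
"""
import re

# A packet starts with "RADIUS(<handle>): Send <kind> to <server> ..." and
# ends with "RADIUS(<handle>): Sending a IPv4 Radius Packet".
HEADER_RE = re.compile(
    r"RADIUS\((?P<handle>[0-9A-Fa-f]+)\): Send (?P<kind>[\w-]+) to (?P<server>\S+)")
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>Cisco AVpair|[\w-]+)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<raw>.*)$")
END_RE = re.compile(r"RADIUS\([0-9A-Fa-f]+\): Sending a IPv4 Radius Packet")

# Constructed sample: one Stop with zero counters and no Framed-IP-Address
# (as in the thread), followed by a healthy Start for another session.
SAMPLE_LOG = """\
Jun  6 01:42:31.833: RADIUS(00000547): Send Accounting-Request to 10.0.101.20:1813 onvrf(0) id 1646/69, len 414
Jun  6 01:42:31.833: RADIUS:  Acct-Session-Id     [44]  10  "0000053D"
Jun  6 01:42:31.833: RADIUS:  Vendor, Cisco       [26]  53
Jun  6 01:42:31.833: RADIUS:   Cisco AVpair       [1]   47  "ppp-disconnect-cause=Lower Layer disconnected"
Jun  6 01:42:31.833: RADIUS:  User-Name           [1]   10  "username"
Jun  6 01:42:31.834: RADIUS:  Acct-Session-Time   [46]  6   0
Jun  6 01:42:31.834: RADIUS:  Acct-Input-Octets   [42]  6   0
Jun  6 01:42:31.834: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
Jun  6 01:42:31.834: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
Jun  6 01:42:31.834: RADIUS:  Calling-Station-Id  [31]  19  "00-50-7f-32-95-0d"
Jun  6 01:42:31.834: RADIUS(00000547): Sending a IPv4 Radius Packet
Jun  6 01:42:35.001: RADIUS(00000550): Send Accounting-Request to 10.0.101.20:1813 onvrf(0) id 1646/72, len 300
Jun  6 01:42:35.001: RADIUS:  Acct-Session-Id     [44]  10  "00000560"
Jun  6 01:42:35.001: RADIUS:  Framed-IP-Address   [8]   6   192.0.2.10
Jun  6 01:42:35.001: RADIUS:  User-Name           [1]   11  "otheruser"
Jun  6 01:42:35.001: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Jun  6 01:42:35.001: RADIUS(00000550): Sending a IPv4 Radius Packet
"""


def _clean_value(raw):
    """Quoted strings lose their quotes; enumerated values such as
    'Stop   [2]' keep only the symbolic name."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.rfind('"')
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split()[0] if raw else ""


def parse_debug_radius(text):
    """Group debug lines into packets: {'handle', 'kind', 'server', 'attrs'}."""
    packets, current = [], None
    for line in text.splitlines():
        head = HEADER_RE.search(line)
        if head:
            current = {"handle": head["handle"], "kind": head["kind"],
                       "server": head["server"], "attrs": []}
            packets.append(current)
            continue
        if current is None:
            continue
        if END_RE.search(line):
            current = None
            continue
        m = ATTR_RE.search(line)
        if m:
            current["attrs"].append((m["name"], _clean_value(m["raw"])))
    return packets


def attr(packet, name):
    """First value of a plain attribute, or None."""
    return next((v for n, v in packet["attrs"] if n == name), None)


def avpair(packet, key):
    """Value of the Cisco AVpair 'key=value', or None."""
    for n, v in packet["attrs"]:
        if n == "Cisco AVpair" and v.startswith(key + "="):
            return v[len(key) + 1:]
    return None


def zero_length_stops(packets):
    """Accounting Stops with Acct-Session-Time 0: the sessions that never came up."""
    findings = []
    for p in packets:
        if p["kind"] != "Accounting-Request" or attr(p, "Acct-Status-Type") != "Stop":
            continue
        if attr(p, "Acct-Session-Time") != "0":
            continue
        findings.append({
            "handle": p["handle"],
            "session": attr(p, "Acct-Session-Id"),
            "user": attr(p, "User-Name"),
            "framed_ip": attr(p, "Framed-IP-Address"),   # None: no address was ever framed
            "cause": avpair(p, "ppp-disconnect-cause"),
            "terminate_cause": attr(p, "Acct-Terminate-Cause"),
        })
    return findings


if __name__ == "__main__":
    for f in zero_length_stops(parse_debug_radius(SAMPLE_LOG)):
        print(f)
```

Feed it the saved output of a debug radius session (for example via a terminal log) instead of SAMPLE_LOG to get a per-session list of the zero-length Stops with their disconnect cause.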


Highlighted

I wanted to see all the attributes you're returning to the ASR. Also, can you run the debug on the ASR itself? I believe there's 1 attribute it doesn't like or is interpreting badly.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

Hello.


In my previous reply I added debug radius from the ASR. Last night I tried downgrading the software version from 15.5 to 15.2 to see if that helps. It does not.

What I saw with the debug radius command is that at first customers are authenticated and they get an IP address from the pool. There are acct-in/out-octets and acct-in/out-packets but all are "0", and immediately after that all of them are disconnected and no one can get a Framed-IP anymore.


Here is debug ppp negotiation from last night:

PPP: Using vpn set call direction
PPP: Treating connection as a callin
PPP: Session handle[E50002DA] Session id[711]
LCP: Event[OPEN] State[Initial to Starting]
LCP: Enter passive mode, state[Stopped]
PPP: Phase is FORWARDING, Attempting Forward
PPP DISC: Lower Layer disconnected
PPP: Sending Acct Event[Down] id[1390]
PPP: NET STOP send to AAA.
CHAP: O FAILURE id 1 len 26 msg is "Authentication failure"
LCP: O TERMREQ [Open] id 2 len 4
LCP: Event[CLOSE] State[Open to Closing]
PPP: Phase is TERMINATING

Here is debug radius:

Jun 15 21:46:01.001: RADIUS(00006EE5): Received from id 1645/91
Jun 15 21:46:01.001: RADIUS(00006EC1): Sending a IPv4 Radius Packet
Jun 15 21:46:01.001: RADIUS(00006EC1): Send Accounting-Request to 10.0.101.20:1813 id 1646/179,len 441
Jun 15 21:46:01.001: RADIUS:  authenticator 21 9B 9F E9 DD 5F 2F AD - 4E 72 AF 73 84 62 E8 AB
Jun 15 21:46:01.001: RADIUS:  Acct-Session-Id     [44]  10  "00007619"
Jun 15 21:46:01.001: RADIUS:  Vendor, Cisco       [26]  53
Jun 15 21:46:01.001: RADIUS:   Cisco AVpair       [1]   47  "ppp-disconnect-cause=Lower Layer disconnected"
Jun 15 21:46:01.001: RADIUS:  User-Name           [1]   11  "username"
Jun 15 21:46:01.001: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Jun 15 21:46:01.001: RADIUS:  Vendor, Cisco       [26]  34
Jun 15 21:46:01.001: RADIUS:   Cisco AVpair       [1]   28  "connect-progress=Auth Open"
Jun 15 21:46:01.001: RADIUS:  Vendor, Cisco       [26]  31
Jun 15 21:46:01.001: RADIUS:   Cisco AVpair       [1]   25  "nas-tx-speed=2000000000"
Jun 15 21:46:01.001: RADIUS:  Vendor, Cisco       [26]  31
Jun 15 21:46:01.001: RADIUS:   Cisco AVpair       [1]   25  "nas-rx-speed=2000000000"
Jun 15 21:46:01.001: RADIUS:  Acct-Session-Time   [46]  6   0
Jun 15 21:46:01.001: RADIUS:  Acct-Input-Octets   [42]  6   0
Jun 15 21:46:01.002: RADIUS:  Acct-Output-Octets  [43]  6   0
Jun 15 21:46:01.002: RADIUS:  Acct-Input-Packets  [47]  6   0
Jun 15 21:46:01.002: RADIUS:  Acct-Output-Packets [48]  6   0
Jun 15 21:46:01.002: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
Jun 15 21:46:01.002: RADIUS:  Vendor, Cisco       [26]  39
Jun 15 21:46:01.002: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=Local Admin Disc"
Jun 15 21:46:01.002: RADIUS:  Acct-Status-Type    [40]  6   7]  34  "ether 0/0/0:4096.207 0/0/0/0/0/0"
Jun 15 21:46:01.002: RADIUS:  Vendor, Cisco       [26]  41
Jun 15 21:46:01.002: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=fc75.1698.33b1"
Jun 15 21:46:01.002: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jun 15 21:46:01.002: RADIUS:  NAS-IP-Address      [4]   6   NASIP
Jun 15 21:46:01.002: RADIUS:  Acct-Delay-Time     [41]  6   0

Here is show aaa servers:

RADIUS: id 1, priority 1, host 10.0.101.20, auth-port 1812, acct-port 1813
     State: current UP, duration 776s, previous duration 0s
     Dead: total time 0s, count 1
     Quarantined: No
     Authen: request 15978, timeouts 164, failover 0, retransmission 137
             Response: accept 15813, reject 0, challenge 0
             Response: unexpected 14, server error 0, incorrect 0, time 121ms
             Transaction: success 15813, failure 27
             Throttled: transaction 0, timeout 0, failure 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Account: request 142, timeouts 29, failover 0, retransmission 29
             Request: start 1, interim 1, stop 111
             Response: start 1, interim 1, stop 111
             Response: unexpected 20, server error 0, incorrect 0, time 621ms
             Transaction: success 113, failure 0
             Throttled: transaction 0, timeout 0, failure 0
     Elapsed time since counters last cleared: 10h2m
     Estimated Outstanding Access Transactions: 1
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Requests per minute past 24 hours:
             high - 0 hours, 1 minutes ago: 1371
             low  - 10 hours, 2 minutes ago: 0
             average: 25


Also I'm attaching radius files. 

Highlighted

I don’t have an asr but can test it this weekend with a csr.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

I've managed to set up a lab with FreeRADIUS 3.0.17 and I got it to work.

After that I put the ASR back into the real working environment and investigated further. In FreeRADIUS debug mode I saw that a customer is allocated with, let's say, the 192.168.100.125 IP address, but in the SQL radippool I see multiple IP addresses assigned to that customer and none of those IPs is 192.168.100.125. Some customers had more than 10 IPs assigned but no one got the actual IP from the pool. Requests are being stopped because there were no IPs left in the pool.

Highlighted

Hi


Tested with freeradius 3.0 and CSR1k.

I went with a quick and dirty config, just to test your Cisco config, which looked ok.

I don't have any SQL linked with my freeradius.

I used a freeradius docker from scratch with no config and added the following.

On clients.conf


client MyRTR {
	ipaddr = 172.16.1.231
	secret = cisco123
	nastype = cisco
}

On Users file


testppp Auth-Type := CHAP, Cleartext-Password := "cisco123"
	User-Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Address = 40.40.40.110

On my PPPoE server router, I put your exact config shared on your 1st post, with only the bba-group WDSL-Users.


On my PPPoE client, a very quick and dirty config:


PPP-CLT(config-if)#do sh run int e0/0
Building configuration...

Current configuration : 104 bytes
!
interface Ethernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
end

PPP-CLT(config-if)#do sh run int dialer 1
Building configuration...

Current configuration : 149 bytes
!
interface Dialer1
 mtu 1492
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap hostname testppp
 ppp chap password 0 cisco123
end

Freeradius debug logs when Dialer 1 comes up from PPPoE Client:

START PPPOE CLIENT

(0) Received Access-Request Id 2 from 172.16.1.231:1645 to 10.100.99.156:1812 length 128
(0)   Framed-Protocol = PPP
(0)   User-Name = "testppp"
(0)   CHAP-Password = 0x0100c3ffeb2c283e309ffe206732000953
(0)   NAS-Port-Type = Virtual
(0)   NAS-Port = 0
(0)   NAS-Port-Id = "0/0/0/0"
(0)   Cisco-AVPair = "client-mac-address=aabb.cc00.0200"
(0)   Service-Type = Framed-User
(0)   NAS-IP-Address = 172.16.1.231
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) chap:   &control:Auth-Type := CHAP
(0)     [chap] = ok
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testppp", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry testppp at line 154
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: Auth-Type already set.  Not setting to PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "testppp" authenticated successfully
(0)     [chap] = ok
(0)   } # Auth-Type CHAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 2 from 10.100.99.156:1812 to 172.16.1.231:1645 length 0
(0)   User-Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   Framed-Address = 40.40.40.110
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Accounting-Request Id 4 from 172.16.1.231:1646 to 10.100.99.156:1813 length 178
(1)   Acct-Session-Id = "00000FA8"
(1)   Framed-Protocol = PPP
(1)   Framed-IP-Address = 40.40.40.110
(1)   User-Name = "testppp"
(1)   Cisco-AVPair = "connect-progress=LAN Ses Up"
(1)   Acct-Authentic = RADIUS
(1)   Acct-Status-Type = Start
(1)   NAS-Port-Type = Virtual
(1)   NAS-Port = 0
(1)   NAS-Port-Id = "0/0/0/0"
(1)   Cisco-AVPair = "client-mac-address=aabb.cc00.0200"
(1)   Service-Type = Framed-User
(1)   NAS-IP-Address = 172.16.1.231
(1)   Acct-Delay-Time = 0
(1) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(1)   preacct {
(1)     [preprocess] = ok
(1)     policy acct_unique {
(1)       update request {
(1)         &Tmp-String-9 := "ai:"
(1)       } # update request = noop
(1)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && 	    ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(1)       EXPAND %{hex:&Class}
(1)          -->
(1)       EXPAND ^%{hex:&Tmp-String-9}
(1)          --> ^61693a
(1)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && 	    ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(1)       else {
(1)         update request {
(1)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1)              --> 188a2b7c95f9e8d0271858acf3e9360f
(1)           &Acct-Unique-Session-Id := 188a2b7c95f9e8d0271858acf3e9360f
(1)         } # update request = noop
(1)       } # else = noop
(1)     } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testppp", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1)     [files] = noop
(1)   } # preacct = ok
(1) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(1)   accounting {
(1) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail:    --> /var/log/freeradius/radacct/172.16.1.231/detail-20200621
(1) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.1.231/detail-20200621
(1) detail: EXPAND %t
(1) detail:    --> Sun Jun 21 20:58:09 2020
(1)     [detail] = ok
(1)     [unix] = ok
(1)     [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response:    --> testppp
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1)     [attr_filter.accounting_response] = updated
(1)   } # accounting = updated
(1) Sent Accounting-Response Id 4 from 10.100.99.156:1813 to 172.16.1.231:1646 length 0
(1) Finished request
(1) Cleaning up request packet ID 4 with timestamp +35
Waking up in 4.7 seconds.

(0) Cleaning up request packet ID 2 with timestamp +35
Ready to process requests

And as you can see, my client gets the IP I specified in my radius server and keeps it without being disconnected or anything of the sort.


PPP-CLT#sh ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Dialer1                    40.40.40.110    YES IPCP   up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
PPP-CLT#

My question to you is: did you go with a radius and SQL database installation, or did you go with software that already packages both (like daloRadius)?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

Hello.


I have FreeRADIUS 2.1.12 in production with SQL. With that RADIUS the ASR is not working well. As I mentioned, in the LAB with FreeRADIUS 3.x and SQL (same configuration as in production but a new version of FreeRADIUS) I managed to get it to work without any problems. In production I can see in the debug that clients are authenticated but do not get an IP address (RADIUS is giving out addresses without errors). In the RADIUS debug in production I can see that IPs are framed, but the ASR does not give any to the clients, and because of that all my IPs are framed (one client, multiple IPs in the database). The weird thing is that the IPs in the database that are given from radippool are not the same as the ones I see in the RADIUS debug. The ASR debug radius log doesn't have any errors except when all IPs have been given out from radippool. I believe there is something wrong with some attribute that does not act well.

Highlighted

In your Cisco dictionary attribute list is this commented out?

#ATTRIBUTE Framed-Filter-Id 11 string
Highlighted

Attribute_Comment.jpg


Highlighted

Sorry, I don't have this version in my lab, and I'm sure it is related to an attribute that isn't doing well on the ASR; that's why I asked for ASR debugs. The only thing I saw wrong was Authentication failure.
Also, you're saying that you got it working with freeradius v3.
First, you have kind of a mess with your database, as IPs aren't matching between what's dealt and what's filled in your table.
My question is, why not upgrade directly to v3 instead of keeping the old version?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

Hello.


Yes, this attribute is commented out as I did not need it. Could that be the reason for my problems?


I want to upgrade to the 3.x version so badly, but I have 4 more 7206VXR routers with software version 12 in the network and I don't know yet how they will act with the new FreeRADIUS. That is on me to test before upgrading FreeRADIUS.


I will test further as soon as I install FreeRADIUS 2.1.12 in the LAB. After that I will test the VXRs with v3 of FreeRADIUS, but if anyone has an idea what is going on I will appreciate a solution.

Highlighted

Hello.


I found the problem.


For every customer packet I have a defined rate-limit which limits upload and download.

That is stored in one of my views in the database, which I send to the router via the FreeRADIUS SQL-wdsl.conf, and the line that does that is:

authorize_group_reply_query = "SELECT id, groupname, attribute, \
          value, op \
          FROM wdsl.packet_rate_limit \
          WHERE groupname = '%{Sql-Group}' \
          UNION ALL SELECT '%{Sql-Group}' AS id, '%{Sql-Group}' AS groupname, 'Filter-Id' AS attribute, '101.in' AS value, ':=' AS op FROM wdsl.spamer WHERE username = '%{SQL-User-Name}' AND active = '1' \
          UNION ALL SELECT '%{Sql-Group}' AS id, '%{Sql-Group}' AS groupname, 'Filter-Id' AS attribute, '106.in' AS value, ':=' AS op FROM wdsl.users WHERE user = '%{SQL-User-Name}' AND (disabled = 'yes' OR active = '0') \
#         UNION ALL SELECT '%{Sql-Group}' AS id, '%{Sql-Group}' AS groupname, 'Filter-Id' AS attribute, '106.in' AS value, ':=' AS op FROM wdsl.users WHERE user = '%{SQL-User-Name}' AND disabled = 'yes' \
          ORDER BY id"

I'm sending:

Cisco-Avpair += lcp:interface-config#1=rate-limit output 1000000000 187500000 375000000 conform-action transmit exceed-action drop

Cisco-Avpair += lcp:interface-config#1=rate-limit input 1000000000 187500000 375000000 conform-action transmit exceed-action drop


But that is not a valid attribute on the ASR.

As I understand it, the ASR has a policy for that.

So if I want to limit a customer's packet to 10Mbps up/down, this is the right attribute:


Cisco-AVPair += ip:sub-qos-policy-in=10Mbps-rate-limit
Cisco-AVPair += ip:sub-qos-policy-out=10Mbps-rate-limit

Is there a workaround for the ASR to accept the old rate-limit?
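Added Python example, not from the thread: it rewrites the legacy rate-limit rows returned by authorize_group_reply_query into the sub-qos-policy form the ASR accepts, and lists the policy-map names that must then exist on the ASR. The "<N>Mbps-rate-limit" naming follows the thread's "10Mbps-rate-limit" and is an assumption, as are the sample rows.

```python
"""Translate legacy 7206-style rate-limit AVPairs into ASR sub-qos-policy AVPairs.

Added example, not from the original thread. Rows are shaped like the output of
authorize_group_reply_query: (id, groupname, attribute, value, op).
"""
import re

# lcp:interface-config#N=rate-limit <input|output> <bps> <normal> <excess>
#     conform-action transmit exceed-action drop
RATE_LIMIT_RE = re.compile(
    r"^lcp:interface-config(?:#\d+)?=rate-limit\s+(?P<dir>input|output)\s+"
    r"(?P<bps>\d+)\s+(?P<normal>\d+)\s+(?P<excess>\d+)\s+"
    r"conform-action\s+transmit\s+exceed-action\s+drop\s*$")

# Constructed sample group-reply rows: one 10 Mbps up/down package plus a
# Filter-Id row like the ones the thread's query adds for blocked users.
SAMPLE_ROWS = [
    (1, "wdsl-10M", "Cisco-Avpair",
     "lcp:interface-config#1=rate-limit output 10000000 1875000 3750000 "
     "conform-action transmit exceed-action drop", "+="),
    (2, "wdsl-10M", "Cisco-Avpair",
     "lcp:interface-config#1=rate-limit input 10000000 1875000 3750000 "
     "conform-action transmit exceed-action drop", "+="),
    (3, "wdsl-10M", "Filter-Id", "101.in", ":="),
]


def policy_name(bps):
    """Assumed policy-map naming, mirroring the thread's '10Mbps-rate-limit'."""
    return f"{bps // 1_000_000}Mbps-rate-limit"


def translate_avpair(value):
    """Return the sub-qos-policy AVPair for a legacy rate-limit AVPair, else None."""
    m = RATE_LIMIT_RE.match(value.strip())
    if not m:
        return None
    # 'rate-limit output' shapes traffic towards the subscriber, which on the
    # ASR is the session's output policy (sub-qos-policy-out), and vice versa.
    direction = "in" if m["dir"] == "input" else "out"
    return f"ip:sub-qos-policy-{direction}={policy_name(int(m['bps']))}"


def translate_reply_rows(rows):
    """Rewrite legacy rate-limit rows; every other row passes through unchanged."""
    out = []
    for rid, group, attribute, value, op in rows:
        new = translate_avpair(value) if attribute.lower() == "cisco-avpair" else None
        out.append((rid, group, attribute, value if new is None else new, op))
    return out


def required_policy_maps(rows):
    """Policy-map names referenced by sub-qos-policy AVPairs in the rows."""
    names = set()
    for _, _, attribute, value, _ in rows:
        if attribute.lower() == "cisco-avpair" and value.startswith("ip:sub-qos-policy-"):
            names.add(value.split("=", 1)[1])
    return names


if __name__ == "__main__":
    translated = translate_reply_rows(SAMPLE_ROWS)
    for row in translated:
        print(row)
    print("policy-maps the ASR needs:", sorted(required_policy_maps(translated)))
```

The ASR applies ip:sub-qos-policy-in/out only when a policy-map of that name is configured locally, so compare the names from required_policy_maps against show policy-map on the ASR before pointing it at the translated rows.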

Highlighted

Normally it should work if aaa network is configured using radius (which is your case) and with the following command: "aaa policy interface-config allow-subinterface". I don't see it in your config.
Can you add it and test again?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question