Cisco ASR1002 and Freeradius 2.1.12 problems

vkovac13 (Level 1)

Hello.

 

The ISP I work for uses 7206VXR routers for PPPoE aggregation. The 7206s are connected to FreeRADIUS for AAA. I'm trying to add an ASR1002 with IOS XE 3.16.10S (asr1000rp1-adventerprise, the latest), and for 2 days now I can't get it to work.

Here is my router configuration for PPP, AAA and RADIUS:

 

aaa new-model
!
aaa group server radius RADIUS_SERVER
 server name RADIUS
!
aaa authentication ppp Static_Users group RADIUS_SERVER
aaa authentication ppp WDSL_Users group RADIUS_SERVER
aaa authorization network RADIUS_SERVER group RADIUS_SERVER
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting update newinfo periodic 3
aaa accounting network RADIUS_SERVER start-stop group RADIUS_SERVER
aaa accounting connection RADIUS_SERVER start-stop group RADIUS_SERVER
!
aaa session-id common
clock timezone UTC 1 0
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00 1440
!
ip name-server 46.229.247.40 1.1.1.1 46.229.247.41
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
redundancy
 mode none
!
bba-group pppoe WDSL-Users
 virtual-template 1
 nas-port-id format c
 sessions per-mac limit 1
 sessions auto cleanup
!
bba-group pppoe Static-Users
 virtual-template 2
 nas-port-id format c
 sessions per-mac limit 1
 sessions auto cleanup
!
interface Loopback0
 description ***core-ck***
 ip address "public ip" 255.255.255.255
!
interface Port-channel1
 no ip address
 negotiation auto
 hold-queue 225 in
!
interface Port-channel1.67
 description Static-Users
 encapsulation dot1Q 67
 pppoe enable group Static-Users
!
interface Port-channel1.207
 description PPPoE-WDSL-Users
 encapsulation dot1Q 207
 pppoe enable group WDSL-Users
 pppoe max-sessions 800
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface Virtual-Template1
 description WDSL-Users
 mtu 1492
 ip unnumbered Loopback0
 timeout absolute 1440 0
 no peer default ip address
 ppp authentication chap WDSL_Users
 ppp authorization RADIUS_SERVER
 ppp accounting RADIUS_SERVER
!
interface Virtual-Template2
 description Static-Users
 mtu 1492
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap Static_Users
 ppp authorization RADIUS_SERVER
 ppp accounting RADIUS_SERVER
!
radius-server attribute 4 "loopback ip"
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
!
radius server RADIUS
 address ipv4 10.0.101.20 auth-port 1812 acct-port 1813
 key ***hidden***

 

In the RADIUS log I can see that users get "Login OK" and an IP allocation, but a few seconds later I get the errors "IP Allocation FAILED" and "stop packet with zero session length".

 

When I issue show aaa sessions I can see all my customers, but with IP Address: 0.0.0.0.

Also, when I issue show subscriber session I get what is shown in the attached photo. The first and second commands were issued 2 seconds apart. No one is able to connect to PPPoE.

[image: Untitled.jpg]
It is hard to debug this because at the same time more than 500 clients are trying to connect to PPPoE and the debug log is passing by like crazy.

It looks like the IP address can't be framed and users can't authenticate.

 

Help will be much appreciated.
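The poster's difficulty is that with 500 clients retrying, the useful sequence per subscriber ("Login OK", then the allocation failure, then a zero-length Accounting-Stop) is buried in the debug output. The script below is an added example, not code from the original poster or from FreeRADIUS: it parses radius.log and reports users that authenticated but were torn down within a few seconds with a zero-length stop, which is exactly the "authenticated but never framed" signature described above. SAMPLE_LOG is constructed to resemble FreeRADIUS 2.x radius.log lines (rlm_sqlippool's "IP Allocation FAILED", rlm_sql's "Stop packet with zero session length"); the usernames, MAC addresses and NAS address are made up, and the regexes may need adjusting to a real log.

```python
"""Triage a FreeRADIUS 2.x radius.log for PPP sessions that authenticate but
never get framed (Login OK -> IP Allocation FAILED -> zero-length Stop).

Added example; not code from the original poster or from FreeRADIUS.
SAMPLE_LOG is constructed to resemble FreeRADIUS 2.x radius.log output;
usernames, MACs and the NAS address are invented.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Mon Aug 10 20:15:01 2020 : Auth: Login OK: [user01/<CHAP-Password>] (from client asr1002 port 0 cli 00:11:22:33:44:55)
Mon Aug 10 20:15:01 2020 : Auth: Login OK: [user02/<CHAP-Password>] (from client asr1002 port 0 cli 00:11:22:33:44:66)
Mon Aug 10 20:15:04 2020 : Error: rlm_sqlippool: IP Allocation FAILED
Mon Aug 10 20:15:04 2020 : Error: rlm_sql (sql): Stop packet with zero session length. (user 'user01', nas '10.0.101.1')
Mon Aug 10 20:15:05 2020 : Auth: Login incorrect: [user03/<CHAP-Password>] (from client asr1002 port 0 cli 00:11:22:33:44:77)
Mon Aug 10 20:15:09 2020 : Error: rlm_sql (sql): Stop packet with zero session length. (user 'user02', nas '10.0.101.1')
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
# "<weekday> <month> <day> <time> <year> : <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<msg>.*)$")
# Username is everything up to "/" (FreeRADIUS appends "/<CHAP-Password>" etc.) or "]"
LOGIN_OK_RE = re.compile(r"Auth: Login OK: \[(?P<user>[^\]/]+)")
ZERO_STOP_RE = re.compile(r"Stop packet with zero session length\. \(user '(?P<user>[^']+)'")
ALLOC_FAIL = "IP Allocation FAILED"


def parse_lines(log_text):
    """Yield (timestamp, message) for every line that carries a radius.log timestamp."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["msg"]


def triage(log_text, window_seconds=30):
    """Return (never_framed, alloc_failures).

    never_framed maps each user that got "Login OK" and then a zero-length
    Accounting-Stop within window_seconds to the delay in seconds: the PPP
    session authenticated but was torn down before an address was framed.
    alloc_failures counts rlm_sqlippool failures; that message does not name
    the user, so it can only be correlated with the stops by time.
    """
    last_ok = {}
    never_framed = {}
    alloc_failures = 0
    for ts, msg in parse_lines(log_text):
        if ALLOC_FAIL in msg:
            alloc_failures += 1
            continue
        ok = LOGIN_OK_RE.search(msg)
        if ok:
            last_ok[ok["user"]] = ts
            continue
        stop = ZERO_STOP_RE.search(msg)
        if stop and stop["user"] in last_ok:
            delta = (ts - last_ok.pop(stop["user"])).total_seconds()
            if 0 <= delta <= window_seconds:
                never_framed[stop["user"]] = delta
    return never_framed, alloc_failures


def lines_for_user(log_text, user):
    """Messages naming exactly this user, to follow one subscriber through a busy log."""
    pat = re.compile(r"(?<![\w-])" + re.escape(user) + r"(?![\w-])")
    return [msg for _, msg in parse_lines(log_text) if pat.search(msg)]


if __name__ == "__main__":
    never_framed, failures = triage(SAMPLE_LOG)
    print(f"{failures} IP allocation failure(s)")
    for user, delay in never_framed.items():
        print(f"{user}: authenticated, zero-length Stop {delay:.0f}s later (never framed)")
    for msg in lines_for_user(SAMPLE_LOG, "user01"):
        print("  ", msg)
```

Run it against the real radius.log (or a `radiusd -X` capture redirected to a file) rather than the live debug stream; narrowing to one username with lines_for_user is usually enough to see whether the stop arrives before or after the allocation failure.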

16 Replies

I've tested with the mentioned command but it still does not work. It acts the same as without this command. For a test I've commented out the rate-limit lines in my RADIUS conf and it works. Only when sending lcp:interface-config#1rate-limit does it not work.

I'm afraid I would have to change my RADIUS config and add a new policy for the rate-limit, but I have 100 customer packages with 50 different bandwidths, so I would have to add many policy configs to the ASR. That is very bad....

Using the command I gave was working on an ASR for one of my customers, but as I don't have access to it anymore I can't check the version.

For new implementations I'm doing the new model using policies.
I'm afraid too that you need to redo the config, unless you open a TAC case to validate with Cisco.

Thanks
Francesco
PS: Please don't forget to rate and select as the validated answer if this answered your question.
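The concern raised above is that the policy-based model means one policy-map per bandwidth tier on the ASR plus matching RADIUS reply items for every package. Below is an added example, not code from either poster or from Cisco or FreeRADIUS, that generates both sides from a single tier table so the 50 tiers are produced mechanically rather than typed by hand. It assumes the ISG per-session QoS attributes Cisco-AVPair "ip:sub-qos-policy-in=<policy-map>" (the subscriber's upstream, input on the ASR) and "ip:sub-qos-policy-out=<policy-map>" (downstream), which the router applies from the Access-Accept when PPP network authorization is enabled as in the posted config; verify those AV pairs against your IOS XE release. The tier names, rates, usernames and password are constructed.

```python
"""Generate per-tier QoS policy-maps for the ASR and the matching FreeRADIUS
"users" reply items for the policy-based rate-limit model.

Added example, not code from either poster or from Cisco/FreeRADIUS. Assumes
the ISG per-session QoS AV pairs ip:sub-qos-policy-in / ip:sub-qos-policy-out;
tier names, rates, usernames and passwords are constructed.
"""

# Constructed tier table: tier name -> (upstream kbps, downstream kbps)
TIERS_KBPS = {
    "2M": (512, 2048),
    "10M": (2048, 10000),
    "50M": (10000, 50000),
}


def police_bc(rate_bps, burst_ms=250):
    """Committed burst in bytes: burst_ms worth of traffic at rate_bps, at least one MTU."""
    return max(rate_bps * burst_ms // 8000, 1500)


def policy_names(tier):
    """Policy-map names for a tier; these must exist on the router before RADIUS hands them out."""
    return f"POL_IN_{tier}", f"POL_OUT_{tier}"


def policy_map(name, rate_kbps):
    """One MQC policy-map that polices class-default to rate_kbps."""
    bps = rate_kbps * 1000
    return "\n".join([
        f"policy-map {name}",
        " class class-default",
        f"  police cir {bps} bc {police_bc(bps)} conform-action transmit exceed-action drop",
        "!",
    ])


def ios_config(tiers=TIERS_KBPS):
    """Router-side config: an input (upstream) and output (downstream) policy-map per tier."""
    parts = []
    for tier, (up_kbps, down_kbps) in sorted(tiers.items()):
        in_name, out_name = policy_names(tier)
        parts.append(policy_map(in_name, up_kbps))
        parts.append(policy_map(out_name, down_kbps))
    return "\n".join(parts) + "\n"


def users_entry(username, password, tier):
    """FreeRADIUS 'users' file entry for one subscriber; the last reply item has no trailing comma."""
    in_name, out_name = policy_names(tier)
    return "\n".join([
        f'{username}\tCleartext-Password := "{password}"',
        "\tService-Type = Framed-User,",
        "\tFramed-Protocol = PPP,",
        f'\tCisco-AVPair += "ip:sub-qos-policy-in={in_name}",',
        f'\tCisco-AVPair += "ip:sub-qos-policy-out={out_name}"',
        "",
    ])


if __name__ == "__main__":
    print(ios_config())
    print(users_entry("user01", "s3cret", "10M"))
```

Paste the generated policy-maps into the ASR before rolling out the RADIUS change: a reply that names a policy-map the router does not have is rejected at authorization, which from the subscriber's side looks like another failed PPP session.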