10-15-2012 05:14 AM
I have this annoying problem I am struggling to solve. I am trying to put individual users into a unique VRF. So I have set up this RADIUS detail:
nicholas Cleartext-Password := "nicholas"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 172.16.3.33,
Framed-IP-Netmask = 255.255.255.255,
Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding vpn1",
Cisco-AVPair = "lcp:interface-config#2=ip unnumbered loopback5"
I have also used:
cisco-avpair="ip:vrf-id=vpn1",
cisco-avpair="ip:ip-unnumbered=lo5"
The PPP client gets the correct IP address, and it picks up the loopback route in the correct VRF. However, the virtual-access interface does not appear in the VRF and stays in the global routing table. So it's half in, half out. Any ideas?
My LNS is a 7201 running C7200-SPSERVICESK9-M, Version 12.4(22)T
Config on PPP server:
interface Virtual-Template2
ip unnumbered loopback 5
ip mtu 1492
no ip route-cache cef
no peer default ip address
ppp mru match
ppp authentication pap chap
ip vrf vpn1
rd 65001:1
route-target export 1:1
route-target import 1:1
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius local
aaa accounting exec default
action-type start-stop
group radius
aaa accounting system default
action-type start-stop
group radius
interface Loopback5
ip vrf forwarding vpn1
ip address 172.16.4.1 255.255.255.255
!
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
LNS#show ip route vrf vpn1
Routing Table: vpn1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/32 is subnetted, 1 subnets
C 172.16.4.1 is directly connected, Loopback5
192.168.254.0/32 is subnetted, 1 subnets
B 192.168.254.254 [200/0] via 10.0.0.2, 06:54:54
192.168.1.0/30 is subnetted, 1 subnets
B 192.168.1.0 [200/0] via 10.0.0.1, 05:13:40
Client:
pppoeclient#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
172.16.0.0/32 is subnetted, 2 subnets
C 172.16.3.33 is directly connected, Dialer1
C 172.16.4.1 is directly connected, Dialer1
S* 0.0.0.0/0 is directly connected, Dialer1
Any suggestions greatly appreciated
10-15-2012 10:21 AM
I found this debug which hints at the error - I wish I could find the debug which says "THIS IS THE PROBLEM" lol
LNS#debug vtemplate event
Virtual Template events debugging is on
LNS#
*Oct 15 18:17:28.067: VT:Sending vaccess request, id 0x4600008B
*Oct 15 18:17:28.075: VT:Processing vaccess requests, 1 outstanding
*Oct 15 18:17:28.079: VT:Create and clone interface, Vt2
*Oct 15 18:17:28.083: VT[Vi3]:Reuse interface, recycle queue size 1
*Oct 15 18:17:28.087: VT[Vi3]:Cloning a recycled vaccess
*Oct 15 18:17:28.207: VT[Vi3]:Processing vaccess response, id 0x4600008B, result success (1)
*Oct 15 18:17:28.227: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Oct 15 18:17:28.263: VT:Sending vaccess request, id 0xAF00005F
*Oct 15 18:17:28.267: VT:Processing vaccess requests, 1 outstanding
*Oct 15 18:17:28.491: VT[Vi3]:Processing vaccess response, id 0xAF00005F, result clone error (4)
*Oct 15 18:17:28.543: VT[Vi3]:Processing request to free vaccess
*Oct 15 18:17:28.547: VT[Vi3]:Waiting for the free request to finish
*Oct 15 18:17:28.551: VT[Vi3]:Vaccess free request complete, reference id 47
*Oct 15 18:17:28.563: %LINK-3-UPDOWN: Interface Virt
LNS#ual-Access3, changed state to down
*Oct 15 18:17:28.567: VT[Vi3]:Interface and line protocol are down, proceed to free
*Oct 15 18:17:28.579: VT:Clean up dirty vaccess queue, size 1
*Oct 15 18:17:28.583: VT[Vi3]:Found a dirty vaccess cloned from vtemplate/AAA
*Oct 15 18:17:28.583: VT[Vi3]:Unclone vaccess, 2 command(s) to be removed
*Oct 15 18:17:28.699: VT:Found a AAA buf for AAA clone blk.
*Oct 15 18:17:28.703: VT[Vi3]:Unclone vaccess, 3 command(s) to be removed
*Oct 15 18:17:28.791: VT[Vi3]:Hardware address ca00.6390.0008
*Oct 15 18:17:28.799: VT[Vi3]:Add vaccess to recycle queue, queue size 1
10-15-2012 10:25 AM
I found another - not sure what exactly is happening here
LNS#debug vtemplate cloning
Virtual Template cloning debugging is on
LNS#
*Oct 15 18:22:02.375: VT[Vi3]:Cloning a recycled vaccess
*Oct 15 18:22:02.379: VT[Vi3]:Added new vtemplate cloneblk, now cloning from vtemplate
*Oct 15 18:22:02.383: VT[Vi3]:Clone Vaccess from Virtual-Template2 (53 bytes)
*Oct 15 18:22:02.387: VT[Vi3]:no ip address
*Oct 15 18:22:02.387: VT[Vi3]:ip mtu 1492
*Oct 15 18:22:02.391: VT[Vi3]:no ip route-cache cef
*Oct 15 18:22:02.391: VT[Vi3]:end
*Oct 15 18:22:02.395: VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (217)
*Oct 15 18:22:02.395: VT[Vi3]:no ip address
*Oct 15 18:22:02.399: VT[Vi3]:ip mtu 1492
*Oct 15 18:22:02.399: VT[Vi3]:no ip route-cache cef
*Oct 15 18:22:02.403: VT[Vi3]:end
*Oct 15 18:22:02.511: VT[Vi3]:MTUs ip 1492, sub 1500, max 1500, default 1500
*Oct 15 18:22:02.531: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
LNS#
*Oct 15 18:22:02.575: VT[Vi3]:Added new AAA cloneblk, now cloning from vtemplate/AAA
*Oct 15 18:22:02.579: VT[Vi3]:Clone Vaccess from AAA (56 bytes)
*Oct 15 18:22:02.579: VT[Vi3]:ip vrf forwarding vpn1
*Oct 15 18:22:02.583: VT[Vi3]:ip ip unnumbered Loopback 5
*Oct 15 18:22:02.583: VT[Vi3]:end
*Oct 15 18:22:02.587: VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (217)
*Oct 15 18:22:02.591: VT[Vi3]:ip vrf forwarding vpn1
*Oct 15 18:22:02.591: VT[Vi3]:ip ip unnumbered Loopback 5
*Oct 15 18:22:02.595: VT[Vi3]:end
*Oct 15 18:22:02.855: VT[Vi3]:MTUs ip 1492, sub 1492, max 1492, default 1492
*Oct 15 18:22:02.927: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Oct 15 18:22:02.943: VT[Vi3]:Unclone vaccess, 2 command(s) to be removed
*Oct 15 18:22:02.947: VT[Vi3]:default ip ip unnumbered Loopback 5
*Oct 15 18:22:02.947: VT[Vi3]:default ip vrf forwarding vpn1
*Oct 15 18:22:02.951: VT[Vi3]:end
*Oct 15 18:22:02.955: VT[Vi3]:Applying config
LNS# commands on process "VTEMPLATE Background Mgr" (217)
*Oct 15 18:22:02.955: VT[Vi3]:default ip ip unnumbered Loopback 5
*Oct 15 18:22:02.959: VT[Vi3]:default ip vrf forwarding vpn1
*Oct 15 18:22:02.959: VT[Vi3]:end
*Oct 15 18:22:03.095: VT[Vi3]:Remove cloneblk AAA from vaccess with vtemplate/AAA
*Oct 15 18:22:03.099: VT[Vi3]:Unclone vaccess, 3 command(s) to be removed
*Oct 15 18:22:03.099: VT[Vi3]:default ip route-cache cef
*Oct 15 18:22:03.103: VT[Vi3]:default ip mtu 1492
*Oct 15 18:22:03.103: VT[Vi3]:default ip address
*Oct 15 18:22:03.107: VT[Vi3]:end
*Oct 15 18:22:03.111: VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (217)
*Oct 15 18:22:03.111: VT[Vi3]:default ip route-cache cef
*Oct 15 18:22:03.115: VT[Vi3]:default ip mtu 1492
*Oct 15 18:22:03.115: VT[Vi3]:default ip address
*Oct 15 18:22:03.119: VT[Vi3]:end
*Oct 15 18:22:03.263: VT[Vi3]:Remove cloneblk vtemplate from vaccess with vtemplate
LNS#u all
10-15-2012 01:23 PM
Solved. After a lot more debug and cross-referencing I came to the conclusion the router was simply ignoring the avpairs. A little more research led me to this command:
radius-server vsa send authentication
http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdrad.html#wp1001063
It would seem my NAS needs to think the ciscoav is a vendor-specific attribute; a bit confused by that, however possibly it would indicate some sort of syntax problem, though a Wireshark capture would indicate not. Oh well, it works now!
LNS#show ip route vrf vpn1
Routing Table: vpn1
Gateway of last resort is not set
172.16.0.0/32 is subnetted, 2 subnets
C 172.16.3.33 is directly connected, Virtual-Access3
C 172.16.6.1 is directly connected, Loopback5
192.168.254.0/32 is subnetted, 1 subnets
B 192.168.254.254 [200/0] via 10.0.0.2, 01:39:08
192.168.1.0/30 is subnetted, 1 subnets
B 192.168.1.0 [200/0] via 10.0.0.1, 01:39:08
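As an added example (not the poster's code, nor Cisco's or FreeRADIUS's), here is what the Access-Accept for that RADIUS entry looks like on the wire, which is what the Wireshark capture mentioned above carries: the cisco-avpair strings ride inside RFC 2865 Vendor-Specific attributes (vendor id 9, vendor-type 1), which the NAS only acts on once `radius-server vsa send authentication` is configured. The block builds that reply, checks its Response Authenticator against the shared secret (the check a NAS performs before trusting the reply), and parses the avpairs back out; the shared secret and request authenticator are constructed sample values.

```python
import hashlib
import socket
import struct

VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1   # RFC 2865 type 26, IANA 9
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP, FRAMED_MASK = 6, 7, 8, 9

def attr(t, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific(26): vendor-id 9, vendor-type 1, vendor-length, string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def access_accept(ident, request_auth, secret, attrs):
    """Access-Accept (code 2); ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", 2, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def verify_response(pkt, request_auth, secret):
    """True only if the reply was built by a server holding the shared secret."""
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest() == pkt[4:20]

def parse_cisco_avpairs(pkt):
    """Walk the attribute list and return every cisco-avpair string."""
    found, pos = [], 20
    while pos + 2 <= len(pkt):
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2:  # a malformed length would otherwise loop forever
            break
        val = pkt[pos + 2:pos + ln]
        if t == VENDOR_SPECIFIC and val[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            if val[4] == CISCO_AVPAIR:
                found.append(val[6:4 + val[5]].decode())
        pos += ln
    return found

def example_accept(secret=b"constructed-secret"):
    """Reply for user nicholas; request authenticator and secret are constructed."""
    request_auth = bytes(range(16))
    attrs = [attr(SERVICE_TYPE, struct.pack("!I", 2)),      # Framed-User
             attr(FRAMED_PROTOCOL, struct.pack("!I", 1)),   # PPP
             attr(FRAMED_IP, socket.inet_aton("172.16.3.33")),
             attr(FRAMED_MASK, socket.inet_aton("255.255.255.255")),
             cisco_avpair("lcp:interface-config#1=ip vrf forwarding vpn1"),
             cisco_avpair("lcp:interface-config#2=ip unnumbered loopback5")]
    return access_accept(0x4A, request_auth, secret, attrs), request_auth
```

Feeding a captured reply and the matching request authenticator to verify_response is a quick way to confirm a RADIUS server and NAS actually share the same secret before chasing attribute problems.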
10-15-2012 01:55 PM
How do I close a discussion I solved myself....