02-27-2008 02:50 AM - edited 03-10-2019 03:41 PM
Hi!
I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
The setting is as follows. A /31 linknet is set up between PE and CE (7206/g1 and C1812), where the PE sub-if is part of an MPLS VPN, and the CE uses VRF-Lite to keep the local services separated (where more than one VPN is used..).
Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
---> Config Begins <---
aaa new-model
!
!
aaa group server radius radius-auth
server x.x.4.23 auth-port 1645 acct-port 1646
server x.x.7.139 auth-port 1645 acct-port 1646
!
aaa authentication login default group radius-auth local
aaa authentication enable default group radius-auth enable
...
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
...
ip radius source-interface <outside-if> vrf 10
---> Config Ends <---
The VRF-Lite instance is configured like this:
---> Config Begins <---
ip vrf 10
rd 65001:10
---> Config Ends <---
Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okay for a single-VPN setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.
03-11-2008 07:43 AM
It may be necessary to include a vrf-forwarding command in the server group config as follows:
aaa group server radius radius-auth
server-private x.x.x.x auth-port 1645 acct-port 1646 key ww
ip vrf forwarding 10
See the following doc for more details:
http://www.cisco.com/en/US/partner/docs/ios/12_4/secure/configuration/guide/hvrfaaa.html
02-21-2014 10:44 PM
Just wanted to help future people as some of the answers I found here were confusing.
This is all you need from the AAA perspective:
aaa new-model
!
!
aaa group server radius RADIUS-VRF-X
server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
ip vrf forwarding X
!
aaa authentication login default group RADIUS-VRF-X local
aaa authorization exec default group RADIUS-VRF-X local if-authenticated
Per VRF AAA reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168
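As an added check (not from the thread or from Cisco), a small Python linter that parses the two config shapes discussed above and flags a login server group that has no `ip vrf forwarding` while the interfaces forward in a VRF. The server addresses, interface name and key in the embedded snippets are constructed.

```python
# Constructed IOS snippets (not from the thread): the poster's shape, then the fix.
BROKEN_CFG = """\
aaa group server radius radius-auth
 server 192.0.2.23 auth-port 1645 acct-port 1646
aaa authentication login default group radius-auth local
interface FastEthernet0
 ip vrf forwarding 10
"""
FIXED_CFG = """\
aaa group server radius RADIUS-VRF-X
 server-private 192.0.2.23 auth-port 1812 acct-port 1813 key EXAMPLE
 ip vrf forwarding 10
aaa authentication login default group RADIUS-VRF-X local
interface FastEthernet0
 ip vrf forwarding 10
"""

def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())  # sub-command of the last block
        else:
            blocks.append((raw.strip(), []))
    return blocks

def lint_aaa_vrf(config):
    """Flag login server groups whose VRF binding does not match the interface VRFs."""
    group_vrf, iface_vrfs, login_groups, findings = {}, set(), [], []
    for header, sub in parse_blocks(config):
        vrfs = {s.split()[-1] for s in sub if s.startswith("ip vrf forwarding ")}
        if header.startswith("aaa group server radius "):
            group_vrf[header.split()[-1]] = next(iter(vrfs), None)  # one VRF per group
        elif header.startswith("interface "):
            iface_vrfs |= vrfs
        elif header.startswith("aaa authentication login "):
            toks = header.split()
            login_groups += [toks[i + 1] for i, t in enumerate(toks) if t == "group"]
    for name in login_groups:
        vrf = group_vrf.get(name)
        if name in group_vrf and vrf is None and iface_vrfs:
            findings.append(f"group {name} has no 'ip vrf forwarding' but interfaces use VRF {sorted(iface_vrfs)}")
        elif vrf and vrf not in iface_vrfs:
            findings.append(f"group {name} is bound to VRF {vrf} that no interface uses")
    return findings
```

Run it against a `show running-config` dump to confirm the group used for login is bound to the same VRF the RADIUS servers are reached through.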