12-21-2002 03:01 AM - edited 03-10-2019 07:05 AM
Hello,
We have been facing an authorization problem for a PPP encapsulated leased line at our ISP node when it is enabled with Virtual Template based virtual profiles.
As all our PPP encapsulated interfaces (Async/ISDN/PPP ENCAPSULATED LEASED LINE) by default refer to virtual profiles irrespective of interface type, our PPP ENCAPSULATED LEASED LINE fails in the LCP phase as it refers to the Radius, i.e. authorization failure. But we need virtual profiles to authorize the ISDN dialup clients.
Pls. let me know where this problem should be addressed, at Radius or in our Internet Access Node (Cisco 7206 router with AS5800 access server).
Here is our configuration; pls. let me know whether any modification in the current configuration would help to get rid of this problem.
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
virtual-profile virtual-template 1
!
Interface Virtual-template 1
ip unnumbered loopback 0
encapsulation ppp
ppp authentication pap
peer default ip address pool DIALPOOL
!
Interface Group Async
description ***** Async Dialup *****
ip unnumbered loopback 0
encap ppp
peer default ip address pool DIALPOOL
ppp authentication pap
!
Interface serial 1/0/11:15
encapsulation ppp
description **** ISDN PRI *****
ip unnumbered loopback 0
encap ppp
peer default ip address pool DIALPOOL
ppp authentication pap
!
Interface serial 1/0/9:0
description **** NON_CISCO PPP LEASED LINE ***
ip unnumbered loopback 0
encapsulation ppp
12-21-2002 09:51 AM
The config looks fine. But does AAA introduce any user-specific attributes for authorization? If it does, then it will not work.
Here is the url which explains Virtual Profiles Configured by Virtual Templates Example
Now here is the user for different possible config using virtual-template. It will clear all your doubts.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/dial_c/dcprt7/dcvprof.htm
12-22-2002 01:59 AM
Thanks. I have already been through the URLs. As we are unaware of the Radius part, which is maintained by a different department, can you pls. go through the following details and suggest how we can get rid of the problem.
NAS port entries are scripted at our Merit Radius, i.e. successful authentication is possible if and only if
1. Async NAS Range is from 3888 to 4031
2. ISDN call should land at 1/0/11 AS5800 Ingress controller
So I guess PORT SPECIFIC ATTRIBUTES exist, which in turn results in authorization failure.
Now, could you say whether this could be addressed by configuration MODIFICATION at the router, or whether Radius should do that?
Moreover, for your kind information, here are the PPP leased line "debug ppp negotiation" outputs for the interface serial 1/0/9:0
***********************************************************************************
KRU-AS01#sh debugging con
KRU-AS01#sh debugging condition
Condition 1: interface Se1/0/9:0 (1 flags triggered)
Flags: Se1/0/9:0
KRU-AS01#sh deb
KRU-AS01#sh debugging
PPP:
PPP protocol negotiation debugging is on
KRU-AS01#
KRU-AS01(config)#interface serial 1/0/9:0
KRU-AS01(config-if)#shtdown
KRU-AS01(config-if)#no sh
KRU-AS01(config-if)#no shutdown
KRU-AS01(config-if)#^Z
KRU-AS01#
18:27:39: Se1/0/9:0 PPP: Treating connection as a dedicated line
18:27:39: Se1/0/9:0 PPP: Phase is ESTABLISHING, Active Open [0 sess, 1 load]
18:27:39: Se1/0/9:0 LCP: O CONFREQ [Closed] id 133 len 10
18:27:39: Se1/0/9:0 LCP: MagicNumber 0xB4B8F38C (0x0506B4B8F38C)
18:27:39: Se1/0/9:0 LCP: I CONFREQ [REQsent] id 21 len 10
18:27:39: Se1/0/9:0 LCP: MagicNumber 0xB4B3CC7B (0x0506B4B3CC7B)
18:27:39: Se1/0/9:0 LCP: O CONFACK [REQsent] id 21 len 10
18:27:39: Se1/0/9:0 LCP: MagicNumber 0xB4B3CC7B (0x0506B4B3CC7B)
18:27:39: Se1/0/9:0 LCP: I CONFACK [ACKsent] id 133 len 10
18:27:39: Se1/0/9:0 LCP: MagicNumber 0xB4B8F38C (0x0506B4B8F38C)
18:27:39: Se1/0/9:0 LCP: State is Open
18:27:39: Se1/0/9:0 AAA/AUTHOR/LCP: Denied
18:27:39: Se1/0/9:0 PPP: Phase is TERMINATING [0 sess, 1 load]
18:27:39: Se1/0/9:0 LCP: O TERMREQ [Open] id 134 len 4
18:27:39: Se1/0/9:0 PPP: Phase is FORWARDED [0 sess, 1 load]
18:27:39: Se1/0/9:0 IPCP: LCP not open, discarding packet
18:27:39: Se1/0/9:0 CDPCP: LCP not open, discarding packet
18:27:39: Se1/0/9:0 LCP: I TERMACK [TERMsent] id 134 len 4
18:27:39: Se1/0/9:0 LCP: State is Closed
18:27:39: Se1/0/9:0 PPP: Phase is DOWN [0 sess, 2 load]
18:27:39: Se1/0/9:0 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 2 load]
18:27:39: Se1/0/9:0 LCP: State is Listen
18:27:41: Se1/0/9:0 LCP: TIMEout: State Listen
18:27:41: Se1/0/9:0 LCP: O CONFREQ [Listen] id 135 len 10
18:27:41: Se1/0/9:0 LCP: MagicNumber 0xB4B8FB87 (0x0506B4B8FB87)
18:27:41: Se1/0/9:0 LCP: I CONFREQ [REQsent] id 22 len 10
18:27:41: Se1/0/9:0 LCP: MagicNumber 0xB4B3D475 (0x0506B4B3D475)
18:27:41: Se1/0/9:0 LCP: O CONFACK [REQsent] id 22 len 10
18:27:41: Se1/0/9:0 LCP: MagicNumber 0xB4B3D475 (0x0506B4B3D475)
18:27:41: Se1/0/9:0 LCP: I CONFACK [ACKsent] id 135 len 10
18:27:41: Se1/0/9:0 LCP: MagicNumber 0xB4B8FB87 (0x0506B4B8FB87)
18:27:41: Se1/0/9:0 LCP: State is Open
18:27:41: Se1/0/9:0 AAA/AUTHOR/LCP: Denied
18:27:41: Se1/0/9:0 PPP: Phase is TERMINATING [0 sess, 1 load]
18:27:41: Se1/0/9:0 LCP: O TERMREQ [Open] id 136 len 4
18:27:41: Se1/0/9:0 PPP: Phase is FORWARDED [0 sess, 1 load]
18:27:41: Se1/0/9:0 IPCP: LCP not open, discarding packet
18:27:41: Se1/0/9:0 CDPCP: LCP not open, discarding packet
18:27:41: Se1/0/9:0 LCP: I TERMACK [TERMsent] id 136 len 4
18:27:41: Se1/0/9:0 LCP: State is Closed
18:27:41: Se1/0/9:0 PPP: Phase is DOWN [0 sess, 2 load]
12-23-2002 07:11 AM
Try turning off authorization on the serial line:
aaa authorization network NO_AUTHOR none
int se1/0/9
ppp author NO_AUTHOR
If that doesn't work, create a different loopback int for ip unnumbered and assign to the serial int.
12-26-2002 01:51 AM
Thanks. We tried this option earlier, but it failed. Now in our configuration the following are inevitable.
!
virtual-profile virtual-template 1
!
Interface Virtual-Template 1
ip unnumbered loopback 0
encap ppp
peer default ip address pool DIALPOOL
ppp authentication pap
!
Interface serial 1/0/11:15
encap ppp
ppp authentication pap
ppp multilink
!
Virtual-Profile Virtual-Template 1 is inevitable for authentication of ISDN peers. The mind-blowing thing is that, irrespective of interface type, i.e. including PPP encapsulated LEASED LINE interfaces, every interface refers to the VIRTUAL PROFILE and fails in the LCP/NCP negotiation phase.
Do you suggest AAA based virtual profiles rather than virtual template based virtual profiles? Otherwise, is there any workaround to support both our ISDN peers and PPP encapsulated leased line clients?
If we remove virtual profiles, we are successful. But it is not possible as we have ISDN peers.
You can also view the "debug ppp negotiation" from our LEASED LINE client end and how it fails in LCP/NCP phase.
*************************************************************************************
PPPTest#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PPPTest(config)#interface serial 0/4/0:0
PPPTest(config-if)#no sh
PPPTest(config-if)#no shutdown
PPPTest(config-if)#
4d20h: Se0/4/0:0 LCP: I CONFREQ [Closed] id 171 len 10
4d20h: Se0/4/0:0 LCP: MagicNumber 0xC9E09D3F (0x0506C9E09D3F)
4d20h: Se0/4/0:0 LCP: Lower layer not up, Fast Starting
4d20h: Se0/4/0:0 PPP: Treating connection as a dedicated line
4d20h: Se0/4/0:0 PPP: Phase is ESTABLISHING, Active Open
4d20h: Se0/4/0:0 LCP: O CONFREQ [Closed] id 233 len 10
4d20h: Se0/4/0:0 LCP: MagicNumber 0xC9DA88D3 (0x0506C9DA88D3)
4d20h: Se0/4/0:0 LCP: O CONFACK [REQsent] id 171 len 10
4d20h: Se0/4/0:0 LCP: MagicNumber 0xC9E09D3F (0x0506C9E09D3F)
4d20h: Se0/4/0:0 LCP: I CONFACK [ACKsent] id 233 len 10
4d20h: Se0/4/0:0 LCP: MagicNumber 0xC9DA88D3 (0x0506C9DA88D3)^Z
PPPTest#
4d20h: Se0/4/0:0 LCP: State is Open
4d20h: Se0/4/0:0 PPP: Phase is UP
4d20h: Se0/4/0:0 IPCP: O CONFREQ [Closed] id 45 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 CDPCP: O CONFREQ [Closed] id 201 len 4
4d20h: Se0/4/0:0 LCP: I PROTREJ [Open] id 1 len 10 protocol CDPCP (0x820701C9000
4)
4d20h: Se0/4/0:0 CDPCP: State is Closed
4d20h: Se0/4/0:0 PPP: Outbound cdp packet dropped, CDPCP is Closed [starting neg
otiations]
4d20h: Se0/4/0:0 CDPCP: State is Closed
4d20h: Se0/4/0:0 CDPCP: TIMEout: State Closed
4d20h: Se0/4/0:0 CDPCP: State is Listen
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 46 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 47 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 48 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 49 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 50 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 51 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 52 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 53 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 54 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 55 len 10
4d20h: Se0/4/0:0 IPCP: Address 61.1.223.177 (0x03063D01DFB1)
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
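An added example, not part of any post in this thread: a small Python triage of "debug ppp negotiation" output that separates the two failure signatures visible in the traces above, namely the NAS side logging "AAA/AUTHOR/LCP: Denied" right after LCP opens, and the leased-line side sending IPCP CONFREQs that never get a reply. The function name classify, the verdict strings and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two traces posted in the thread.
SAMPLE = """\
18:27:39: Se1/0/9:0 LCP: State is Open
18:27:39: Se1/0/9:0 AAA/AUTHOR/LCP: Denied
18:27:41: Se1/0/9:0 LCP: State is Open
18:27:41: Se1/0/9:0 AAA/AUTHOR/LCP: Denied
4d20h: Se0/4/0:0 LCP: State is Open
4d20h: Se0/4/0:0 PPP: Phase is UP
4d20h: Se0/4/0:0 IPCP: O CONFREQ [Closed] id 45 len 10
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
4d20h: Se0/4/0:0 IPCP: O CONFREQ [REQsent] id 46 len 10
4d20h: Se0/4/0:0 IPCP: TIMEout: State REQsent
"""

# timestamp, interface, protocol tag (LCP, IPCP, AAA/AUTHOR/LCP, ...), message
LINE = re.compile(r"^(?P<ts>\S+): (?P<intf>\S+) (?P<proto>[A-Za-z/]+): (?P<msg>.*)$")

def classify(text):
    """Return {interface: verdict} for a 'debug ppp negotiation' capture."""
    st = defaultdict(lambda: {"lcp_open": False, "denied": 0, "ncp_out": 0, "ncp_in": 0})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, typed commands, wrapped continuation lines
        s, proto, msg = st[m["intf"]], m["proto"], m["msg"]
        if proto == "LCP" and msg == "State is Open":
            s["lcp_open"] = True
        elif proto.startswith("AAA/AUTHOR") and msg == "Denied":
            s["denied"] += 1  # authorization rejected the link
        elif proto == "IPCP" and msg.startswith("O CONFREQ"):
            s["ncp_out"] += 1  # our IPCP request went out
        elif proto == "IPCP" and msg.startswith("I "):
            s["ncp_in"] += 1  # the peer sent us any IPCP packet
    verdicts = {}
    for intf, s in st.items():
        if s["denied"]:
            verdicts[intf] = f"authorization denied after LCP open ({s['denied']}x)"
        elif s["lcp_open"] and s["ncp_out"] >= 2 and s["ncp_in"] == 0:
            verdicts[intf] = f"IPCP unanswered ({s['ncp_out']} CONFREQ sent, 0 received)"
        elif s["lcp_open"]:
            verdicts[intf] = "LCP open, no failure pattern seen"
        else:
            verdicts[intf] = "LCP never opened"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Run against both ends of the link, the first verdict points at the AAA authorization method list applied to the interface rather than at PPP option negotiation, and the second is what the remote end sees while the NAS keeps tearing the link down.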
12-30-2002 07:55 AM
You weren't using multilink in your first post...make sure you have:
multilink virtual-template 1
send the output of debug aaa authorization and debug radius and debug vtemplate...