cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1272
Views
0
Helpful
1
Replies

ASR1001 BNG

Ei Ei Tun
Level 1
Level 1

Hello Experts !

 

We are trying to set up ASR1001(IOS XE 16.8.x) as BNG and DMA(ver 4.2) as radius sever .

PPPOE with chap is used . So far , authentication between BNG and DMA is OK.

We are facing main problem with Authorization. We have trouble shoot a lot to get authorization successfully.We have contacted DMA support and they mentioned issue is at Cisco side.

lpttached is our setting and config.Help Please .

 

ASR1001 Config

aaa authentication login default local

aaa authentication ppp PPPOE group RAD local

aaa authorization network PPPOE group RAD local

aaa accounting send stop-record authentication failure

aaa accounting delay-start all

aaa accounting update periodic 5

aaa accounting network PPPOE start-stop group RAD

aaa session-id common

 

interface Virtual-Template11

 description VT-YAP-T1

 vrf forwarding INSIDE

 ip unnumbered Loopback11

 peer default ip address dhcp-pool PPPOE

 ppp mtu adaptive

 ppp authentication pap chap PPPOE

 ppp authorization PPPOE

 

 ppp accounting PPPOE

 

 

bba-group pppoe BBA

 virtual-template 11

 sessions per-mac limit 10

 sessions per-vlan limit 2048

 sessions auto cleanup

 

interface Loopback11

 

 vrf forwarding INSIDE

 ip address 172.18.0.1 255.255.240.0

 ip ospf network point-to-point

 ip ospf 1 area 0

 

 

interface GigabitEthernet0/0/3.6

 encapsulation dot1Q 6

 vrf forwarding INSIDE

 pppoe enable group BBA

 

radius server DMA

 address ipv4 172.20.0.12 auth-port 1812 acct-port 1813

 key CISCO

 

aaa group server radius RAD

 server name DMA

 server 172.17.0.12 auth-port 1812 acct-port 1813

 ip vrf forwarding INSIDE

 

ip radius source-interface Loopback1 vrf INSIDE

 

ip dhcp pool PPPOE

 vrf INSIDE

 network 172.18.0.0 255.255.240.0

 default-router 172.18.0.1

 dns-server 10.10.10.10

1 Reply 1

aelganzo
Cisco Employee
Cisco Employee

 

In order to have authorization working it need to enable dynamic authorization this to accept COA from AAA  as below 

"

aaa server radius dynamic-author
client x.x.x.x                 // AAA IP 
server-key aaacisco
ignore session-key
ignore server-key
!

"

Hope this is what you are looking for. 

BR

AbdelGalil