Re: ASR1K - LAC and LNS confgiuration with radius auth

Sultanov_Gafur · ‎10-20-2011

Hello to all

i have two ASR1K working as LAC and LNS, using following configuration

ASR_1, LAC:

vpdn enable

vpdn multihop

vpdn search-order domain

!

vpdn-group LAC

request-dialin

protocol l2tp

domain DOMAIN

initiate-to ip ASR_2 priority 1

local name LAC

no l2tp tunnel authentication

l2tp tunnel retransmit retries 6

!

policy-map type service TEST

service relay pppoe vpdn group LAC

pppoe service PPPoE

!

bba-group pppoe PPPoE

virtual-template 44

service profile TEST

sessions auto cleanup

!

interface Virtual-Template44

!

ASR_2, LNS:

vpdn enable

vpdn multihop

!

vpdn-group LNS

accept-dialin

protocol l2tp

virtual-template 1

terminate-from hostname LAC

lcp renegotiation on-mismatch

no l2tp tunnel authentication

relay pppoe bba-group PPPoE

!

interface Virtual-Template1

description PPPoE

ip unnumbered Loopback0

peer default ip address pool client

ppp authentication pap chap

!

bba-group pppoe PPPoE

virtual-template 1

!

this configuration works just fine when i have aaa local, when i'm trying to use radius - i get error message at client side.

Configuration guides mention that i should make adjustment in radius conf with attributes.

My question is - can i left radius conf intact and make changes only at ASR side.

Manuel Rodriguez · ‎10-24-2011

Hello Sultanov,

Are you going to use Radius authentication in both, LAC and LNS? What's your AAA config in those devices? Could you please share the config of both devices? Also, what kind of error do you get on the client?

You may also want to collect some debugs on the devices. Some helpful debugs would be:

- debug aaa authentication

- debug aaa authorization

- debug radius

- debus vpdn l2x-events

- debus vpdn l2x-errors

- debus vpdn l2x-packet

- debug ppp negotiation

- debug ppp authentication

You could use those in both, LAC and LNS to try to investigate what is happening with the call.

Best regards.

Sultanov_Gafur · ‎10-25-2011

Hello, thank you for your reply,

after several testings i found next configuration for aaa:

aaa authentication ppp default local

aaa authorization network default local

!

aaa authentication ppp RADIUS_LIST group radius

aaa authorization network RADIUS_LIST group radius

aaa accounting network RADIUS_LIST start-stop group radius

!

aaa is happen in LNS, LAC should just make relay of PPPoE. With this configuration on LAC when pppoe client makes call, LAC just forward to LNS where actual aaa is happen.

Configuration stay the same as above and i add just mtu 1492 command to virtual-templates

Windows pppoe client get error, that remote modem doesn't answer.

And another addition to question:

I test this configuration on dynamips with vmware - everything works perfect, when i migrate working configuration to real routers - i get error.

Any suggestions?

Little update:

Real routers 3825 and 2811

debug errors show

PPPoE 11: Error adjusting nas port format did

PPPoE: Received an invalid sip_info

maybe this helps

Sultanov_Gafur · ‎10-27-2011

Ok, i've change IOS version - and everything start to work,

here is configuration for those who interest. The AAA is local and happens in LNS, but you can change it freely to Radius:

This is LNS, in my case LNS is ASR1K:

aaa new-model

aaa authentication login CON none

aaa authentication ppp default local

aaa authorization network default local

!

line con 0

login authentication CON

logging sync

!

vpdn enable

vpdn multihop

!

vpdn-group LNS

accept-dialin

protocol l2tp

virtual-template 3

terminate-from hostname LAC

lcp renegotiation on-mismatch

no l2tp tunnel authentication

relay pppoe bba-group PPPOE

!

interface Virtual-Template3

description PPPOE_ZAR

ip unnumbered Loopback0

peer default ip address pool CLIENT

ppp authentication pap chap

!

bba-group pppoe PPPOE

virtual-template 3

sessions auto cleanup

!

ip host LAC

!

ip local pool CLIENT

!

username USER pass PASS

And for the LAC i have two routers- 3825 with ios 12.4 and another ASR1K. Both of them work.

This is Cisco3825:

!

aaa new-model

aaa authentication login CON none

aaa authentication ppp default local

aaa authorization network default local

!

vpdn enable

vpdn multihop

!

vpdn-group LAC

request-dialin

protocol l2tp

initiate-to ip

source-ip

local name LAC

no l2tp tunnel authentication # you can switch to l2tp tunn pass 0 SOME_KEY, same configuration at LNS side.

!

bba-group pppoe PPPOE

virtual-template 3

service profile PROFILE-1

!

subscriber profile PROFILE-1

service relay pppoe vpdn group LAC

pppoe service PROFILE-1

!

int virtual-templ 3

!

This is ASR1K:

aaa new-model

aaa authentication login CON none

aaa authentication ppp default local

aaa authorization network default local

!

aaa authorization subscriber-service default local

!

service-policy type control PPPOE_FORWARD

!

vpdn enable

!

vpdn-group LAC

request-dialin

protocol l2tp

domain

initiate-to ip

source-ip

local name LAC

no l2tp tunn authen

!

class-map type control match-all PROTO_PPP

match protocol ppp

!

policy-map type service PPPOE_RELAY

service vpdn group LAC

!

policy-map type control PPPOE_FORWARD

class type control PROTO_PPP event session-start

1 service-policy type service name PPPOE_RELAY

!

bba-group pppoe PPPOE

virtual-template 3

!

int virtual-templ 3

!

have a nice day :-)

Manuel Rodriguez · ‎10-27-2011

Hi Sultanov,

Sorry I missed your previous inquire.

Good to hear that your setup is working now!

Regarding those errors you saw before changing IOS, I did a bit of research and it could have been a SW defect since I found a couple of SW defects showing those symptoms. In any case, it's good to hear that it's working now for you.

Have a nice day!