10-20-2011 04:53 AM - edited 03-01-2019 02:29 PM
Hello to all,
I have two ASR1Ks working as LAC and LNS, using the following configuration:
ASR_1, LAC:
vpdn enable
vpdn multihop
vpdn search-order domain
!
vpdn-group LAC
request-dialin
protocol l2tp
domain DOMAIN
initiate-to ip ASR_2 priority 1
local name LAC
no l2tp tunnel authentication
l2tp tunnel retransmit retries 6
!
policy-map type service TEST
service relay pppoe vpdn group LAC
pppoe service PPPoE
!
!
bba-group pppoe PPPoE
virtual-template 44
service profile TEST
sessions auto cleanup
!
interface Virtual-Template44
!
ASR_2, LNS:
vpdn enable
vpdn multihop
!
vpdn-group LNS
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname LAC
lcp renegotiation on-mismatch
no l2tp tunnel authentication
relay pppoe bba-group PPPoE
!
!
interface Virtual-Template1
description PPPoE
ip unnumbered Loopback0
peer default ip address pool client
ppp authentication pap chap
!
bba-group pppoe PPPoE
virtual-template 1
!
!
This configuration works just fine when I have AAA local; when I try to use RADIUS, I get an error message on the client side.
Configuration guides mention that I should make adjustments in the RADIUS configuration with attributes.
My question is: can I leave the RADIUS configuration intact and make changes only on the ASR side?
10-24-2011 01:02 AM
Hello Sultanov,
Are you going to use RADIUS authentication on both the LAC and the LNS? What's your AAA config on those devices? Could you please share the config of both devices? Also, what kind of error do you get on the client?
You may also want to collect some debugs on the devices. Some helpful debugs would be:
- debug aaa authentication
- debug aaa authorization
- debug radius
- debug vpdn l2x-events
- debug vpdn l2x-errors
- debug vpdn l2x-packet
- debug ppp negotiation
- debug ppp authentication
You could use those on both the LAC and the LNS to try to investigate what is happening with the call.
Best regards.
10-25-2011 05:07 AM
Hello, thank you for your reply.
After several tests I found the following configuration for AAA:
aaa authentication ppp default local
aaa authorization network default local
!
aaa authentication ppp RADIUS_LIST group radius
aaa authorization network RADIUS_LIST group radius
aaa accounting network RADIUS_LIST start-stop group radius
!
AAA happens on the LNS; the LAC should just relay PPPoE. With this configuration on the LAC, when a PPPoE client makes a call, the LAC just forwards it to the LNS, where the actual AAA happens.
The configuration stays the same as above, and I just added the mtu 1492 command to the virtual-templates.
The Windows PPPoE client gets an error that the remote modem doesn't answer.
And another addition to the question:
I tested this configuration on dynamips with VMware and everything works perfectly; when I migrate the working configuration to real routers, I get an error.
Any suggestions?
A little update:
The real routers are a 3825 and a 2811.
The debug errors show:
PPPoE 11: Error adjusting nas port format did
PPPoE: Received an invalid sip_info
Maybe this helps.
10-27-2011 04:43 AM
OK, I've changed the IOS version and everything started to work.
Here is the configuration for those who are interested. The AAA is local and happens on the LNS, but you can change it freely to RADIUS.
This is the LNS; in my case the LNS is an ASR1K:
aaa new-model
aaa authentication login CON none
aaa authentication ppp default local
aaa authorization network default local
!
line con 0
login authentication CON
logging sync
!
vpdn enable
vpdn multihop
!
vpdn-group LNS
accept-dialin
protocol l2tp
virtual-template 3
terminate-from hostname LAC
lcp renegotiation on-mismatch
no l2tp tunnel authentication
relay pppoe bba-group PPPOE
!
interface Virtual-Template3
description PPPOE_ZAR
ip unnumbered Loopback0
peer default ip address pool CLIENT
ppp authentication pap chap
!
bba-group pppoe PPPOE
virtual-template 3
sessions auto cleanup
!
ip host LAC
!
ip local pool CLIENT
!
username USER pass PASS
And for the LAC I have two routers: a 3825 with IOS 12.4 and another ASR1K. Both of them work.
This is the Cisco 3825:
!
aaa new-model
aaa authentication login CON none
aaa authentication ppp default local
aaa authorization network default local
!
vpdn enable
vpdn multihop
!
vpdn-group LAC
request-dialin
protocol l2tp
initiate-to ip
source-ip
local name LAC
! you can switch to l2tp tunnel password 0 SOME_KEY, with the same configuration on the LNS side.
no l2tp tunnel authentication
!
bba-group pppoe PPPOE
virtual-template 3
service profile PROFILE-1
!
subscriber profile PROFILE-1
service relay pppoe vpdn group LAC
pppoe service PROFILE-1
!
int virtual-templ 3
!
This is ASR1K:
aaa new-model
aaa authentication login CON none
aaa authentication ppp default local
aaa authorization network default local
!
aaa authorization subscriber-service default local
!
service-policy type control PPPOE_FORWARD
!
vpdn enable
!
vpdn-group LAC
request-dialin
protocol l2tp
domain
initiate-to ip
source-ip
local name LAC
no l2tp tunn authen
!
class-map type control match-all PROTO_PPP
match protocol ppp
!
policy-map type service PPPOE_RELAY
service vpdn group LAC
!
policy-map type control PPPOE_FORWARD
class type control PROTO_PPP event session-start
1 service-policy type service name PPPOE_RELAY
!
bba-group pppoe PPPOE
virtual-template 3
!
int virtual-templ 3
!
have a nice day :-)
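An added example, not part of the original post or of any Cisco tooling: a small Python check that reads a LAC/LNS config pair like the one above and reports disabled L2TP tunnel authentication, an LNS `terminate-from hostname` that no LAC `local name` matches, and PAP enabled on an LNS interface. The sample configs are constructed from lines posted in this thread, and `stanzas` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample input: the relevant lines of the LAC and LNS configs posted above.
LAC_CFG = """vpdn-group LAC
local name LAC
no l2tp tunnel authentication
!
"""
LNS_CFG = """vpdn-group LNS
terminate-from hostname LAC
no l2tp tunnel authentication
!
interface Virtual-Template3
ppp authentication pap chap
!
"""

def stanzas(cfg, keyword):
    """Map stanza name -> body lines; a stanza runs from '<keyword> NAME' to the next '!'."""
    out, cur = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith(keyword + " "):
            cur = out.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            cur = None
        elif cur is not None and line:
            cur.append(line)
    return out

def audit(lac_cfg, lns_cfg):
    """Return findings about tunnel and PPP authentication for one LAC/LNS pair."""
    findings = []
    lac, lns = stanzas(lac_cfg, "vpdn-group"), stanzas(lns_cfg, "vpdn-group")
    for side, groups in (("LAC", lac), ("LNS", lns)):
        for name, body in groups.items():
            if "no l2tp tunnel authentication" in body:
                findings.append(f"{side} vpdn-group {name}: tunnel authentication disabled")
    # The LNS selects its vpdn-group by the hostname the LAC announces ('local name').
    names = {l.split()[-1] for b in lac.values() for l in b if l.startswith("local name ")}
    for name, body in lns.items():
        for l in body:
            if l.startswith("terminate-from hostname ") and l.split()[-1] not in names:
                findings.append(f"LNS vpdn-group {name}: no LAC uses local name {l.split()[-1]}")
    for name, body in stanzas(lns_cfg, "interface").items():
        if any(re.match(r"ppp authentication\b.*\bpap\b", l) for l in body):
            findings.append(f"LNS interface {name}: PAP enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(LAC_CFG, LNS_CFG)))
```

The check matches the full command forms that `show running-config` prints, so abbreviated input such as `no l2tp tunn authen` is not recognised.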
10-27-2011 05:44 AM
Hi Sultanov,
Sorry I missed your previous inquiry.
Good to hear that your setup is working now!
Regarding those errors you saw before changing IOS, I did a bit of research and it could have been a SW defect since I found a couple of SW defects showing those symptoms. In any case, it's good to hear that it's working now for you.
Have a nice day!