Re: IPoE Radius ASR1k

jorgenolla · ‎01-18-2019

Hi Team,

We are trying to test the configuration for ASR1k in our labs using the CSR demo VM. I’m not sure we have set AAA correctly, as we don’t see anything going out via radius. Not sure if we are missing something or doing something wrong.

CSR-BNG-01#show subscriber session

Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -

authenticated, TC Ct. - Number of Traffic Classes on the main session

Current Subscriber Information: Total sessions 2

Uniq ID Interface State Service Up-time TC Ct. Identifier

4 DHCPv4 unauthen Attempting 3d21h 0 b090.7ef1.14c8

3 DHCPv4 unauthen Attempting 3d21h 0 0004.5615.4e91

CSR-BNG-01#show radius statistics

Auth. Acct. Both

Maximum inQ length: NA NA 0

Maximum waitQ length: NA NA 0

Maximum doneQ length: NA NA 0

Total responses seen: 0 0 0

Packets with responses: 0 0 0

Packets without responses: 0 0 0

Access Rejects : 0

Average response delay(ms): 0 0 0

Maximum response delay(ms): 0 0 0

Number of Radius timeouts: 0 0 0

Duplicate ID detects: 0 0 0

Buffer Allocation Failures: 0 0 0

Maximum Buffer Size (bytes): 0 0 0

Malformed Responses : 0 0 0

Bad Authenticators : 0 0 0

Unknown Responses : 0 0 0

Source Port Range: (2 ports only)

1645 - 1646

Last used Source Port/Identifier:

1645/0

1646/0

Elapsed time since counters last cleared: 3d21h52m

Radius Latency Distribution:

<= 2ms : 0 0

3-5ms : 0 0

5-10ms : 0 0

10-20ms: 0 0

20-50ms: 0 0

50-100m: 0 0

>100ms : 0 0

Current inQ length : 0

Current doneQ length: 0

CSR-BNG-01#show run | sec aaa

aaa new-model

aaa group server radius SPLYNX

server name SPLYNX

server 10.0.254.101 auth-port 1812 acct-port 1813

aaa authentication login default local

aaa authentication login IP_AUTHEN_LIST group SPLYNX

aaa authorization network default group SPLYNX

aaa authorization subscriber-service default group SPLYNX

aaa accounting network default start-stop group SPLYNX

aaa server radius dynamic-author

client 10.0.254.101 server-key 3af1851f92d8

server-key 3af1851f92d8

port 3799

auth-type any

ignore session-key

ignore server-key

aaa session-id common

interface GigabitEthernet2

ip address 10.90.0.1 255.255.224.0

ip helper-address 10.0.254.101

negotiation auto

no mop enabled

no mop sysid

ip subscriber l2-connected

initiator unclassified mac-address ipv4

initiator dhcp

end

Alberto Romano · ‎01-29-2019

Hi,

you are missing all related to "control policy-map". You have a lot of reading about. Take a look at Intelligent Services Gateway Configuration Guide. For your lab simulation I suggest you to use the Cisco IOS XE 16.6 version due to its "IPoE with Framed Route" feature support. Once you have your control policy-map you'll need to bind It under the subscribers aggregation interface like the following:

interface GigabitEthernet2
 ip address 10.90.0.1 255.255.224.0
 ip helper-address 10.0.254.101
 negotiation auto
 no mop enabled
 no mop sysid
 service-policy type control YOUR_CONTROL_PM
 ip subscriber l2-connected
  initiator unclassified mac-address ipv4
  initiator dhcp
end

jorgenolla · ‎01-29-2019

Alberto,

It's clear that there is a lot of configuration steps that still need to be taken. I'm simply focusing on one issue, contacting the radius server.

For some reason the following radius configuration is not functioning:

aaa group server radius SPLYNX

server name SPLYNX

server 10.0.254.101 auth-port 1812 acct-port 1813

Once we configured radius with standard radius configuration, it worked:

radius-server host 10.0.254.101 auth-port 1812 acct-port 1813
radius-server key 123456

Alberto Romano · ‎01-29-2019

Ok, following is a working configuration:

aaa group server radius AAA_GROUP_RADIUS
 server name RADIUS_SRV1
 attribute nas-port format d
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format d
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria tries 3
radius-server retransmit 5
radius-server deadtime 15
!
radius server RADIUS_SRV1
 address ipv4 10.0.254.101 auth-port 1812 acct-port 1813
 timeout 3
 retransmit 5
 key test.123

See if It can help you. ;-)

In your snippet code you have defined a radius group (SPLYNX) with inside one radius server named (SPLYNX), but this one is not defined anywhere. In the othe one inside (10.0.254.101) the secret key is missing. I think this is your problem.