01-18-2019 08:10 AM - edited 03-01-2019 03:12 PM
Hi Team,
We are trying to test the configuration for ASR1k in our labs using the CSR demo VM. I’m not sure we have set AAA correctly, as we don’t see anything going out via radius. Not sure if we are missing something or doing something wrong.
CSR-BNG-01#show subscriber session
Codes: Lterm - Local Term, Fwd - forwarded, unauth - unathenticated, authen -
authenticated, TC Ct. - Number of Traffic Classes on the main session
Current Subscriber Information: Total sessions 2
Uniq ID Interface State Service Up-time TC Ct. Identifier
4 DHCPv4 unauthen Attempting 3d21h 0 b090.7ef1.14c8
3 DHCPv4 unauthen Attempting 3d21h 0 0004.5615.4e91
CSR-BNG-01#show radius statistics
Auth. Acct. Both
Maximum inQ length: NA NA 0
Maximum waitQ length: NA NA 0
Maximum doneQ length: NA NA 0
Total responses seen: 0 0 0
Packets with responses: 0 0 0
Packets without responses: 0 0 0
Access Rejects : 0
Average response delay(ms): 0 0 0
Maximum response delay(ms): 0 0 0
Number of Radius timeouts: 0 0 0
Duplicate ID detects: 0 0 0
Buffer Allocation Failures: 0 0 0
Maximum Buffer Size (bytes): 0 0 0
Malformed Responses : 0 0 0
Bad Authenticators : 0 0 0
Unknown Responses : 0 0 0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/0
1646/0
Elapsed time since counters last cleared: 3d21h52m
Radius Latency Distribution:
<= 2ms : 0 0
3-5ms : 0 0
5-10ms : 0 0
10-20ms: 0 0
20-50ms: 0 0
50-100m: 0 0
>100ms : 0 0
Current inQ length : 0
Current doneQ length: 0
CSR-BNG-01#show run | sec aaa
aaa new-model
aaa group server radius SPLYNX
 server name SPLYNX
 server 10.0.254.101 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login IP_AUTHEN_LIST group SPLYNX
aaa authorization network default group SPLYNX
aaa authorization subscriber-service default group SPLYNX
aaa accounting network default start-stop group SPLYNX
aaa server radius dynamic-author
 client 10.0.254.101 server-key 3af1851f92d8
 server-key 3af1851f92d8
 port 3799
 auth-type any
 ignore session-key
 ignore server-key
aaa session-id common
interface GigabitEthernet2
 ip address 10.90.0.1 255.255.224.0
 ip helper-address 10.0.254.101
 negotiation auto
 no mop enabled
 no mop sysid
 ip subscriber l2-connected
  initiator unclassified mac-address ipv4
  initiator dhcp
end
01-29-2019 03:54 AM
Hi,
You are missing everything related to "control policy-map". You have a lot of reading to do about it. Take a look at the Intelligent Services Gateway Configuration Guide. For your lab simulation I suggest you use the Cisco IOS XE 16.6 version due to its "IPoE with Framed Route" feature support. Once you have your control policy-map, you'll need to bind it under the subscribers' aggregation interface, like the following:
interface GigabitEthernet2
 ip address 10.90.0.1 255.255.224.0
 ip helper-address 10.0.254.101
 negotiation auto
 no mop enabled
 no mop sysid
 service-policy type control YOUR_CONTROL_PM
 ip subscriber l2-connected
  initiator unclassified mac-address ipv4
  initiator dhcp
end
01-29-2019 07:01 AM - edited 01-29-2019 07:02 AM
Alberto,
It's clear that there are a lot of configuration steps that still need to be taken. I'm simply focusing on one issue, contacting the radius server.
For some reason the following radius configuration is not functioning:
aaa group server radius SPLYNX
 server name SPLYNX
 server 10.0.254.101 auth-port 1812 acct-port 1813
Once we configured radius with standard radius configuration, it worked:
radius-server host 10.0.254.101 auth-port 1812 acct-port 1813
radius-server key 123456
01-29-2019 07:32 AM - edited 01-29-2019 07:44 AM
Ok, following is a working configuration:
aaa group server radius AAA_GROUP_RADIUS
 server name RADIUS_SRV1
 attribute nas-port format d
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format d
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria tries 3
radius-server retransmit 5
radius-server deadtime 15
!
radius server RADIUS_SRV1
 address ipv4 10.0.254.101 auth-port 1812 acct-port 1813
 timeout 3
 retransmit 5
 key test.123
See if It can help you. ;-)
In your code snippet you have defined a radius group (SPLYNX) containing one radius server named (SPLYNX), but this one is not defined anywhere. In the other one inside (10.0.254.101) the secret key is missing. I think this is your problem.
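The mismatch diagnosed in this thread can be caught before deployment with a small config check. The following is an added example, not code from any post in the thread: it flags members of an `aaa group server radius` block that have no matching server definition or no shared secret. It assumes a member needs either a `radius server NAME` block or a `radius-server host IP` line, plus a per-server key or a global `radius-server key`; the function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample: the server group from the question, indented as IOS prints it.
BROKEN = """\
aaa group server radius SPLYNX
 server name SPLYNX
 server 10.0.254.101 auth-port 1812 acct-port 1813
"""

def parse_blocks(config):
    """Group lines into (header, [sub-commands]) using IOS indentation."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def lint_radius_groups(config):
    """Return (group, entry, problem) for group members that cannot be used."""
    blocks = parse_blocks(config)
    named, hosts, global_key = {}, {}, False
    # Pass 1: collect server definitions and whether each carries a key.
    for header, subs in blocks:
        if m := re.fullmatch(r"radius server (\S+)", header):
            named[m[1]] = any(s.startswith("key ") for s in subs)
        elif m := re.match(r"radius-server host (\S+)(.*)", header):
            hosts[m[1]] = " key " in m[2]
        elif header.startswith("radius-server key "):
            global_key = True
    findings = []
    # Pass 2: resolve every group member against the definitions (assumed rule).
    for header, subs in blocks:
        if not (g := re.fullmatch(r"aaa group server radius (\S+)", header)):
            continue
        for s in subs:
            if m := re.fullmatch(r"server name (\S+)", s):
                defs, target = named, m[1]
            elif m := re.match(r"server (\d+\.\d+\.\d+\.\d+)", s):
                defs, target = hosts, m[1]
            else:
                continue
            if target not in defs:
                findings.append((g[1], s, "server not defined"))
            elif not (defs[target] or global_key):
                findings.append((g[1], s, "no shared secret"))
    return findings
```

Calling `lint_radius_groups(BROKEN)` reports both members of the SPLYNX group as undefined, since the sample contains no server definitions at all.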