LNS to provide IP from Radius

connectone
Level 4

Hello:

We currently use a 7301 router as an LNS and have it configured to use a local IP pool and dynamically assign an IP address to connecting DSL modems. We would like to start providing a static IP to a username that authenticates to a radius server. I was wondering what the LNS config should have to support receiving an IP address from the radius and not using the local pool on the router. We want the LNS to take the IP address that radius would provide and send that to the dsl modem.

If anyone could help with what config items are needed to support this I would appreciate it. What we are seeing now is radius authenticates the user, sends the IP address in the FRAMED-IP but the LNS picks an IP address from the local pool and assigns it. Just wondering what we are missing here to make the 7301 assign the ip from radius.

Thank you.

aaa authentication ppp vpdn local group radius
aaa authorization network vpdn group radius local
aaa authorization configuration default group radius
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network default
 action-type start-stop
 group radius
vpdn enable
!
vpdn-group NAME-HERE
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 lcp renegotiation always
 l2tp tunnel password 7 XXXx
 l2tp tunnel framing capabilities all
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1392
 timeout absolute 1440 0
 peer default ip address pool dslpool
 ppp mtu adaptive
 ppp authentication pap vpdn
 ppp timeout idle 597600
!
ip local pool dslpool x.x.x.x y.y.y.y

4 Replies

Andre Gustavo Albuquerque
Cisco Employee

Hello,

You don't need special configuration to accept configuration via RADIUS attributes.

The configuration you sent should be enough if the RADIUS is sending the right attributes.

You can check which attributes are being sent by the RADIUS server using some methods:

1) Use the command "test aaa group new-code"

   example:

ASR2-213-LNS#test aaa gr vpdn uv46-1@vpn1001 cisco new-code
User successfully authenticated
USER ATTRIBUTES
service-type         0   2 [Framed]
Framed-Protocol      0   1 [PPP]
addr                 0   172.21.0.1
routing              0   False
Framed-MTU           0   1492 (0x5D4)
noescape             0   True
autocmd              0   " ppp negotiate"

2) Use the commands "debug ppp nego" and "debug aaa radius"

The attribute returned by RADIUS has precedence over the virtual-template configuration.

HTH, Gustavo

Thank you for the suggestion. I added debug radius and this is what was returned. Instead of the user getting the IP y.y.y.20, the next available IP in the DHCP local pool, y.y.y.13, is assigned to the user instead.

Any other suggestions now that you are looking at this output?

Tor1-LNS1#test aaa group radius username@domain.ca password2 new-code
User successfully authenticated
Sep  3 01:57:59.682: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Sep  3 01:57:59.682: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Sep  3 01:57:59.682: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Sep  3 01:57:59.682: RADIUS(00000000): Config NAS IP: x.x.x.x
Sep  3 01:57:59.682: RADIUS(00000000): sending
Sep  3 01:57:59.682: RADIUS(00000000): Send Access-Request to x.x.x.x:1812 id 1645/49, len 65
Sep  3 01:57:59.682: RADIUS:  authenticator 7E 70 CF 47 95 E5 89 1A - C3 10 3E 3E 18 9F 3B D2
Sep  3 01:57:59.682: RADIUS:  User-Password       [2]   18  *
Sep  3 01:57:59.682: RADIUS:  User-Name           [1]   21  "username@domain.ca"
Sep  3 01:57:59.682: RADIUS:  NAS-IP-Address      [4]   6   y.y.y.y
Sep  3 01:57:59.710: RADIUS: Received from id 1645/49 x.x.x.x:1812, Access-Accept, len 68
Sep  3 01:57:59.710: RADIUS:  authenticator AF CA 04 C3 A0 89 A5 69 - B7 33 6D A4 7E 56 B5 D9
Sep  3 01:57:59.710: RADIUS:  Service-Type        [6]   6
Tor1-LNS1#Framed                    [2]
Sep  3 01:57:59.710: RADIUS:  Idle-Timeout        [28]  6   86400
Sep  3 01:57:59.710: RADIUS:  Framed-IP-Address   [8]   6   y.y.y.y.20
Sep  3 01:57:59.710: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255
Sep  3 01:57:59.710: RADIUS:  Framed-MTU          [12]  6   1500
Sep  3 01:57:59.710: RADIUS:  Message-Authenticato[80]  18
Sep  3 01:57:59.710: RADIUS:   81 C4 3A 66 96 11 D3 E6 CF AD AF D2 A5 84 08 CA  [??:f????????????]
Sep  3 01:57:59.710: RADIUS(00000000): Received from id 1645/49
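The debug output above shows the raw Access-Accept the LNS receives: a 20-byte header, then Type/Length/Value attributes (Service-Type, Idle-Timeout, Framed-IP-Address, Framed-IP-Netmask, Framed-MTU, Message-Authenticator), 68 bytes in total. The following is an added example, not code from this thread or from Cisco IOS, that rebuilds such a packet, runs the two checks a NAS applies before trusting those attributes (the RFC 2865 Response Authenticator and the RFC 2869 Message-Authenticator, both keyed by the shared secret), and decodes the attributes into the names debug radius prints. The shared secret, RADIUS identifier, request authenticator and the address 192.0.2.20 are constructed stand-ins for the values masked in the post.

```python
"""Decode a RADIUS Access-Accept and verify its authenticators (RFC 2865/2869).

Added example, not from the thread or from IOS. Secret, identifier, request
authenticator and addresses are constructed values.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_FRAMED = 2

# Attribute type codes (RFC 2865 / 2869) with the names debug radius prints.
ATTR_NAMES = {6: "Service-Type", 8: "Framed-IP-Address", 9: "Framed-IP-Netmask",
              12: "Framed-MTU", 28: "Idle-Timeout", 80: "Message-Authenticator"}
IPV4_ATTRS = {8, 9}          # value is a 4-octet address
INTEGER_ATTRS = {6, 12, 28}  # value is a 32-bit big-endian integer


class RadiusError(ValueError):
    """Malformed packet or failed authenticator check."""


def tlv(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_accept(identifier, request_auth, secret, attrs):
    """Assemble an Access-Accept the way a RADIUS server does."""
    body = b"".join(tlv(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body) + 18)
    # Message-Authenticator = HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attrs),
    # computed with its own value set to 16 zero octets.
    zeroed = body + tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    msg_auth = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    body += tlv(MESSAGE_AUTHENTICATOR, msg_auth)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret).
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    """Walk the TLV list, rejecting bad lengths; returns (type, value, offset)."""
    out, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise RadiusError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise RadiusError(f"bad length {length} for attribute {attr_type}")
        out.append((attr_type, body[pos + 2:pos + length], pos))
        pos += length
    return out


def verify_access_accept(packet, request_auth, secret):
    """Check both authenticators against the Access-Request's authenticator.

    Returns the attribute list; raises RadiusError so a forged or corrupted
    reply never yields a Framed-IP-Address to hand to the peer.
    """
    if len(packet) < 20:
        raise RadiusError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise RadiusError("not a well-formed Access-Accept")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise RadiusError("Response Authenticator mismatch (wrong secret or tampered)")
    attrs = parse_attributes(body)
    for attr_type, value, off in attrs:
        if attr_type != MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            raise RadiusError("Message-Authenticator must be 16 octets")
        zeroed = bytearray(body)
        zeroed[off + 2:off + 18] = bytes(16)
        calc = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
        if not hmac.compare_digest(calc, value):
            raise RadiusError("Message-Authenticator mismatch")
    return attrs


def decode_attributes(attrs):
    """Map raw attributes to the names and values debug radius would print."""
    decoded = {}
    for attr_type, value, _ in attrs:
        name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
        if attr_type in IPV4_ATTRS:
            decoded[name] = str(ipaddress.IPv4Address(value))
        elif attr_type in INTEGER_ATTRS:
            decoded[name] = struct.unpack("!I", value)[0]
        else:
            decoded[name] = value.hex()
    return decoded


def peer_address(decoded):
    """(address, mask) to assign if Service-Type is Framed and an address came back;
    None means nothing usable arrived and a local pool would be the fallback."""
    if decoded.get("Service-Type") != SERVICE_TYPE_FRAMED or "Framed-IP-Address" not in decoded:
        return None
    return decoded["Framed-IP-Address"], decoded.get("Framed-IP-Netmask", "255.255.255.255")


# Constructed stand-ins for the secret, identifier and y.y.y.20 masked in the post.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
IDENTIFIER = 49


def example_accept():
    """Build, verify and decode an Access-Accept carrying the attributes seen above."""
    packet = build_access_accept(IDENTIFIER, REQUEST_AUTH, SECRET, [
        (6, struct.pack("!I", SERVICE_TYPE_FRAMED)),
        (28, struct.pack("!I", 86400)),
        (8, ipaddress.IPv4Address("192.0.2.20").packed),
        (9, ipaddress.IPv4Address("255.255.255.255").packed),
        (12, struct.pack("!I", 1500)),
    ])
    return packet, decode_attributes(verify_access_accept(packet, REQUEST_AUTH, SECRET))


if __name__ == "__main__":
    pkt, attrs = example_accept()
    print(len(pkt), attrs, peer_address(attrs))
```

The packet this builds is 68 bytes, the same length as the Access-Accept in the debug above, because the attribute set is identical. Flipping any byte of the reply, or checking it with a different secret, fails the Response Authenticator check before any attribute is decoded; only a reply that passes both checks can supply the address the LNS should prefer over its local pool.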

Could you send the "debug ppp nego" output?

What is the software version?

Sent from Cisco Technical Support iPad App

Andre Gustavo Albuquerque
Cisco Employee

Not sure if this is causing the problem, but the aaa authentication command seems to be wrong.

aaa authentication ppp vpdn local group radius
aaa authorization network vpdn group radius local

If you want to have a fallback to local authentication, you should use the commands below instead:

aaa authentication ppp vpdn group radius local
aaa authorization network vpdn group radius local

Ideally, you should have only RADIUS:

aaa authentication ppp vpdn group radius
aaa authorization network vpdn group radius

HTH, Gustavo