04-30-2020 05:21 AM - edited 04-30-2020 02:26 PM
Hi there,
I have been using an ASR1006 RP2 (IOS-XE 16.06.02) as a BNG for years, with free RADIUS for AAA. I have always used alphanumeric usernames (e.g. user1234) and things have been working normally.
Recently we acquired a group of users whose username scheme is different: they all have domain names in their usernames (e.g. user1234@domainA). Problems started when we noticed that the RADIUS is receiving two access requests from the BNG for authentication: the first one is normal (user1234@domainA/password), and the other one has the domain name only, with the password "cisco" (domainA/cisco).
I don't know if I am missing something that should have been configured or if the ASR1006 is just misbehaving.
aaa group server radius dakotarslrgrp
 server name dakotarslrRADIUS
 ip radius source-interface Loopback0

radius server dakotarslrRADIUS
 address ipv4 10.10.20.1 auth-port 1812 acct-port 1813
 key 7 **************

aaa accounting network dakotarslr start-stop group dakotarslrgrp
aaa authorization network dakotarslr group dakotarslrgrp
aaa authentication ppp dakotarslr group dakotarslrgrp

bba-group pppoe dakotarslr
 virtual-template 12
 sessions per-mac limit 1
 sessions per-vlan limit 100 inner 1
 sessions auto cleanup

interface Virtual-Template12
 ip unnumbered Loopback0
 ip access-group shield-in in
 ip access-group shield-out out
 no logging event link-status
 no peer default ip address
 keepalive 40
 ppp lcp delay 5
 ppp authentication pap dakotarslr
 ppp authorization dakotarslr
 ppp accounting dakotarslr
 ppp ipcp dns 8.8.8.8 8.8.8.4
 ppp ipcp address unique
 ppp timeout authentication 60
 service-policy input 2M-placeholder
 service-policy output 2M-placeholder

policy-map 2M-placeholder
 class class-default
  police 2048000 conform-action transmit exceed-action drop
BNG debug:

Mar 22 15:13:15.930: RADIUS(39E3A495): Send Access-Request to 10.10.20.1:1812 id 1645/91, len 187
RADIUS: authenticator CC 36 CD 90 1B 4A 69 F7 - 2A AF 6F 71 56 EE 2E 50
Mar 22 15:13:15.930: RADIUS: Framed-Protocol [7] 6 PPP [1]
Mar 22 15:13:15.930: RADIUS: User-Name [1] 18 "user1@domainA"
Mar 22 15:13:15.930: RADIUS: User-Password [2] 18 *
Mar 22 15:13:15.930: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 22 15:13:15.930: RADIUS: Vendor, Cisco [26] 21
Mar 22 15:13:15.930: RADIUS: cisco-nas-port [2] 15 "2/0/7/294.123"
Mar 22 15:13:15.930: RADIUS: NAS-Port [5] 6 655515771
Mar 22 15:13:15.930: RADIUS: NAS-Port-Id [87] 15 "2/0/7/294.123"
Mar 22 15:13:15.930: RADIUS: Vendor, Cisco [26] 41
Mar 22 15:13:15.930: RADIUS: Cisco AVpair [1] 35 "client-mac-address=74da.3821.3d44"
Mar 22 15:13:15.930: RADIUS: Service-Type [6] 6 Framed [2]
Mar 22 15:13:15.930: RADIUS: NAS-IP-Address [4] 6 5.1.1.2
Mar 22 15:13:15.930: RADIUS: Acct-Session-Id [44] 24 "2/0/7/294.123_3A03ADF9"
Mar 22 15:13:15.930: RADIUS(39E3A495): Sending a IPv4 Radius Packet
Mar 22 15:13:15.930: RADIUS(39E3A495): Started 5 sec timeout
Mar 22 15:13:15.982: RADIUS: Received from id 1645/91 10.10.20.1:1812, Access-Accept, len 77
RADIUS: authenticator 06 CF F8 00 54 D8 4A FC - 9A 6F 9D 0B FD 72 9B 3E
Mar 22 15:13:15.982: RADIUS: Vendor, Cisco [26] 51
Mar 22 15:13:15.982: RADIUS: Cisco AVpair [1] 45 "ip:dns-servers=8.8.8.8 8.8.8.4"
Mar 22 15:13:15.982: RADIUS: Framed-IP-Address [8] 6 199.46.2.8
Mar 22 15:13:15.982: RADIUS(39E3A495): Received from id 1645/91
Mar 22 15:13:17.980: RADIUS/ENCODE(39E3A4F5):Orig. component type = PPPoE
Mar 22 15:13:17.980: RADIUS: DSL line rate attributes successfully added
Mar 22 15:13:17.980: RADIUS(39E3A4F5): Config NAS IP: 217.139.253.19
Mar 22 15:13:17.980: RADIUS(39E3A4F5): Config NAS IPv6: ::
Mar 22 15:13:17.981: RADIUS/ENCODE(39E3A4F5): acct_session_id: 973319769
Mar 22 15:13:17.981: RADIUS/ENCODE(39E3A4F5): Acct-session-id pre-pended with Nas Port = 2/0/7/294.123
Mar 22 15:13:17.981: RADIUS(39E3A4F5): sending
Mar 22 15:13:17.981: RADIUS(39E3A4F5): Send Access-Request to 10.10.20.1:1812 id 1645/126, len 167
RADIUS: authenticator 5E 1E 77 3D D5 8A 40 20 - 86 A2 6A 88 43 B9 CF 27
Mar 22 15:13:17.981: RADIUS: User-Name [1] 4 "domainA"
Mar 22 15:13:17.981: RADIUS: User-Password [2] 18 *
Mar 22 15:13:17.981: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 22 15:13:17.981: RADIUS: Vendor, Cisco [26] 21
Mar 22 15:13:17.981: RADIUS: cisco-nas-port [2] 15 "2/0/7/294.123"
Mar 22 15:13:17.981: RADIUS: NAS-Port [5] 6 655515771
Mar 22 15:13:17.981: RADIUS: NAS-Port-Id [87] 15 "2/0/7/294.123"
Mar 22 15:13:17.981: RADIUS: Vendor, Cisco [26] 41
Mar 22 15:13:17.981: RADIUS: Cisco AVpair [1] 35 "client-mac-address=74da.3821.3d44"
Mar 22 15:13:17.981: RADIUS: Service-Type [6] 6 Outbound [5]
Mar 22 15:13:17.981: RADIUS: NAS-IP-Address [4] 6 5.1.1.2
Mar 22 15:13:17.981: RADIUS: Acct-Session-Id [44] 24 "2/0/7/294.123_3A03AE59"
Mar 22 15:13:17.981: RADIUS(39E3A4F5): Sending a IPv4 Radius Packet
Mar 22 15:13:17.981: RADIUS(39E3A4F5): Started 5 sec timeout
Mar 22 15:13:18.984: RADIUS: Received from id 1645/126 10.10.20.1:1812, Access-Reject, len 20

RADIUS log:

Tue Apr 28 15:01:25 2020 : Auth: (13224) Login OK: [user1@domainA/password] (from client asr1006-bng port 655515998)
Tue Apr 28 15:01:39 2020 : Auth: (13225) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [domainA/cisco] (from client asr1006-bng port 655515977)
Your help is much appreciated!
BR,
MP