IOS XR BNG Authentication failed

anas.abdullkarim · ‎06-20-2022

hello, I have router A9K IOS XR 6.6.3, which is configured as BNG PPPoE, and connected to the radius server for Authentication,

the client is connected normally, and the router working fine, but after BNG reaches 987 sessions, any new client tries to connect, but he gets failed Authentication, I check the radius server, and the radius is accepted auth and sends a message to the router, but the router rejects this session?

radius-server host 94.231.199.99 auth-port 1812 acct-port 1813
 key 7 080362692F2D31
!

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa radius attribute calling-station-id format MAC_RADIUS
aaa accounting subscriber default group radius
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
subscriber

pppoe bba-group PPPOE-BBA
 mtu 1508
 tag ppp-max-payload minimum 1500 maximum 1508
 service selection disable
 pado delay 0
 timeout completion 30
!

aaa server radius dynamic-author
 port 1700
 client 94.231.199.99 vrf default
  server-key 7 106C273E232326
 !
!

policy-map type control subscriber PPPOE_DEFAULT
 event session-start match-first
  class type control subscriber PPP do-until-failure
   10 activate dynamic-template TPL
  ! 
 ! 
 event session-activate match-first
  class type control subscriber PPP do-until-failure
   10 authenticate aaa list default
  ! 
 ! 
 end-policy-map
!

marce1000 · ‎06-20-2022

- It's kind of 'dark shot' , but using latest advisory release : https://software.cisco.com/download/home/286326412/type/280805694/release/7.5.2 , can always be useful to check if the problem is 'persistent'

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

anas.abdullkarim · ‎06-20-2022

Hello, i try two versions

6.4.2 and 6.6.3 and same issue,

maybe session need license?

anas.abdullkarim · ‎06-20-2022

user from 1 to 987 is connected,

user988 and above is not connected

User name:                user988
Formatted User name:      unknown
Client User name:         unknown
Outer VLAN ID:            1800
Inner VLAN ID:            100
Subscriber Label:         0x04009428
Created:                  Tue Jun 21 00:32:06 2022
State:                    Disconnecting, Tue Jun 21 00:32:06 2022

Disconnect Reason:
Disconnect Cause:         AAA_DISC_CAUSE_DEFAULT (0)
Abort Cause:              AAA_AV_ABORT_CAUSE_NO_REASON (0)
Terminate Cause:          AAA_AV_TERMINATE_CAUSE_NONE (0)
Disconnect called by:     ppp_ma
Authentication:           unauthenticated
Authorization:            unauthorized
Ifhandle:                 0x0a038540
Session History ID:       0
Access-interface:         TenGigE0/3/0/1.1800
Disconnect Requesters:    0x00000030 {PPPoE,PPP}
Disconnect Helpers:       0x00000000 {}
SRG Flags:                0x00000000(N)
SRG Group ID:             0
Prepaid State:            (Disabled)
Policy Executed:

event Session-Start match-first [at 1655760726]
 class type control subscriber PPP do-until-failure [Succeeded]
 10 activate dynamic-template QINQ [cerr: No error][aaa: Success]
event Session-Activate match-first [at 1655760737]
 class type control subscriber PPP do-until-failure [Succeeded]
 10 authenticate aaa list default [cerr: No error][aaa: Success]
Session Accounting: disabled
Last COA request received: unavailable
User Profile received from AAA: None
Pending Callbacks: PPSM->Subdb-DESTROY,PPSM-Sub>Policy-Disc,Policy-Disc>PPSM,
Services:
  Name        : QINQ
  Service-ID  : 0x4000003
  Type        : Template
  Status      : Applied
[Event History]
   Jun 21 00:32:18.304 Service status update [many]
-------------------------
[Event History]
   Jun 21 00:32:06.656 SUBDB session create
   Jun 21 00:32:17.280 Session activate
   Jun 21 00:32:17.280 Authentication req
   Jun 21 00:32:17.408 Authentication res
   Jun 21 00:32:18.304 SUBDB produce done(fail)
   Jun 21 00:32:18.304 SUBDB produce done Start [many]
   Jun 21 00:32:18.304 SUBDB produce done [many]
   Jun 21 00:32:18.432 SUBDB destroy