on 11-07-2011 01:58 PM
In this document we walk through a configuration that sets up BNG for IPoE and PPPoE. The setup is similar to the one shown in the YouTube video for the IP sessions demo.
It gives a detailed description of how to set up the configuration and the options for establishing PPPoE and IPoE sessions, and explains the anatomy of the control policy language.
hostname A9K-BNG
radius-server host 3.0.0.38 auth-port 1645 acct-port 1646
!Radius-server definition with the IP address and the UDP ports it is going
!to use.
key 7 045802150C2E
!Secret key for the radius communication. Type 7 is a reversible
!obfuscation, not encryption: anyone who can read the configuration can
!recover the key.
timeout 1
!Maximum time (seconds) to wait for a response.
retransmit 1
!Maximum number of times the request is retransmitted after waiting
!<timeout> seconds. 1/1 is a lab setting; the XR defaults are 5 seconds and
!3 retransmits (visible in the show radius output further down).
!CoA server definition (the BNG acts as the dynamic-authorization server)
aaa server radius dynamic-author
port 1700
!The CoA port; 1700 is the standard port.
client 3.0.0.1 vrf default server-key 7 13061E010803
client 10.86.1.49 vrf default server-key 7 14141B180F0B
!The clients from which we accept CoA requests, each with its own key.
!Attribute format definitions that we can reference when building the
!username or the nas-port-id.
!"MY_AUTH" takes the MAC address, circuit ID and remote ID and
!appends them separated by hash signs. If one of the fields is
!not available, an empty string is used for that portion.
!Examples: 0000.1111.2222##remoteid or 0000.2222.1111#circ#remote
!
aaa attribute format MY_AUTH
mac-address plus circuit-id plus remote-id separator #
!
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
! NAS-Port computation for PPPoE (NAS-Port-Type 32); sessions that are not
! PPPoE follow the global (non-typed) format on the next line.
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
!Set up the XR nas-port-id (attribute 87) for sessions; it is built with the
!NAS_PORT_FORMAT attribute format defined above (circuit-id.remote-id).
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
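As an added example that is not part of the original post, the following Python packs and unpacks a 32-bit NAS-Port value according to a "format e" template string like the ones above. Each character of the template is one bit and identical letters form one field, most-significant bit first. The Nas-Port values in the show output further down (67108896 for the VLAN 2 session, 67110466 for the VLAN 100 PPPoE session) and in a later reply (2013265920 for VLAN 120 with the VVVVVVVVUUUU... format) decode consistently with V being the dot1q VLAN ID; the other letters are treated here as opaque field names, their meaning is not shown on this page.

```python
"""Added example: pack/unpack a RADIUS NAS-Port according to an IOS XR
'aaa radius attribute nas-port format e' template (one letter per bit).
Only V = dot1q VLAN is confirmed by the show outputs on the page; the other
letters are carried through as opaque field names."""
from collections import OrderedDict

FMT_BNG = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"   # the format used in this config
FMT_ISG = "VVVVVVVVUUUUUUUUUUUUUUUUUUUUUUUU"   # the format used in a later reply


def _fields(fmt):
    """Return [(letter, width)] in template order; a letter may form one run only."""
    if len(fmt) != 32:
        raise ValueError("format must be exactly 32 characters")
    out = []
    for ch in fmt:
        if out and out[-1][0] == ch:
            out[-1] = (ch, out[-1][1] + 1)
        else:
            out.append((ch, 1))
    letters = [f[0] for f in out]
    if len(letters) != len(set(letters)):
        raise ValueError("a letter may appear in only one contiguous run")
    return out


def decode_nas_port(fmt, value):
    """Split a 32-bit NAS-Port integer into {letter: field value}."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS-Port must fit in 32 bits")
    result = OrderedDict()
    shift = 32
    for letter, width in _fields(fmt):
        shift -= width
        result[letter] = (value >> shift) & ((1 << width) - 1)
    return result


def encode_nas_port(fmt, **fields):
    """Inverse of decode_nas_port; a field that does not fit its width is an error
    (a VLAN above 1023 cannot be represented in the 10-bit V field, for example)."""
    value = 0
    for letter, width in _fields(fmt):
        v = fields.get(letter, 0)
        if not 0 <= v < (1 << width):
            raise ValueError("field %s=%d does not fit in %d bits" % (letter, v, width))
        value = (value << width) | v
    return value
```

decode_nas_port(FMT_BNG, 67110466) gives V=100 and U=2, matching Bundle-Ether100.100.pppoe2 in the show output; decode_nas_port(FMT_ISG, 2013265920) gives V=120. The width check in encode_nas_port is the part worth keeping in any tooling that builds these values on the RADIUS side: a field that silently overflows corrupts the neighbouring fields.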
!Set up for AAA usage. Note that there is no "aaa new-model" in
!XR. The "subscriber" method list type is used for BNG; method type "ppp"
!is used for serial PPP.
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
!DHCP configuration
dhcp ipv4
!Specify a profile name and define which mode is used: relay, proxy
!or snooping.
profile AutoSelectGiaddr proxy
!Different classes may be defined. A class is not necessarily the
!vendor class: here we check certain options in the discover
!to selectively set the helper address and the giaddr. The giaddr
!determines which pool the DHCP server allocates from.
class HardPhone1
match option 60 hex 4861726450686F6E6531 mask 0
!Option 60 is the vendor class; the hex string is its value
!(4861726450686F6E6531 is "HardPhone1"). I chose it to match the class
!name on the line above, but that is not required. The mask defines which
!bytes must match and which are don't-care; mask 0 means a full match.
helper-address vrf default 81.1.1.2 giaddr 10.1.1.254
!
class HardPhone2
match option 60 hex 4861726450686F6E6532 mask 0
helper-address vrf default 81.1.1.2 giaddr 172.28.15.254
!
relay information option
relay information policy replace
relay information option remote-id testme
relay information option allow-untrusted
! The configuration above defines the option 82 handling.
! allow-untrusted means that we accept DHCP requests that already carry
! option 82 but arrive with a 0.0.0.0 giaddr, which is normally the case
! when there is no relay between the client and the 9k; without it such
! packets are dropped. The policy decides what happens to the sub-options
! received from the client side versus the ones configured here (the
! remote-id testme), see the table below.
Relay information policy:

Case | Received option 82 sub-options | Configured option 82 sub-options | Forwarded (full-option-82 keep) | Forwarded (individual-suboption keep) | Forwarded (replace)
1 | rx-cid, rx-rid | in-rid, vpn-id | rx-cid, rx-rid | rx-cid, rx-rid, vpn-id | rx-cid, in-rid, vpn-id
2 | rx-cid | in-rid, vpn-id | rx-cid | rx-cid, in-rid, vpn-id | rx-cid, in-rid, vpn-id
3 | (none) | in-rid, vpn-id | in-rid, vpn-id | in-rid, vpn-id | in-rid, vpn-id

rx-cid / rx-rid: circuit-id / remote-id received in the packet; in-rid: the remote-id configured on the BNG; vpn-id: the VPN identifier sub-option the BNG adds.
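The option 82 handling described above (the MY_AUTH identifier composition, the allow-untrusted rule and the relay information policies in the table), as an added example in Python that is not code from the original post. It parses the relay agent information option out of a DHCP options field, applies the three policies from the table and composes a MY_AUTH style identifier. Assumptions made for the example: sub-option 151 is used for vpn-id, the configured values mirror the config above, and the sample packet bytes are constructed, not captured.

```python
"""Added example: DHCP option 82 parsing, the allow-untrusted rule, the
relay information policies from the table, and MY_AUTH identifier
composition.  Sample bytes and configured values are constructed."""

OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1     # RFC 3046 Agent Circuit ID
SUB_REMOTE_ID = 2      # RFC 3046 Agent Remote ID
SUB_VPN_ID = 151       # assumed code for the vpn-id sub-option in this example


def parse_dhcp_options(options):
    """Walk the TLV options area (after the magic cookie); returns {code: value}.
    Pad (0) has no length byte, end (255) terminates, anything truncated is an error."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        out[code] = value
        i += 2 + length
    return out


def parse_option82(value):
    """Split the option 82 value into {sub-option code: bytes} (TLV, no pad/end)."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d truncated" % code)
        subs[code] = data
        i += 2 + length
    return subs


def build_option82(subs):
    """Serialise {code: bytes} back into an option 82 value."""
    return b"".join(bytes([c, len(v)]) + v for c, v in sorted(subs.items()))


def accept_untrusted(giaddr, has_option82, allow_untrusted):
    """A request that already carries option 82 but has giaddr 0.0.0.0 is
    dropped unless 'relay information option allow-untrusted' is configured."""
    if has_option82 and giaddr == b"\x00\x00\x00\x00":
        return allow_untrusted
    return True


def apply_relay_policy(received, configured, policy):
    """Sub-options to forward under 'keep', 'keep-individual' or 'replace'."""
    if policy == "keep":                  # full option 82 kept as received
        return dict(received) if received else dict(configured)
    if policy == "keep-individual":       # received wins per sub-option
        merged = dict(configured)
        merged.update(received)
        return merged
    if policy == "replace":               # configured wins per sub-option
        merged = dict(received)
        merged.update(configured)
        return merged
    raise ValueError("unknown policy %r" % policy)


def my_auth_identifier(mac, subs, separator="#"):
    """'mac-address plus circuit-id plus remote-id separator #'; a missing
    field becomes an empty string, as the config comment describes."""
    cid = subs.get(SUB_CIRCUIT_ID, b"").decode("ascii", "replace")
    rid = subs.get(SUB_REMOTE_ID, b"").decode("ascii", "replace")
    return separator.join([mac, cid, rid])


# Constructed sample: a DISCOVER options area whose option 82 carries only a
# circuit-id (case 2 of the table), then the end option.
SAMPLE_OPTIONS = (bytes([53, 1, 1])                                   # DHCPDISCOVER
                  + bytes([OPT_RELAY_AGENT, 6, SUB_CIRCUIT_ID, 4]) + b"circ"
                  + bytes([255]))
CONFIGURED = {SUB_REMOTE_ID: b"testme", SUB_VPN_ID: b"default"}


def forward_sample(policy, allow_untrusted=True):
    """Run the sample DISCOVER (giaddr 0.0.0.0) through the checks; None = dropped."""
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    has82 = OPT_RELAY_AGENT in opts
    if not accept_untrusted(b"\x00\x00\x00\x00", has82, allow_untrusted):
        return None
    received = parse_option82(opts[OPT_RELAY_AGENT]) if has82 else {}
    return apply_relay_policy(received, CONFIGURED, policy)
```

The point to notice is in the replace rows: a circuit-id that arrives from the client side is still forwarded when no circuit-id is configured locally, so with allow-untrusted a client that inserts its own option 82 can choose the circuit-id that ends up in the username and in the DHCP server's view; only the sub-options you configure are actually overwritten.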
! Define the interfaces and the attached profiles
interface Bundle-Ether100.2 proxy profile AutoSelectGiaddr
interface Bundle-Ether1001.2 proxy profile AutoSelectGiaddr
!
pppoe bba-group X
tag ppp-max-payload minimum 1200 maximum 2000
service selection disable
! PPPoE group definition. Currently there is limited service selection
! support (just matching on the service name). The CoS values for PPPoE
! control packets can be defined here, as well as the processing/support
! for the max-payload tag. In IOS you could configure the processing of
! vendor tags and strip them selectively; in XR we always process the tags
! and always strip them from the PADR.
!IP address pool definition
pool vrf default ipv4 POOL
address-range 199.1.1.1 199.1.255.255
!
!The dynamic templates are like IOS virtual-templates. The base
!configuration for each session is defined here: L3 features as well
!as PPP specific parameters.
dynamic-template
type ppp TPL
ppp authentication chap
ppp ipcp dns 1.2.3.4 1.2.3.3
ppp ipcp peer-address pool POOL
ipv4 unnumbered Loopback1000
!
type ipsubscriber IPSUB
ipv4 unnumbered Loopback12
ipv4 access-group IPSUB_FAIL_ACL ingress
ipv4 access-group IPSUB_FAIL_ACL egress
!A few ACL definitions, referenced from the radius profile, the QoS
!class-maps or the dynamic template.
ipv4 access-list PERM_ALL
10 permit ipv4 any any
20 permit icmp any any
!
ipv4 access-list lab-video
20 permit udp any any eq 5544
30 permit udp host 49.1.1.2 any
!
ipv4 access-list IPSUB_FAIL_ACL
5 permit icmp any any
10 permit tcp any host 49.1.1.2 eq www
15 permit tcp host 49.1.1.2 eq www any
20 deny ipv4 any any
!QoS class-map used in CoA parameterized QoS (pQoS) requests.
!Remember that with pQoS you can define the policy-map via RADIUS,
!but the class-maps it references must be defined locally in XR.
class-map match-any VIDEO
match access-group ipv4 lab-video
end-class-map
!
class-map match-any 3play-voip
match access-group ipv4 telnet
end-class-map
!These are the class-maps used later in the control policy. You can
!match on various aspects of the interface/session, like username or
!domain. In this case we have simple class-maps that match on the
!protocol, so that we can differentiate between PPP and IP subscriber
!sessions.
!
class-map type control subscriber match-any PPP
match protocol ppp
end-class-map
!
class-map type control subscriber match-any DHCP
match protocol dhcpv4
end-class-map
!
!In this sample class-map we take the username, split it at the
!separator defined in the "format DOMAIN" attribute definition and check
!whether the domain part matches "vrf_vpn".
class-map type control subscriber match-any matchdomain
match domain vrf_vpn format DOMAIN
end-class-map
!
!This is the most important part: the XR control policy.
policy-map type control subscriber sub
event session-start match-first
!
!Events: during the session lifetime various events are triggered.
!Here we provide a handler for the session-start event. For PPPoE
!sessions it is triggered during PPPoE discovery (see the event table
!below), for IP sessions by the DHCP discover.
!match-first means that we handle only one class for the event: the
!first class that matches.
!This is as opposed to match-all, which means that we traverse all
!classes and, for every class that matches, execute the actions defined
!underneath it.
!
Event | When is it triggered?
session-start | When we get the first sign of life (for PPPoE that is at the PADR)
session-activate | At the authentication phase, i.e. when we have the username/password (PAP) or challenge/response (CHAP). PPPoE only.
authentication-failure* | When we receive an Access-Reject from RADIUS for an authenticate action
authentication-no-response | When the authentication method list does not return any response (success/reject)
authorization-failure* | When we receive an Access-Reject from RADIUS for an authorize action
authorization-no-response | When the authorization method list does not return any response (success/reject)
service-stop | When a service that is applied to the session is removed or stopped
class type control subscriber CLASS do-until-failure
!
!CLASS: underneath the event we define the classes. In this example
!I created two class-maps, matching specifically on DHCP and PPP sessions
!(CLASS stands for one of those class-map names).
!I can have one control policy with one event, and then use the class
!as the differentiator to determine what I want to do specifically and
!separately for each session type.
!
Do-until mode | What does it do?
do-until-failure | Execute the actions in sequence and stop at the first failure (e.g. an Access-Reject, no RADIUS response or a feature application failure).
do-until-success | Execute the actions in sequence and stop after the first one that succeeds.
do-all | Execute all actions, regardless of success or failure.
!
10 activate dynamic-template TPL
!
!Activation of the dynamic template configuration. PPP will take the
!LCP parameters and the authentication protocol from there.
!
!Class-actions:
!
event session-activate match-first
class type control subscriber CLASS do-until-failure
10 activate dynamic-template TPL
20 authenticate aaa list default
Note: because authenticate uses the username supplied on the line (for PPP the one sent in PAP/CHAP), it is generally useless on the session-start event. authorize, with which you compose the username from the MAC address, circuit-id etc., is useful in both session-start and session-activate.
!
!
end-policy-map
!
policy-map type control subscriber ipsub
event session-start match-first
class type control subscriber DHCP do-until-failure
10 authorize aaa list default identifier source-address-mac password cisco
! Use authorize here to compose the username that is sent to
! RADIUS: the identifier is the client's source MAC address and the
! password is the fixed string cisco. Note that this identifies the
! subscriber rather than authenticating it: a MAC address can be spoofed,
! so any device presenting that MAC receives the same RADIUS profile.
!
end-policy-map
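To make the event/class/action semantics described above concrete, here is an added example (not code from the original post) in the form of a small Python evaluator: events are match-first or match-all, classes run their numbered actions under do-until-failure, do-until-success or do-all, and each action returns Succeeded or Failed. The session and class objects, the RADIUS_USERS table and the template name EXTRA are simplifications constructed for the example; TPL and IPSUB are the template names from the config.

```python
"""Added example: evaluator for the control policy semantics (match-first /
match-all events, do-until-* classes, numbered actions).  Session, class
and RADIUS objects are constructed simplifications."""

RADIUS_USERS = {"0019.2f43.9a38": {"service-type": "Framed"}}   # constructed AAA data

EVENT_MODES = ("match-first", "match-all")
CLASS_MODES = ("do-until-failure", "do-until-success", "do-all")


def activate_dynamic_template(name):
    """'activate dynamic-template NAME': records the template on the session."""
    def action(session):
        session.setdefault("templates", []).append(name)
        return True
    return action


def authorize_by_mac(session):
    """'authorize aaa list default identifier source-address-mac': the MAC is
    the username, and the lookup fails for a subscriber RADIUS does not know."""
    profile = RADIUS_USERS.get(session["mac"])
    if profile is None:
        return False
    session["profile"] = profile
    return True


def run_class(cls, session):
    """Execute the numbered actions of one class under its do-* rule.
    Returns (executed, stopped_early); executed is a list of (seq, name, ok)."""
    mode = cls["mode"]
    if mode not in CLASS_MODES:
        raise ValueError("unknown class mode %r" % mode)
    executed = []
    for seq, name, action in sorted(cls["actions"], key=lambda a: a[0]):
        ok = bool(action(session))
        executed.append((seq, name, ok))
        if (mode == "do-until-failure" and not ok) or (mode == "do-until-success" and ok):
            break
    return executed, len(executed) < len(cls["actions"])


def run_event(event, session):
    """Dispatch one event over its classes in order: match-first stops after
    the first matching class, match-all runs every matching class.
    Returns [(class name, executed, stopped_early)] for the classes that ran."""
    if event["mode"] not in EVENT_MODES:
        raise ValueError("unknown event mode %r" % event["mode"])
    trace = []
    for cls in event["classes"]:
        if not cls["match"](session):
            continue
        executed, stopped = run_class(cls, session)
        trace.append((cls["name"], executed, stopped))
        if event["mode"] == "match-first":
            break
    return trace


def new_session(protocol, mac):
    return {"protocol": protocol, "mac": mac}


# session-start handler modelled on the policies above: PPP sessions only get
# the template, DHCP sessions are authorized by MAC; step 20 is a hypothetical
# extra action that shows what do-until-failure skips after a failure.
SESSION_START = {"mode": "match-first", "classes": [
    {"name": "PPP", "mode": "do-until-failure",
     "match": lambda s: s["protocol"] == "ppp",
     "actions": [(10, "activate dynamic-template TPL", activate_dynamic_template("TPL"))]},
    {"name": "DHCP", "mode": "do-until-failure",
     "match": lambda s: s["protocol"] == "dhcpv4",
     "actions": [(5, "activate dynamic-template IPSUB", activate_dynamic_template("IPSUB")),
                 (10, "authorize aaa list default", authorize_by_mac),
                 (20, "activate dynamic-template EXTRA", activate_dynamic_template("EXTRA"))]},
]}
```

Running a DHCP session with an unknown MAC through SESSION_START reproduces the trace in the show output further down: step 5 Succeeded, step 10 Failed, and, because the class is do-until-failure, step 20 never runs. Note the session is still created with the IPSUB template applied, which is why the dynamic template for unauthorized sessions needs a restrictive ACL like IPSUB_FAIL_ACL.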
! Define the bundle-ether master and configure destination-IP based
! load balancing, so that each subscriber hashes all of its traffic onto
! one member only, for accurate QoS.
interface Bundle-Ether100
bundle load-balancing hash dst-ip
! The IP session interface must have an IP address in order to
! accept IP packets (the DHCP discover).
! If the client clears the DHCP broadcast flag and expects a unicast
! offer, as Mac OS X and Windows XP do (the IOS DHCP client sets the
! broadcast flag), then this address MUST be in the same subnet as the
! IP session addresses; if it is not, we cannot unicast the offer.
interface Bundle-Ether100.2
ipv4 address 87.78.77.1 255.255.255.0
service-policy type control subscriber ipsub_fancy_auth
encapsulation dot1q 2
ipsubscriber ipv4 l2-connected
initiator dhcp
initiator unclassified-source
!
! Define the bundle sub interface for the right vlan, enable for PPPoE
! via the bba-group and attach the control policy
interface Bundle-Ether100.20
service-policy type control subscriber sub
pppoe enable bba-group X
encapsulation dot1q 20
! Loopback interface for ppp sessions
interface Loopback1000
ipv4 address 101.101.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0/19
! Enable LACP on the bundle member and set it to bundle-e100
bundle id 100 mode active
load-interval 30
!
interface GigabitEthernet0/1/0/19
! Enable LACP on the bundle member and set it to bundle-e100
bundle id 100 mode active
load-interval 30
Show command verification
RP/0/RSP0/CPU0:A9K-BNG#show subscr ses all det
Mon Nov 7 17:20:27.701 EDT
Interface: Bundle-Ether100.2.ip5
Circuit ID:
Remote ID: testme
Type: IP: DHCP-trigger
IP Address: 172.28.15.1, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000044
Nas-Port: 67108896
Username: unknown
Subscriber Label: 0x00000044
Created: Thu Nov 3 16:26:33 2011
State: Activated
Authentication: unauthenticated
Access-interface: Bundle-Ether100.2
Policy Executed:
policy-map type control subscriber ipsub_fancy_auth
event Session-Start match-first [at Thu Nov 3 16:26:33 2011]
class type control subscriber DHCP do-until-failure [Succeeded]
5 activate dynamic-template IPSUB [Succeeded]
10 authorize aaa list default [Failed]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: None
Interface: Bundle-Ether100.100.pppoe2
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IP Address: 199.1.1.2, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000145
Nas-Port: 67110466
Username: test
Subscriber Label: 0x00000145
Created: Thu Nov 3 16:28:10 2011
State: Activated
Authentication: authenticated
Access-interface: Bundle-Ether100.100
Policy Executed:
policy-map type control subscriber sub
event Session-Start match-first [at Thu Nov 3 16:28:10 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
event Session-Activate match-first [at Thu Nov 3 16:28:31 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
20 authenticate aaa list default [Succeeded]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: 0x500c0d24
1: service-type len= 4 value= Framed
2: sub-qos-policy-out len= 5 value= shape
XR 4.3 starts to see more and more SNMP support for the BNG solution.
The subscriber MIB is there (and the AAA server MIB), but I believe only for PPP sessions, which holds some useful info.
Other stuff for IP sessions, DHCP bindings, IP pools and the like are 5.x deliverables.
Lease proxy would "rewrite" the lease time received from the server to the configured value towards the client.
The client will renew against the BNG at half the configured lease time.
At half the lease time from the server we would be relaying that DHCP renew to the server.
So it only works for new sessions established after the config change.
regards
xander
I always re-establish the session when I change the DHCP lease, but it still does not change, really weird.
I have to look a little bit deeper into that.
Hmm, that is interesting. If this is a lab environment, maybe it is easy for you to capture some traces.
The most important ones are debug dhcp ipv4 proxy err/ev and debug dhcp ipv4 packet.
A sniffer capture from your client would be good to have also, to see what it is receiving from the proxy/BNG.
When you have those traces, it might be best to open a TAC case with that info, as it is easier to work on a case like this that way
than via the support forums.
regards
xander
Ok, I will do that as soon as I am done with the other tests I have to do on this BNG.
600 seconds is ok, but I would like to be able to change it.
Thank you, Alexander.
Hello Xander,
I have again a few questions for you.
The first one is whether it's possible to deauthenticate the user without terminating the session (logoff).
For example, the user has logged in to the captive portal; after some time he wants to log out, so he can log in again later.
Using logoff the session is terminated, and maybe some CPE will not detect that and will not send a DHCP discover again, or the user has to reconnect the cable. That is why we would like to set the authentication status to "unauthenticated" again.
The second question is about VRF. Is it possible to put the user in a VRF with the help of RADIUS attributes?
We have this setup on an Ericsson Redback 800. While testing the Cisco BNG I used "vrf forwarding" on the access interface because it's an L3 interface, and the user was automatically in the VRF because of the access interface.
Hey there!
Yes you can, you can send an account-logoff, no problem! This just moves the state of the subscriber to "unauthenticated" but doesn't remove the services (by default) or release the binding.
It does trigger an event in the policy that you can use to apply some other services, e.g. an ACL, HTTP-R, low QoS, stuff like that.
Yup, you can put a user in a VRF via RADIUS also. VRF transfer via CoA is not possible, however.
The attributes are AV pairs:
ipv4:ipv4-unnumbered and ipv4:vrf-id=...
cheers
xander
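The account-logoff exchange discussed above, as an added example that is not part of this thread: Python code that builds a RADIUS CoA-Request (RFC 5176) carrying the Cisco AV pair subscriber:command=account-logoff for a session selected by Acct-Session-Id, which is what the coa_w32 command line in the next message sends, and that verifies the request and response authenticators the way the BNG (with its configured server-key) and the client do. The shared secret BNGCOA and the session id 0000006c are taken from that command line; the BNG address passed to send_coa is whatever your dynamic-author client configuration points at, and nothing is sent unless send_coa is called.

```python
"""Added example: build, verify and send a RADIUS CoA-Request (RFC 5176)
carrying subscriber:command=account-logoff.  Secret and session id values
come from the thread; nothing is sent unless send_coa is called."""
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def attr(code, value):
    """RADIUS attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", code, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26): vendor-id 9, then the sub-type 1 (cisco-avpair) TLV."""
    body = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(body) + 2) + body
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + vsa)


def build_request(secret, identifier, attributes, code=COA_REQUEST):
    """Code(1) Id(1) Length(2) Authenticator(16) Attributes; the Request
    Authenticator is MD5(Code+Id+Length+16 zero octets+Attributes+Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_request(secret, packet):
    """What the BNG does with the client's server-key: check the length field,
    recompute the Request Authenticator and compare it in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(secret, request, code, attributes=()):
    """CoA-ACK/NAK as the BNG would send it: Response Authenticator is
    MD5(Code+Id+Length+RequestAuthenticator+Attributes+Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(secret, request, response):
    """Client side: the reply must carry our identifier and a valid authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(payload):
    """Split the attribute area into [(type, value)], rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return out


def account_logoff(secret, acct_session_id, identifier=1):
    """The packet behind: -1 44,<session-id> -2 26,9,1,subscriber:command=account-logoff"""
    return build_request(secret, identifier, [
        attr(ATTR_ACCT_SESSION_ID, acct_session_id.encode("ascii")),
        cisco_avpair("subscriber:command=account-logoff"),
    ])


def send_coa(secret, packet, host, port=1700, timeout=3.0):
    """Send to the BNG's dynamic-author port; returns 44 (CoA-ACK) or 45
    (CoA-NAK), or None on timeout or an unverifiable reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data[0] if verify_response(secret, packet, data) else None
```

Usage: send_coa(b"BNGCOA", account_logoff(b"BNGCOA", "0000006c"), "10.100.11.6"). Two things follow from the packet format: the only protection on a CoA-Request is the MD5 authenticator keyed with the shared secret, so the BNG's client list plus that secret are the whole access control for logging subscribers off, and anyone able to spoof a listed client address and holding the key can do it; and a client must check the response authenticator, otherwise a forged CoA-ACK is indistinguishable from a real one.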
Hmm, I used this line:
coa_w32.exe -n 10.100.11.6 -p 1700 -k BNGCOA -1 44,0000006c -2 26,9,1,subscriber:command=account-logoff
and it terminated my session (it disappeared on the BNG); after 30-60 seconds it appeared again because the CPE (Linksys WiFi router) reconnected.
Is there another attribute that I can use to set the authentication status to "unauthenticated"?
And regarding VRF: I was using "vrf forwarding" under the access interface. Is this needed?
You said that it's possible to put the user in the corresponding VRF with the vrf attribute. What kind of config do I need for that?
Something like this one:
interface Bundle-Ether992.3127
description # IPSUB #
ipv4 point-to-point
ipv4 unnumbered Loopback30
NO VRF INTERNET HERE
service-policy type control subscriber IP_SUB_PMAP
encapsulation dot1q 3127
ipsubscriber ipv4 l2-connected
initiator dhcp
initiator unclassified-source
interface Loopback30
vrf Internet
ipv4 address 10.100.30.1 255.255.255.0
dynamic-template
type service HTTP_FORCE_REDIRECT
service-policy type pbr HTTP_REDIRECT_PBR
!
type ipsubscriber IPSUB_TEMPLATE
vrf Internet
accounting aaa list default type session
ipv4 unnumbered Loopback30
I think that it is the same with PPPoE?
By the way, the customer has decided to buy two ASR9006 for BNG usage.
Hello!
I am trying to set up BNG on an ASR9001, SW version 4.3.1.
This is my config:
hostname ISG-10G
telnet vrf Mgmt ipv4 server max-servers 10
radius source-interface TenGigE0/0/2/0.11 vrf default
radius-server host 10.101.10.2 auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxxxxxxxx
!
aaa server radius dynamic-author
ignore server-key
client 10.101.10.2 vrf default
server-key 7 xxxxxxx
!
!
aaa attribute format LOGIN
remote-id plus circuit-id
!
aaa radius attribute nas-port format e VVVVVVVVUUUUUUUUUUUUUUUUUUUUUUUU
aaa accounting subscriber default group radius
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
cdp
vrf Mgmt
!
line console
exec-timeout 0 0
length 0
!
line default
exec-timeout 10000 0
absolute-timeout 10000
!
dhcp ipv4
profile DHCP proxy
helper-address vrf default 10.100.100.1 giaddr 192.168.1.1
relay information option
relay information policy keep
relay information option allow-untrusted
!
interface TenGigE0/0/2/0.120 proxy profile DHCP
!
interface Loopback100
ipv4 address 192.168.1.1 255.255.255.0
!
interface MgmtEth0/RSP0/CPU0/0
cdp
vrf Mgmt
ipv4 address 10.1.10.175 255.255.255.0
!
interface MgmtEth0/RSP0/CPU0/1
!
interface TenGigE0/0/2/0
cdp
mac-address 2.fc73.101b
!
interface TenGigE0/0/2/0.11
ipv4 address 10.11.11.10 255.255.255.224
encapsulation dot1q 11
!
interface TenGigE0/0/2/0.120
ipv4 point-to-point
ipv4 unnumbered Loopback100
service-policy type control subscriber ISG
encapsulation dot1q 120
ipsubscriber ipv4 l2-connected
initiator dhcp
!
!
interface TenGigE0/0/2/1
shutdown
!
interface TenGigE0/0/2/2
shutdown
!
interface TenGigE0/0/2/3
shutdown
!
router static
address-family ipv4 unicast
0.0.0.0/0 10.11.11.1
!
vrf Mgmt
address-family ipv4 unicast
0.0.0.0/0 10.1.1.254
!
!
!
router ospf 1
redistribute connected
area 1
interface TenGigE0/0/2/0.11
!
!
!
dynamic-template
type ipsubscriber FTTX
accounting aaa list default type session
ipv4 unnumbered Loopback100
!
!
!
class-map type control subscriber match-any IPoE
match protocol dhcpv4
end-class-map
!
policy-map type control subscriber ISG
event session-start match-first
class type control subscriber IPoE do-until-failure
10 activate dynamic-template FTTX
20 authorize aaa list default format LOGIN password ISG
!
end-policy-map
!
end
I use DHCP option 82.
All works well until authorization. The Access-Request goes to RADIUS, it answers with accept or reject, and I don't see the answer on the ASR. I sniffed traffic on the switch port to which the ASR is connected and I see packets from RADIUS, but:
sh radius
Thu Aug 22 15:10:30.678 MEST
Global dead time: 0 minute(s)
Number of Servers:1
Server: 10.101.10.2/1812/1813 is UP
Total Deadtime: 0s Last Deadtime: 0s
Timeout: 5 sec, Retransmit limit: 3
Quarantined: No
Authentication:
33 requests, 0 pending, 99 retransmits
0 accepts, 0 rejects, 0 challenges
132 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 0 ms latest rtt
Throttled: 0 transactions, 0 timeout, 0 failures
Estimated Throttled Access Transactions: 0
Maximum Throttled Access Transactions: 0
DEBUG:
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Received request [handle 0x504f4370] with server-group : default
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Building header for the Authorization request
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: radius_get_prfrd_srvr_info: Retrive Preferred Server info from attr list
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: radius_get_prfrd_srvr_info: Preferred server handle is set to NULL
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: (handle_nas_req) Couldn't retrive the preferred server info
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Trying to find the first radius server to use.
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Created transaction_id (69000030) for server group 6F000000
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Picking the rad id 253:1 sockfd 0x504D8E6C
LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: rctx 0x50466d00 added successfully
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Send Access-Request to 10.101.10.2:1812 id 253, len 409
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: authenticator 20 DE 84 08 7E DC CC 1B - DF 23 C2 1A 2D B9 8F B1
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Vendor,Cisco [26] 41
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Cisco AVpair [1] 35 client-mac-address=1cc1.dea0.2760
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Vendor,Unknown [26] 24 Unsupported[2] 18
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Vendor,Cisco [26] 38
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Cisco AVpair [1] 32 remote-id-tag=0006f4ec38aa2636
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Vendor,Unknown [26] 20 Unsupported[1] 14
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Vendor,Cisco [26] 35
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Cisco AVpair [1] 29 circuit-id-tag=00040078000a
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Vendor,Cisco [26] 34
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Cisco AVpair [1] 28 dhcp-vendor-class=MSFT 5.0
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: Acct-Session-Id [44] 10 040000d3
LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]: RADIUS: NAS-Port [5] 6 2013265920
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: NAS-Port-Id [87] 14 130/10/0/120
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: Vendor,Cisco [26] 20
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: cisco-nas-port [2] 14 130/10/0/120
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: User-Name [1] 31 0006f4ec38aa2636:00040078000a
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: Service-Type [6] 6 Outbound[5]
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: User-Password [2] 18 *
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: Vendor,Cisco [26] 33
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: Cisco AVpair [1] 27 parent-if-handle=67110080
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: NAS-Port-Type [61] 6 IPOEOVLAN[40]
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: Called-Station-Id [30] 14 00040078000a
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: Calling-Station-Id [31] 18 0006f4ec38aa2636
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: Event-Timestamp [55] 6 1377173723
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: Nas-Identifier [32] 9 BNG
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: RADIUS: NAS-IP-Address [4] 6 10.11.11.10
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: Got global deadtime 0
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: Using global deadtime = 0 sec
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: Start timer thread rad_ident 253 remote_port 1812 remote_addr 0xa650a02, socket 1347260012 rctx 0x50466d00
LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: Successfully sent packet and started timeout handler for rctx 0x50466d00
I.e. the ASR drops packets from RADIUS, but I don't know how to fix it. Please help me resolve this problem!!
Hi Andrew, you have this :
interface TenGigE0/0/2/0.120
ipv4 point-to-point
ipv4 unnumbered Loopback100
service-policy type control subscriber ISG
that is LC-based subscribers, which we don't support yet.
You need to move it to a bundle configuration, something like:
interface TenGigE0/0/2/0
bundle id 100 mode on
!disables lacp single member
int bundle-e100
int bundle-e100.120
ipv4 point-to-point
ipv4 unnumbered Loopback100
service-policy type control subscriber ISG
xander
Xander, thanks!!
You really helped me! It works!
Awesome!! thanks for letting me know Andrew!!
xander
Hello Xander! I need your help again.
Now RADIUS gives me an accept, but there is a problem with forwarding the DHCP discover to the DHCP server.
dhcp ipv4
profile DHCP proxy
helper-address vrf default 10.100.100.1 giaddr 192.168.1.1
relay information option
relay information policy keep
relay information option allow-untrusted
!
interface Bundle-Ether4.120 proxy profile DHCP
The DHCP server is routable, I can ping it. But I don't see any packets from the BNG.
192.168.1.1 belongs to Loopback100.
This is what I see in the debug:
RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]: RADIUS: Send Access-Request to 10.101.10.2:1812 id 101, len 398
RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]: RADIUS: authenticator 94 2C AF 79 53 20 7C 46 - 22 7A 3C 01 87 CF F3 AB
RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]: RADIUS: Vendor-Specific [26] 41
RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]: RADIUS: Vendor-Specific [26] 24
RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]: RADIUS: Vendor-Specific [26] 38
RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]: RADIUS: Vendor-Specific [26] 20
RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]: RADIUS: Vendor-Specific [26] 35
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: Acct-Session-Id [44] 10 0000045d
RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]: RADIUS: Vendor-Specific [26] 34
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: NAS-Port [5] 6 2013265920
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: Vendor-Specific [26] 17
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: User-Name [1] 31 0006f4ec38aa2636:00040078000a
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: NAS-Port-Id [87] 11 0/0/4/120
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: Service-Type [6] 6 Outbound[5]
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: User-Password [2] 18 *
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: NAS-Port-Type [61] 6 VIRTUAL_IPOEOVLAN[43]
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: Vendor-Specific [26] 28
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: Calling-Station-Id [31] 18 0006f4ec38aa2636
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: Called-Station-Id [30] 14 00040078000a
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: Event-Timestamp [55] 6 1377240459
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: Nas-Identifier [32] 9 BNG
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: RADIUS: NAS-IP-Address [4] 6 217.19.208.40
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: Got global deadtime 0
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: Start timer thread rad_ident 101 remote_port 1812 remote_addr 0xa650a02, socket 1342478092 rctx 0x501c6f38
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: Using global deadtime = 0 sec
RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: Successfully sent packet and started timeout handler for rctx 0x501c6f38
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: rctx found is 0x501c6f38
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: Radius packet decryption complete with rc = 0
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Received from id 101 10.101.10.2:1812, Access-Accept, len 713
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: authenticator A0 48 D8 80 89 9A 5E 59 - 93 02 3C 0A B5 4A 59 60
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 33
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 35
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 43
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 43
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 43
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 58
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 35
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 44
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 30
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 36
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 36
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Vendor-Specific [26] 31
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: RADIUS: Service-Type [6] 6 Outbound[5]
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: Freeing server group transaction_id (5F000011)
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: pack_length = 713 radius_len = 713
RP/0/RSP0/CPU0:Aug 23 09:47:39.496 : radiusd[1100]: rad_nas_reply_to_client: Received response from id : 101,packet type 2
RP/0/RSP0/CPU0:Aug 23 09:47:39.496 : radiusd[1100]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS
RP/0/RSP0/CPU0:Aug 23 09:47:39.496 : radiusd[1100]: (rad_nas_reply_to_client) Successfully stored the preferred server info
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1984: Session create response received from DPM: sub_label 0x0 (0)
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1225: Process packet event, client mode: PROXY
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1904: Init handler called for chaddr 1cc1.dea0.2760 with event DROP-PACKET
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1961: DISCOVER from chaddr 1cc1.dea0.2760 in proxy mode dropped
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_process_event: Init handler success
And:
sh dhcp ipv4 proxy statistics
Fri Aug 23 10:20:26.980 MEST
VRF | RX | TX | DR |
-------------------------------------------------------------------------------------------
default | 91 | 0 | 91 |
**nVSatellite | 0 | 0 | 0 |
Mgmt | 0 | 0 | 0 |
I don't understand why the router drops the discovers....
And I also tried to use a relay profile:
dhcp ipv4
profile DHCP relay
helper-address vrf default 10.100.100.1
relay information option
relay information policy keep
relay information option allow-untrusted
!
interface Bundle-Ether4.120 relay profile DHCP
interface Bundle-Ether4.120
ipv4 point-to-point
ipv4 unnumbered Loopback100
service-policy type control subscriber ISG
encapsulation dot1q 120
ipsubscriber ipv4 l2-connected
initiator dhcp
policy-map type control subscriber ISG
event session-start match-first
class type control subscriber IPoE do-until-failure
10 activate dynamic-template FTTX
20 authorize aaa list default format LOGIN password ISG
!
!
event authorization-failure match-first
class type control subscriber IPoE do-until-failure
10 activate dynamic-template HTTP_FORCE_REDIRECT
!
!
event timer-expiry match-first
class type control subscriber AUTH_TIMER_CM do-until-failure
10 disconnect
!
!
end-policy-map
In this case I get an IP from the DHCP server, but I don't see requests to RADIUS...
Don't know what to do without your help....
Hi there,
I've experienced this before. From my perspective, the DHCP process won't work until RADIUS gives the Access-Accept message.
Try "sh dhcp ipv4 proxy binding" to make sure that you already get the DHCP address for the subs, and also "show radius authentication" for the RADIUS session.
If RADIUS already gives an Access-Accept, something might be happening in the DHCP service itself, or in any policy between the BNG and the DHCP server; the configuration seems quite similar to mine.
Try also these debugs to verify the packet flow:
debug radius authentication
debug dhcp ipv4 proxy events
debug dhcp ipv4 errors
As you can see from my post above, RADIUS gives me an accept. But the discover is not forwarded to the DHCP server and in the debug I see this:
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1904: Init handler called for chaddr 1cc1.dea0.2760 with event DROP-PACKET
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1961: DISCOVER from chaddr 1cc1.dea0.2760 in proxy mode dropped
Also, from the debug commands that you requested I see this:
RP/0/RSP0/CPU0:Aug 23 13:15:29.683 : dhcpd[1068]: DHCPD ERROR: TP2468: rib route delete failed, null ifhandle or IPv4 address
But I think it's because there are no leases in the DHCP pool.
The result of "sh dhcp ipv4 proxy binding" is empty.
show radius authentication
Fri Aug 23 13:18:05.899 MEST
Server: 10.101.10.2, port: 1812/
144 requests, 0 pending, 0 retransmits
144 accepts, 0 rejects, 0 challenges
0 timeouts, 0 bad responses, 0 bad authenticators
0 unknown types, 0 dropped, 8 ms latest rtt
Throttled: 0 transactions, 0 timeout, 0 failures
Estimated Throttled Access Transactions: 0
Maximum Throttled Access Transactions: 0
So, in the debug I see "event DROP-PACKET" and don't know how to resolve this.
When I removed "service-policy type control subscriber ISG" from the interface, I got an IP from DHCP.
Maybe something is wrong in the service-policy or dynamic-template......
policy-map type control subscriber ISG
event session-start match-first
class type control subscriber IPoE do-until-failure
10 activate dynamic-template FTTX
20 authorize aaa list default format LOGIN password ISG
!
!
event authorization-failure match-first
class type control subscriber IPoE do-until-failure
10 activate dynamic-template HTTP_FORCE_REDIRECT
!
!
event timer-expiry match-first
class type control subscriber AUTH_TIMER_CM do-until-failure
10 disconnect
!
!
end-policy-map
dynamic-template
type service HTTP_FORCE_REDIRECT
service-policy type pbr HTTP_REDIRECT_PBR
!
type ipsubscriber FTTX
ipv4 unnumbered Loopback100
!
Which version do you use for BNG? Tracing back from the beginning, I assume you already installed the BNG license and configured the license on the appropriate linecard.
Try to remove these commands first from the policy-map and dynamic template and see the result:
event authorization-failure match-first
class type control subscriber IPoE do-until-failure
10 activate dynamic-template HTTP_FORCE_REDIRECT
!
!
event timer-expiry match-first
class type control subscriber AUTH_TIMER_CM do-until-failure
10 disconnect
!
!
type service HTTP_FORCE_REDIRECT
service-policy type pbr HTTP_REDIRECT_PBR
!
and capture the output of "show subscriber session all".
By the way, have you also sniffed the packets on the DHCP server itself?