xthuijs
Cisco Employee

Introduction

In this document we walk through a configuration that sets up BNG for IPoE and PPPoE. The setup for this configuration is similar to the setup you can see in the YouTube video for the IP sessions demo.

Problem Description

A detailed description of how to set up the configuration and the options for establishing PPPoE and IPoE sessions, together with an explanation of the anatomy of the control policy language.

Setup

[Figure: setup diagram, Slide3.JPG]

Configuration and Explanations

hostname A9K-BNG
!
radius-server host 3.0.0.38 auth-port 1645 acct-port 1646
 ! Radius-server definition with the IP address and UDP ports it is going to use.
 key 7 045802150C2E
 ! Secret key for the radius communication
 timeout 1
 ! Maximum time waiting for a response
 retransmit 1
 ! Maximum number of times you retransmit the request, after waiting <timeout> time.
!
! COA server definition
aaa server radius dynamic-author
 port 1700
 ! COA port is standard 1700
 client 3.0.0.1 vrf default server-key 7 13061E010803
 client 10.86.1.49 vrf default server-key 7 14141B180F0B
 ! The clients from which we are going to accept a COA.
!
! Attribute definitions that we can reference for the nas-port building.
! "MY_AUTH" will take the mac address, circuit ID and remote ID and
! append them together separated by hash signs. If one of the fields is
! not available, an empty string will be provided for that portion.
! Example: 0000.1111.2222##remoteid or 0000.2222.1111#circ#remote
!
aaa attribute format MY_AUTH
 mac-address plus circuit-id plus remote-id separator #
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
!
! Nas-port computation for PPPoE (type 32); if not PPPoE then follow the
! global (non-typed) logic.
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
! Set up the XR nas-port-id (attr 87) for sessions following the nas-port
! format instructions above.
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
! Set up for AAA usage. Note that we don't have "aaa new-model" in
! XR. Also "subscriber" is used for BNG. Method "PPP" is used for
! serial PPP.
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
!
! DHCP configuration
dhcp ipv4
 ! Specify a profile name and define what method is used: relay, proxy
 ! or snooping.
 profile AutoSelectGiaddr proxy
  ! Different classes may be defined. This is not necessarily the
  ! vendor class, but here we can check certain options in the discover
  ! to selectively set the helper address and giaddr. That last one
  ! will affect the pool we're going to use on the dhcp server.
  class HardPhone1
   match option 60 hex 4861726450686F6E6531 mask 0
   ! Option 60 is vendor-class followed by a hex string. I chose it
   ! to match the "class" name from the line above, but that is not
   ! necessary. The mask defines which bytes must match and which are
   ! don't-cares. A mask of 0 means full match.
   helper-address vrf default 81.1.1.2 giaddr 10.1.1.254
  !
  class HardPhone2
   match option 60 hex 4861726450686F6E6532 mask 0
   helper-address vrf default 81.1.1.2 giaddr 172.28.15.254
  !
  relay information option
  relay information policy replace
  relay information option remote-id testme
  relay information option allow-untrusted
  ! The configuration above defines the option 82 handling.
  ! Allow-untrusted means that we accept dhcp discovers with a 0.0.0.0
  ! giaddr, which is normally the case when there is no relay between
  ! the client and the 9k.

Relay information policy:

Case | Received packet      | Configured           | Forwarded packet,     | Forwarded packet,         | Forwarded packet,
     | option-82 suboptions | option-82 suboptions | full-option-82 keep   | individual-suboption keep | replace
-----+----------------------+----------------------+-----------------------+---------------------------+------------------------
1    | rx-cid, rx-rid       | in-rid, vpn-id       | rx-cid, rx-rid        | rx-cid, rx-rid, vpn-id    | rx-cid, in-rid, vpn-id
2    | rx-cid               | in-rid, vpn-id       | rx-cid                | rx-cid, in-rid, vpn-id    | rx-cid, in-rid, vpn-id
3    | (none)               | in-rid, vpn-id       | in-rid, vpn-id        | in-rid, vpn-id            | in-rid, vpn-id
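The three forwarding columns of the table above, worked through as an added Python example (not code from the original article and not IOS XR code): the merge rules are derived from the table's three cases, and `accept_discover` models the allow-untrusted behaviour as the article describes it, with the RFC 3046 rule that the untrusted case is a giaddr-0.0.0.0 packet that already carries option 82 added as an assumption. Policy names follow the table's column headings rather than CLI keywords.

```python
# Added example: the option-82 forwarding rules from the relay information
# policy table above, plus the allow-untrusted acceptance check.
# Not IOS XR code; policy names follow the table's column headings.
from typing import Dict

SUBOPTIONS = ("circuit-id", "remote-id", "vpn-id")   # order used in the table


def forward_option82(received: Dict[str, str], configured: Dict[str, str],
                     policy: str) -> Dict[str, str]:
    """Return the option-82 suboptions the BNG forwards to the DHCP server.

    received   - suboptions already present in the client's packet
    configured - suboptions the relay profile would insert itself
    policy     - one of the three table columns
    """
    if policy == "full-option-82 keep":
        # The whole received option wins; configured values are used only
        # when the packet carried no option 82 at all (table case 3).
        merged = dict(received) if received else dict(configured)
    elif policy == "individual-suboption keep":
        # Per suboption: a received value wins, configured fills the gaps
        # (case 1 gains vpn-id, case 2 also gains in-rid).
        merged = {**configured, **received}
    elif policy == "replace":
        # Per suboption: a configured value wins, received fills the gaps
        # (rx-cid survives in cases 1 and 2 because no cid is configured).
        merged = {**received, **configured}
    else:
        raise ValueError(f"unknown relay information policy: {policy}")
    return {k: merged[k] for k in SUBOPTIONS if k in merged}


def accept_discover(giaddr: str, has_option82: bool, allow_untrusted: bool) -> bool:
    """DISCOVER acceptance: giaddr 0.0.0.0 means no relay sits between the
    client and the BNG. Assumed RFC 3046 rule: such a packet that already
    carries option 82 is accepted only with allow-untrusted configured."""
    if giaddr != "0.0.0.0":
        return True                      # relayed packet, giaddr is trusted
    return allow_untrusted or not has_option82


# The table's three cases; the configured suboptions stay constant.
CONFIGURED = {"remote-id": "in-rid", "vpn-id": "vpn-id"}
CASES = {
    1: {"circuit-id": "rx-cid", "remote-id": "rx-rid"},
    2: {"circuit-id": "rx-cid"},
    3: {},
}
POLICIES = ("full-option-82 keep", "individual-suboption keep", "replace")


def policy_table() -> Dict[int, Dict[str, Dict[str, str]]]:
    """Rebuild the table: case number -> policy -> forwarded suboptions."""
    return {case: {p: forward_option82(rx, CONFIGURED, p) for p in POLICIES}
            for case, rx in CASES.items()}


if __name__ == "__main__":
    for case, row in policy_table().items():
        for policy, forwarded in row.items():
            print(f"case {case:<2} {policy:<26} -> {', '.join(forwarded.values()) or '(none)'}")
```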

! Define the interfaces and the attached profiles
 interface Bundle-Ether100.2 proxy profile AutoSelectGiaddr
 interface Bundle-Ether1001.2 proxy profile AutoSelectGiaddr
!
pppoe bba-group X
 tag ppp-max-payload minimum 1200 maximum 2000
 service selection disable
! PPPoE group definition. Currently there is limited service selection
! support (just matching on service name). The COS values for PPPoE
! control can be defined here, as well as the processing/support for the
! max-payload tag. In IOS you could configure the processing of vendor-tags
! and strip them selectively. In XR we always process the tags and we
! always strip them from a PADR.
!
! IP address pool definition
pool vrf default ipv4 POOL
 address-range 199.1.1.1 199.1.255.255
!
! The dynamic templates are like IOS virtual-templates. The base
! configuration for each session is defined here. L3 features as well
! as PPP specific parameters are defined here.
dynamic-template
 type ppp TPL
  ppp authentication chap
  ppp ipcp dns 1.2.3.4 1.2.3.3
  ppp ipcp peer-address pool POOL
  ipv4 unnumbered Loopback1000
 !
 type ipsubscriber IPSUB
  ipv4 unnumbered Loopback12
  ipv4 access-group IPSUB_FAIL_ACL ingress
  ipv4 access-group IPSUB_FAIL_ACL egress
!
! A few ACL definitions referenced in the radius profile, the qos class-maps
! or in the dynamic template.
ipv4 access-list PERM_ALL
 10 permit ipv4 any any
 20 permit icmp any any
!
ipv4 access-list lab-video
 20 permit udp any any eq 5544
 30 permit udp host 49.1.1.2 any
!
ipv4 access-list IPSUB_FAIL_ACL
 5 permit icmp any any
 10 permit tcp any host 49.1.1.2 eq www
 15 permit tcp host 49.1.1.2 eq www any
 20 deny ipv4 any any
!
! QOS class-map used in COA parameterized QOS requests.
! Remember that with pQOS you can define the policy-map via RADIUS,
! however you need to define your class-maps locally in XR.
class-map match-any VIDEO
 match access-group ipv4 lab-video
 end-class-map
!
class-map match-any 3play-voip
 match access-group ipv4 telnet
 end-class-map
!
! These are the class-maps used later in the control policy. You can
! match on various aspects of the interface/session, like username or
! domain. In this case we have simple class-maps that match on the
! protocol, so we are going to differentiate between PPP and IP subscribers.
!
class-map type control subscriber match-any PPP
 match protocol ppp
 end-class-map
!
class-map type control subscriber match-any DHCP
 match protocol dhcpv4
 end-class-map
!
! In this sample class-map we take the username, apply the separator
! switch to it as defined in the "format DOMAIN" attribute definition,
! and see if the resulting domain name matches "vrf_vpn".
class-map type control subscriber match-any matchdomain
 match domain vrf_vpn format DOMAIN
 end-class-map
!
! This is the most important part, the XR control policy.
policy-map type control subscriber sub
 event session-start match-first
 !
 ! Events: during the session lifetime, various events are triggered.
 ! In this case we provide a handler for the session-start event. This is
 ! the reception of a PADI for pppoe sessions or a dhcp discover for IP
 ! sessions.
 ! The match-first describes that we are only handling one class of the
 ! event, the class that we match first.
 ! This as opposed to match-all, which means that we will traverse all
 ! classes to see if they match and execute the actions defined
 ! underneath the class.
 !

Event                      | What does it do or when is it triggered?
---------------------------+--------------------------------------------------------------------
session-start              | when we get the first sign of life (for pppoe that is at PADR)
session-activate           | This is done at the authentication phase, i.e. when we've got the username/password (or challenge/response) (PPPoE ONLY)
authentication-failure*    | when we receive an access-reject from radius
authentication-no-response | when the method list for the authentication request does not return any response (success/reject)
authorize-failure*         | when we receive an access-reject from radius
authorize-no-response      | when the method list for authen or author does not return any response (success/reject)
service-stop               | when a service that is applied to the session is removed or stopped

  class type control subscriber CLASS do-until-failure
  !
  ! CLASS: Underneath that event, we define the classes. In this example
  ! I created 2 classes to match specifically on DHCP and PPP sessions.
  ! I can have 1 control policy with 1 event, and then the class
  ! differentiator to determine what I want to do specifically/separately
  ! for both session types.
  !

Do until?        | What does it do?
-----------------+-----------------------------------------------------------------------------
do-until-failure | Actions are executed until one fails (e.g. access reject, no radius response or feature application failure); then we stop the execution.
do-until-success | When we have successfully executed a task we stop.
do-all           | Regardless of success or failure all actions are executed.

  !
   10 activate dynamic-template TPL
  !
  ! Activation of the dynamic template configuration. PPP will take the
  ! LCP parameters and auth protocol from there.
  !
  ! Class-actions:
  !
 event session-activate match-first
  class type control subscriber CLASS do-until-failure
   10 activate dynamic-template TPL
   20 authenticate aaa list default

  • Authenticate: Use the username and password from the line and send them to the servers defined in the list.
  • Authorize: More flexible than authenticate, still the SAME radius request (access-request) but flexibly formatted, with a username composed of different information such as domain, circuit-id, nas-port etc.

Note: Because authenticate uses the line username, it is generally useless on the session-start event; authorize, with which you compose the username based on mac/circuit id etc., is very useful in both session-start and session-activate.

 !
 !
end-policy-map
!
policy-map type control subscriber ipsub
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   10 authorize aaa list default identifier source-address-mac password cisco
   ! Use the authorize here to compose the username to be sent to
   ! radius. In this case we use pw cisco as the password.
  !
end-policy-map
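A small interpreter for the policy anatomy explained above (events, match-first versus match-all, and the three do-until modes), written as an added illustration rather than code from the article or from IOS XR. It assumes the RADIUS answer is handed in as "accept" or "reject", and, because the class named CLASS in policy sub is not defined on the page, assumes that class matches every session; the ipsub_fancy_auth policy is taken from the "Policy Executed" trace in the show output.

```python
# Added example: a small interpreter for the control-policy semantics
# explained above (events, match-first/match-all, do-until-* modes).
# Not IOS XR code; the RADIUS answer is supplied by the caller as
# "accept" or "reject".
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# One event handler: (match mode, [(class name, do mode, [(seq, action), ...]), ...])
Policy = Dict[str, Tuple[str, List[Tuple[str, str, List[Tuple[int, str]]]]]]


@dataclass
class Session:
    protocol: str                  # "ppp" or "dhcpv4", what the class-maps match on
    authenticated: bool = False
    authorized: bool = False
    templates: List[str] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)   # like "Policy Executed:"


# The control class-maps from the article. CLASS is referenced by policy
# 'sub' but not defined on the page; assumed here to match any session.
CLASS_MAPS: Dict[str, Callable[[Session], bool]] = {
    "PPP": lambda s: s.protocol == "ppp",
    "DHCP": lambda s: s.protocol == "dhcpv4",
    "CLASS": lambda s: True,
}


def execute(action: str, session: Session, aaa_answer: str) -> bool:
    """Run one class action; True on success, False on failure."""
    words = action.split()
    if words[0] == "activate":             # activate dynamic-template NAME
        session.templates.append(words[2])
        return True
    if words[0] in ("authenticate", "authorize"):
        ok = aaa_answer == "accept"        # access-accept vs access-reject
        if ok and words[0] == "authenticate":
            session.authenticated = True
        if ok and words[0] == "authorize":
            session.authorized = True
        return ok
    raise ValueError(f"unsupported action: {action}")


def run_event(policy: Policy, event: str, session: Session, aaa_answer: str) -> Session:
    """Trigger one event and record what the policy executed, in the order
    the show output prints it (matched class line first, then its actions)."""
    if event not in policy:
        return session                     # no handler for this event
    match_mode, classes = policy[event]
    session.trace.append(f"event {event} {match_mode}")
    for cls, do_mode, actions in classes:
        if not CLASS_MAPS[cls](session):
            continue                       # class did not match, try the next
        session.trace.append(f"class type control subscriber {cls} {do_mode} [Succeeded]")
        for seq, action in actions:
            ok = execute(action, session, aaa_answer)
            session.trace.append(f"{seq} {action} [{'Succeeded' if ok else 'Failed'}]")
            if do_mode == "do-until-failure" and not ok:
                break                      # first failure ends the class
            if do_mode == "do-until-success" and ok:
                break                      # first success ends the class
            # do-all: every action runs regardless of the outcome
        if match_mode == "match-first":
            break                          # only the first matching class runs
    return session


# The article's policies. ipsub_fancy_auth is taken from the show output,
# where it has an extra 'activate dynamic-template IPSUB' step.
SUB: Policy = {
    "session-start": ("match-first", [
        ("CLASS", "do-until-failure", [(10, "activate dynamic-template TPL")])]),
    "session-activate": ("match-first", [
        ("CLASS", "do-until-failure", [(10, "activate dynamic-template TPL"),
                                       (20, "authenticate aaa list default")])]),
}
IPSUB_FANCY_AUTH: Policy = {
    "session-start": ("match-first", [
        ("DHCP", "do-until-failure", [(5, "activate dynamic-template IPSUB"),
                                      (10, "authorize aaa list default")])]),
}


def dhcp_session_rejected() -> Session:
    """The IP session from the show output: template applied, authorize
    failed, session left unauthenticated but still activated."""
    return run_event(IPSUB_FANCY_AUTH, "session-start", Session("dhcpv4"), "reject")


def pppoe_session_accepted() -> Session:
    """The PPPoE session: template at session-start, CHAP result at activate."""
    s = run_event(SUB, "session-start", Session("ppp"), "accept")
    return run_event(SUB, "session-activate", s, "accept")


if __name__ == "__main__":
    for s in (dhcp_session_rejected(), pppoe_session_accepted()):
        print("\n".join(s.trace), "\n")
```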

! Define the bundle-ether master and configure it for destination-ip
! based loadbalancing, so that each subscriber hashes all its traffic
! onto one member only, for accurate QOS.
interface Bundle-Ether100
 bundle load-balancing hash dst-ip
!
! The IP session interface must have an ip address in order to
! accept ip packets, i.e. the dhcp discover.
! If the unicast flag is set, like in MAC OSX or WXP (the IOS dhcp client
! leaves the broadcast flag), then this address MUST be in the same
! subnet as the ip sessions. If it is not the same we can't
! unicast the offer.
interface Bundle-Ether100.2
 ipv4 address 87.78.77.1 255.255.255.0
 service-policy type control subscriber ipsub_fancy_auth
 encapsulation dot1q 2
 ipsubscriber ipv4 l2-connected
  initiator dhcp
  initiator unclassified-source
!
! Define the bundle sub-interface for the right vlan, enable it for PPPoE
! via the bba-group and attach the control policy.
interface Bundle-Ether100.20
 service-policy type control subscriber sub
 pppoe enable bba-group X
 encapsulation dot1q 20
!
! Loopback interface for ppp sessions
interface Loopback1000
 ipv4 address 101.101.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0/19
 ! Enable LACP on the bundle member and set it to bundle-e100
 bundle id 100 mode active
 load-interval 30
!
interface GigabitEthernet0/1/0/19
 ! Enable LACP on the bundle member and set it to bundle-e100
 bundle id 100 mode active
 load-interval 30

Show command verification

RP/0/RSP0/CPU0:A9K-BNG#show subscr ses all det
Mon Nov 7 17:20:27.701 EDT
Interface: Bundle-Ether100.2.ip5
Circuit ID:
Remote ID: testme
Type: IP: DHCP-trigger
IP Address: 172.28.15.1, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000044
Nas-Port: 67108896
Username: unknown
Subscriber Label: 0x00000044
Created: Thu Nov 3 16:26:33 2011
State: Activated
Authentication: unauthenticated
Access-interface: Bundle-Ether100.2
Policy Executed:
policy-map type control subscriber ipsub_fancy_auth
event Session-Start match-first [at Thu Nov 3 16:26:33 2011]
class type control subscriber DHCP do-until-failure [Succeeded]
5 activate dynamic-template IPSUB [Succeeded]
10 authorize aaa list default [Failed]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: None

Interface: Bundle-Ether100.100.pppoe2
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IP Address: 199.1.1.2, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000145
Nas-Port: 67110466
Username: test
Subscriber Label: 0x00000145
Created: Thu Nov 3 16:28:10 2011
State: Activated
Authentication: authenticated
Access-interface: Bundle-Ether100.100
Policy Executed:
policy-map type control subscriber sub
event Session-Start match-first [at Thu Nov 3 16:28:10 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
event Session-Activate match-first [at Thu Nov 3 16:28:31 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
20 authenticate aaa list default [Succeeded]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: 0x500c0d24
1: service-type len= 4 value= Framed
2: sub-qos-policy-out len= 5 value= shape
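To read the Nas-Port values in the output above, here is an added decoder/encoder for the format-e strings used on this page (not IOS XR code and not from the original post). It treats each run of identical letters as one MSB-first bit field and assumes runs are contiguous, as in both formats on the page; the page's own values confirm that V is the VLAN ID (2 for Bundle-Ether100.2, 100 for Bundle-Ether100.100) and, for the PPPoE session, that U carries the PPPoE session id (2, matching pppoe2). The expansion of the other letters (S slot, A adapter, P port, Q outer VLAN) is an assumption.

```python
# Added example: decode/encode the 32-bit NAS-Port attribute for the
# "aaa radius attribute nas-port format e" strings used on this page.
# Not IOS XR code. Each run of identical letters is one field, MSB first.
from typing import Dict, Iterator, Tuple

# Meaning of the letters: V and U are confirmed by the session output on
# this page; the others are assumed (slot/adapter/port/outer VLAN).
LETTERS = {"S": "slot", "A": "adapter", "P": "port", "Q": "outer-vlan",
           "V": "vlan", "U": "session-id"}


def fields_of(fmt: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (letter, width, shift) for each contiguous run of letters."""
    if len(fmt) != 32:
        raise ValueError("format e string must be exactly 32 characters")
    i = 0
    while i < 32:
        j = i
        while j < 32 and fmt[j] == fmt[i]:
            j += 1
        yield fmt[i], j - i, 32 - j       # shift = bits to the right of the run
        i = j


def decode_nas_port(fmt: str, value: int) -> Dict[str, int]:
    """Split a NAS-Port integer into its named fields."""
    if not 0 <= value < 1 << 32:
        raise ValueError("NAS-Port is a 32-bit value")
    return {letter: (value >> shift) & ((1 << width) - 1)
            for letter, width, shift in fields_of(fmt)}


def encode_nas_port(fmt: str, values: Dict[str, int]) -> int:
    """Pack named fields into a NAS-Port integer. Unset fields are 0; a value
    that does not fit its field width is rejected rather than truncated."""
    result = 0
    for letter, width, shift in fields_of(fmt):
        v = values.get(letter, 0)
        if not 0 <= v < 1 << width:
            raise ValueError(f"{letter} = {v} does not fit in {width} bits")
        result |= v << shift
    return result


ARTICLE_FMT = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"   # format used in the article
COMMENT_FMT = "VVVVVVVVUUUUUUUUUUUUUUUUUUUUUUUU"   # format from the comments


def describe(fmt: str, value: int) -> str:
    """Human-readable rendering of the non-zero fields, e.g. 'port=4 vlan=100'."""
    return " ".join(f"{LETTERS.get(k, k)}={v}"
                    for k, v in decode_nas_port(fmt, value).items() if v)


if __name__ == "__main__":
    # Nas-Port values from the show output above and the debug in the comments.
    for fmt, nas_port in ((ARTICLE_FMT, 67108896), (ARTICLE_FMT, 67110466),
                          (COMMENT_FMT, 2013265920)):
        print(f"{nas_port:>10} ({nas_port:#010x}) -> {describe(fmt, nas_port)}")
```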

Comments
xthuijs
Cisco Employee

XR43 starts to see more and more snmp support for the bng solution.

the subscriber mib is there (and the aaa server mib), but I believe only for ppp sessions, which holds some useful info.

other stuff for ip sessions, dhcp bindings, ip pools and the like are 5x deliverables.

lease proxy would "rewrite" the received lease time from the server to the configured value to the client.

the client will renew against the bng at half lease time configured.

at half lease time from the server we'd be relaying that dhcp renew to the server.

so it only works for new sessions established after the config change.

regards

xander

smailmilak
Level 4

I always reestablish the session when I change the dhcp lease, but it still does not change, really weird.

I have to look a little bit deeper into that.

xthuijs
Cisco Employee

hmm that is interesting. If this is a lab environment, maybe it is easy for you to capture some traces.

The most important ones are the debug dhcp ipv4 proxy err/ev and debug dhcp ipv4 packet.

A sniffer capture from your client would be good to have also to see what it is receiving from the proxy/bng.

When you have those traces, it might be best to open a tac case with that info, as that is easier to work on a case like this than via the support forums.

regards

xander

smailmilak
Level 4

Ok, I will do that as soon as I'm done with the other tests I have to do on this BNG.

600 seconds is ok, but I would like to be able to change it.

Thank you Alexander.

smailmilak
Level 4

Hello Xander,

I have again a few questions for you.

First one is if it's possible to deauthenticate the user without terminating the session (logoff)?

For example, a user has logged in to the Captive Portal; after some time he wants to log out, so he can log in again later.

Using logoff the session is being terminated, and maybe some CPE will not detect that and will not send a DHCP discovery again, or the user has to reconnect the cable again. That is why we would like to set the authentication status to "unauthenticated" again.

The second question is about VRF. Is it possible to put the user in a VRF with the help of RADIUS attributes?

We have this setup on Ericsson Redback 800. While testing the Cisco BNG I used "vrf forwarding" on the access interface because it's a L3 interface, and user was automatically in the VRF because of the access interface.

xthuijs
Cisco Employee

hey there!

yes you can, you can send an account log off no problem! this just moves the state of the subscriber to "unauthenticated" but doesn't remove the services (by default) or release the binding.

It does trigger an event in the policy that you can use to apply some other services; eg an ACL, HTTP-R, low qos stuff like that.

Yup, you can put a user in a vrf via radius also. VRF xfer via COA is not possible however.

the atts are avpairs:

ipv4:ipv4-unnumbered and ipv4:vrf-id=...

cheers

xander

smailmilak
Level 4

Hmm, I used this line:

coa_w32.exe -n 10.100.11.6 -p 1700 -k BNGCOA -1 44,0000006c -2 26,9,1,subscriber:command=account-logoff

and it terminated my session (it disappeared on BNG), after 30-60 seconds it appeared again because the CPE (Linksys Wifi Router) reconnected again.

Is there an another attribute that I can use to set authentication status to "unauthenticated"?

And regarding VRF. I was using "vrf forwarding" under the access interface. Is this needed?

You said that it's possible to put the user in corresponding VRF with vrf attribute. What kind of config do I need for that?

Something like this one:

interface Bundle-Ether992.3127
 description # IPSUB #
 ipv4 point-to-point
 ipv4 unnumbered Loopback30
 NO VRF INTERNET HERE
 service-policy type control subscriber IP_SUB_PMAP
 encapsulation dot1q 3127
 ipsubscriber ipv4 l2-connected
  initiator dhcp
  initiator unclassified-source

interface Loopback30
 vrf Internet
 ipv4 address 10.100.30.1 255.255.255.0

dynamic-template
 type service HTTP_FORCE_REDIRECT
  service-policy type pbr HTTP_REDIRECT_PBR
 !
 type ipsubscriber IPSUB_TEMPLATE
  vrf Internet
  accounting aaa list default type session
  ipv4 unnumbered Loopback30



I think that it is the same with PPPoE?

btw. the customer has decided to buy two ASR9006 for BNG usage


Hello!

I am trying to set up BNG on ASR90001 SW version 4.3.1.

It's my config:

hostname ISG-10G
telnet vrf Mgmt ipv4 server max-servers 10
radius source-interface TenGigE0/0/2/0.11 vrf default
radius-server host 10.101.10.2 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxxxxxxxx
!
aaa server radius dynamic-author
 ignore server-key
 client 10.101.10.2 vrf default
  server-key 7 xxxxxxx
 !
!
aaa attribute format LOGIN
 remote-id plus circuit-id
!
aaa radius attribute nas-port format e VVVVVVVVUUUUUUUUUUUUUUUUUUUUUUUU
aaa accounting subscriber default group radius
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
cdp
vrf Mgmt
!
line console
 exec-timeout 0 0
 length 0
!
line default
 exec-timeout 10000 0
 absolute-timeout 10000
!
dhcp ipv4
 profile DHCP proxy
  helper-address vrf default 10.100.100.1 giaddr 192.168.1.1
  relay information option
  relay information policy keep
  relay information option allow-untrusted
 !
 interface TenGigE0/0/2/0.120 proxy profile DHCP
!
interface Loopback100
 ipv4 address 192.168.1.1 255.255.255.0
!
interface MgmtEth0/RSP0/CPU0/0
 cdp
 vrf Mgmt
 ipv4 address 10.1.10.175 255.255.255.0
!
interface MgmtEth0/RSP0/CPU0/1
!
interface TenGigE0/0/2/0
 cdp
 mac-address 2.fc73.101b
!
interface TenGigE0/0/2/0.11
 ipv4 address 10.11.11.10 255.255.255.224
 encapsulation dot1q 11
!
interface TenGigE0/0/2/0.120
 ipv4 point-to-point
 ipv4 unnumbered Loopback100
 service-policy type control subscriber ISG
 encapsulation dot1q 120
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
!
interface TenGigE0/0/2/1
 shutdown
!
interface TenGigE0/0/2/2
 shutdown
!
interface TenGigE0/0/2/3
 shutdown
!
router static
 address-family ipv4 unicast
  0.0.0.0/0 10.11.11.1
 !
 vrf Mgmt
  address-family ipv4 unicast
   0.0.0.0/0 10.1.1.254
  !
 !
!
router ospf 1
 redistribute connected
 area 1
  interface TenGigE0/0/2/0.11
  !
 !
!
dynamic-template
 type ipsubscriber FTTX
  accounting aaa list default type session
  ipv4 unnumbered Loopback100
 !
!
class-map type control subscriber match-any IPoE
 match protocol dhcpv4
 end-class-map
!
policy-map type control subscriber ISG
 event session-start match-first
  class type control subscriber IPoE do-until-failure
   10 activate dynamic-template FTTX
   20 authorize aaa list default format LOGIN password ISG
  !
end-policy-map
!
end

I use DHCP option82.

All works well until authorization. The Access-Request goes to RADIUS, it answers with accept or reject, and I don't see the answer on the ASR. I sniffed traffic on the switch port to which the ASR is connected and I see packets from RADIUS, but:

sh radius

Thu Aug 22 15:10:30.678 MEST
Global dead time: 0 minute(s)
Number of Servers:1
Server: 10.101.10.2/1812/1813  is UP
  Total Deadtime: 0s Last Deadtime: 0s
  Timeout: 5 sec, Retransmit limit: 3
  Quarantined: No
  Authentication:
    33 requests, 0 pending, 99 retransmits
    0 accepts, 0 rejects, 0 challenges
    132 timeouts, 0 bad responses, 0 bad authenticators
    0 unknown types, 0 dropped, 0 ms latest rtt
    Throttled: 0 transactions, 0 timeout, 0 failures
    Estimated Throttled Access Transactions: 0
    Maximum Throttled Access Transactions: 0

DEBUG:

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Received request [handle 0x504f4370] with server-group   : default

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Building header for the Authorization request

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: radius_get_prfrd_srvr_info: Retrive Preferred Server info from attr list

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: radius_get_prfrd_srvr_info: Preferred server handle is set to NULL

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: (handle_nas_req) Couldn't retrive the preferred server info

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Trying to find the first radius server to use.

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Created transaction_id (69000030) for server group 6F000000

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: Picking the rad id 253:1 sockfd 0x504D8E6C

LC/0/0/CPU0:Aug 22 15:15:23.408 : radiusd[315]: rctx 0x50466d00 added successfully

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS: Send Access-Request to 10.101.10.2:1812 id 253, len 409

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  authenticator 20 DE 84 08 7E DC CC 1B - DF 23 C2 1A 2D B9 8F B1

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  Vendor,Cisco        [26]    41     

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:   Cisco AVpair        [1]    35      client-mac-address=1cc1.dea0.2760

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  Vendor,Unknown      [26]    24              Unsupported[2]     18     

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  Vendor,Cisco        [26]    38     

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:   Cisco AVpair        [1]    32      remote-id-tag=0006f4ec38aa2636

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  Vendor,Unknown      [26]    20              Unsupported[1]     14     

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  Vendor,Cisco        [26]    35     

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:   Cisco AVpair        [1]    29      circuit-id-tag=00040078000a

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  Vendor,Cisco        [26]    34     

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:   Cisco AVpair        [1]    28      dhcp-vendor-class=MSFT 5.0

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  Acct-Session-Id     [44]    10      040000d3

LC/0/0/CPU0:Aug 22 15:15:23.409 : radiusd[315]:  RADIUS:  NAS-Port            [5]     6       2013265920

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  NAS-Port-Id         [87]    14      130/10/0/120

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  Vendor,Cisco        [26]    20     

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:   cisco-nas-port      [2]    14      130/10/0/120

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  User-Name           [1]     31      0006f4ec38aa2636:00040078000a

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  Service-Type        [6]     6       Outbound[5]

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  User-Password       [2]     18      *      

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  Vendor,Cisco        [26]    33     

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:   Cisco AVpair        [1]    27      parent-if-handle=67110080

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  NAS-Port-Type       [61]    6       IPOEOVLAN[40]

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  Called-Station-Id   [30]    14      00040078000a

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  Calling-Station-Id  [31]    18      0006f4ec38aa2636

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  Event-Timestamp     [55]    6       1377173723

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  Nas-Identifier      [32]    9       BNG

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]:  RADIUS:  NAS-IP-Address      [4]     6     10.11.11.10

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: Got global deadtime 0

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: Using global deadtime = 0 sec

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: Start timer thread rad_ident 253 remote_port 1812 remote_addr 0xa650a02, socket 1347260012 rctx 0x50466d00

LC/0/0/CPU0:Aug 22 15:15:23.410 : radiusd[315]: Successfully sent packet and started timeout handler for rctx 0x50466d00

I.e. the ASR drops packets from RADIUS, but I don't know how to fix it. Please help me to resolve this problem!!

xthuijs
Cisco Employee

Hi Andrew, you have this:

interface TenGigE0/0/2/0.120
 ipv4 point-to-point
 ipv4 unnumbered Loopback100
 service-policy type control subscriber ISG

that is LC based subscribers, which we don't support yet.

you need to move it to a bundle configuration, something like

interface TenGigE0/0/2/0
 bundle id 100 mode on
 ! disables lacp, single member
int bundle-e100
int bundle-e100.120
 ipv4 point-to-point
 ipv4 unnumbered Loopback100
 service-policy type control subscriber ISG

xander

Xander thanks!!

You really helped me! It works!

xthuijs
Cisco Employee

Awesome!! thanks for letting me know Andrew!!

xander

Hello Xander! I need your help again.

Now RADIUS give me accept, but there is a problem with forwarding DHCP discover to DHCP server.

dhcp ipv4
 profile DHCP proxy
  helper-address vrf default 10.100.100.1 giaddr 192.168.1.1
  relay information option
  relay information policy keep
  relay information option allow-untrusted
 !
 interface Bundle-Ether4.120 proxy profile DHCP

DHCP server is routable, I can ping it. But I don't see any packets from BNG.

192.168.1.1 belongs to Loopback100

This I see in debug:

RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]:  RADIUS: Send Access-Request to 10.101.10.2:1812 id 101, len 398

RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]:  RADIUS:  authenticator 94 2C AF 79 53 20 7C 46 - 22 7A 3C 01 87 CF F3 AB

RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    41             

RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    24             

RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    38             

RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    20             

RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    35             

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  Acct-Session-Id     [44]    10      0000045d

RP/0/RSP0/CPU0:Aug 23 09:47:39.485 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    34             

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  NAS-Port            [5]     6       2013265920

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    17             

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  User-Name           [1]     31      0006f4ec38aa2636:00040078000a

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  NAS-Port-Id         [87]    11      0/0/4/120

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  Service-Type        [6]     6       Outbound[5]

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  User-Password       [2]     18      *      

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  NAS-Port-Type       [61]    6       VIRTUAL_IPOEOVLAN[43]

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    28             

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  Calling-Station-Id  [31]    18      0006f4ec38aa2636

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  Called-Station-Id   [30]    14      00040078000a

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  Event-Timestamp     [55]    6       1377240459

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  Nas-Identifier      [32]    9       BNG

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]:  RADIUS:  NAS-IP-Address      [4]     6       217.19.208.40

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: Got global deadtime 0

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: Start timer thread rad_ident 101 remote_port 1812 remote_addr 0xa650a02, socket 1342478092 rctx 0x501c6f38

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: Using global deadtime = 0 sec

RP/0/RSP0/CPU0:Aug 23 09:47:39.486 : radiusd[1100]: Successfully sent packet and started timeout handler for rctx 0x501c6f38

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: rctx found is 0x501c6f38

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: Radius packet decryption complete with rc = 0

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS: Received from id 101 10.101.10.2:1812, Access-Accept, len 713

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:  authenticator A0 48 D8 80 89 9A 5E 59 - 93 02 3C 0A B5 4A 59 60

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    33             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    35             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    44             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    44             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    43             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    44             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    43             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    43             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    58             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    44             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    44             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    35             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    44             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    30             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    36             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    36             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:   Vendor-Specific    [26]    31             

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:  Service-Type        [6]     6       Outbound[5]

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: Freeing server group transaction_id (5F000011)

RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: pack_length = 713 radius_len = 713

RP/0/RSP0/CPU0:Aug 23 09:47:39.496 : radiusd[1100]: rad_nas_reply_to_client: Received response from id : 101,packet type 2

RP/0/RSP0/CPU0:Aug 23 09:47:39.496 : radiusd[1100]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS

RP/0/RSP0/CPU0:Aug 23 09:47:39.496 : radiusd[1100]: (rad_nas_reply_to_client) Successfully stored the preferred server info

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1984: Session create response received from DPM: sub_label 0x0 (0)

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1225: Process packet event, client mode: PROXY

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1904: Init handler called for chaddr 1cc1.dea0.2760 with event DROP-PACKET

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1961: DISCOVER from chaddr 1cc1.dea0.2760 in proxy mode dropped

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_process_event: Init handler success

And:

sh dhcp ipv4 proxy statistics

Fri Aug 23 10:20:26.980 MEST

                  VRF                     |      RX       |      TX       |       DR      |

-------------------------------------------------------------------------------------------

default                                  |           91  |            0  |           91  |

**nVSatellite                            |            0  |            0  |            0  |

Mgmt                                     |            0  |            0  |            0  |

I don't understand why the router drops DISCOVERs...

And I also tried to use a relay profile:

dhcp ipv4

profile DHCP relay

  helper-address vrf default 10.100.100.1

  relay information option

  relay information policy keep

  relay information option allow-untrusted

!

interface Bundle-Ether4.120 relay profile DHCP

interface Bundle-Ether4.120

ipv4 point-to-point

ipv4 unnumbered Loopback100

service-policy type control subscriber ISG

encapsulation dot1q 120

ipsubscriber ipv4 l2-connected

  initiator dhcp

policy-map type control subscriber ISG

event session-start match-first

  class type control subscriber IPoE do-until-failure

   10 activate dynamic-template FTTX

   20 authorize aaa list default format LOGIN password ISG

  !

!

event authorization-failure match-first

  class type control subscriber IPoE do-until-failure

   10 activate dynamic-template HTTP_FORCE_REDIRECT

  !

!

event timer-expiry match-first

  class type control subscriber AUTH_TIMER_CM do-until-failure

   10 disconnect

  !

!

end-policy-map

In this case I get an IP from the DHCP server, but I don't see requests to RADIUS...

I don't know what to do without your help...
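The debug output and proxy statistics above show the pattern the poster is stuck on: RADIUS returns Access-Accept, while the DHCP proxy counts every received DISCOVER as dropped (TX 0, DR equal to RX). The following script is an added example and is not part of the original post or of any Cisco tool; it parses lines in the shape shown above and separates the AAA leg from the DHCP leg so the two can be judged independently. The regexes, the verdict strings and the function names are my own, and the embedded sample is constructed from the posted output.

```python
"""Triage helper: correlate IOS XR radiusd/dhcpd debug lines with
'show dhcp ipv4 proxy statistics' to answer two questions separately:
did AAA pass, and did the DHCP proxy forward anything?
Added example; not from the thread or from Cisco."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# One IOS XR debug line: "RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]: <msg>"
LINE_RE = re.compile(
    r"^RP/\S+:(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}) : "
    r"(?P<proc>\w+)\[\d+\]:\s+(?P<msg>.*)$"
)
# radiusd: "RADIUS: Received from id 101 10.101.10.2:1812, Access-Accept, len 713"
RADIUS_RE = re.compile(
    r"RADIUS: Received from id (?P<rid>\d+) (?P<server>\S+), "
    r"(?P<code>Access-(?:Accept|Reject|Challenge))"
)
# dhcpd: "TP1961: DISCOVER from chaddr 1cc1.dea0.2760 in proxy mode dropped"
DROP_RE = re.compile(
    r"(?P<kind>[A-Z]+) from chaddr (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"in proxy mode dropped"
)
# Row of "show dhcp ipv4 proxy statistics": "default | 91 | 0 | 91 |"
STATS_RE = re.compile(
    r"^(?P<vrf>\S+)\s*\|\s*(?P<rx>\d+)\s*\|\s*(?P<tx>\d+)\s*\|\s*(?P<dr>\d+)\s*\|"
)


class Event(NamedTuple):
    ts: str
    proc: str
    msg: str


def parse_debug(text: str) -> List[Event]:
    """Keep only lines that look like IOS XR process debug output."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["proc"], m["msg"]))
    return events


def summarize(events: List[Event]) -> Dict[str, dict]:
    """Count RADIUS response codes and DHCP proxy drops per client MAC."""
    radius: Counter = Counter()
    drops: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        if ev.proc == "radiusd":
            m = RADIUS_RE.search(ev.msg)
            if m:
                radius[m["code"]] += 1
        elif ev.proc == "dhcpd":
            m = DROP_RE.search(ev.msg)
            if m:
                drops[m["mac"]][m["kind"]] += 1
    return {"radius": dict(radius),
            "dhcp_drops": {mac: dict(c) for mac, c in drops.items()}}


def parse_proxy_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Per-VRF RX/TX/DR counters from 'show dhcp ipv4 proxy statistics'."""
    stats = {}
    for line in text.splitlines():
        m = STATS_RE.match(line.strip())
        if m:
            stats[m["vrf"]] = {k: int(m[k]) for k in ("rx", "tx", "dr")}
    return stats


def diagnose(summary: dict, stats: dict, vrf: str = "default") -> str:
    """Coarse verdict (my own labels). AAA_OK_DHCP_NOT_FORWARDED is the pattern
    in this thread: Access-Accept seen, yet TX towards the DHCP server stays at
    zero and every received packet is counted as dropped."""
    accepts = summary["radius"].get("Access-Accept", 0)
    rejects = summary["radius"].get("Access-Reject", 0)
    dropped = sum(sum(c.values()) for c in summary["dhcp_drops"].values())
    s = stats.get(vrf, {"rx": 0, "tx": 0, "dr": 0})
    if rejects and not accepts:
        return "AAA_REJECT"
    if accepts and dropped and s["tx"] == 0 and s["dr"] == s["rx"] > 0:
        return "AAA_OK_DHCP_NOT_FORWARDED"
    if s["tx"] > 0:
        return "DHCP_FORWARDED"
    return "INCONCLUSIVE"


# Constructed sample, modeled on the debug and show output posted above.
SAMPLE_DEBUG = """\
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS: Received from id 101 10.101.10.2:1812, Access-Accept, len 713
RP/0/RSP0/CPU0:Aug 23 09:47:39.495 : radiusd[1100]:  RADIUS:  Service-Type        [6]     6       Outbound[5]
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1904: Init handler called for chaddr 1cc1.dea0.2760 with event DROP-PACKET
RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1961: DISCOVER from chaddr 1cc1.dea0.2760 in proxy mode dropped
"""
SAMPLE_STATS = """\
                  VRF                     |      RX       |      TX       |       DR      |
-------------------------------------------------------------------------------------------
default                                  |           91  |            0  |           91  |
**nVSatellite                            |            0  |            0  |            0  |
Mgmt                                     |            0  |            0  |            0  |
"""

if __name__ == "__main__":
    summary = summarize(parse_debug(SAMPLE_DEBUG))
    stats = parse_proxy_stats(SAMPLE_STATS)
    print(summary)
    print(stats)
    print(diagnose(summary, stats))
```

Feed it the real `debug radius authentication` / `debug dhcp ipv4 proxy events` capture and the statistics table; a verdict of AAA_OK_DHCP_NOT_FORWARDED tells you to stop looking at the RADIUS server and look at what sits between the control policy and the DHCP proxy on the BNG.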

Adiyudha Aji
Level 1

Hi there,

I've experienced this before. From my perspective, the DHCP process won't work until RADIUS gives an Access-Accept message.

Try "sh dhcp ipv4 proxy binding" to make sure that you already get the DHCP address for the subscriber, and also "show radius authentication" for the RADIUS session.

If RADIUS already gives Access-Accept, something might be happening in the DHCP service itself, or in any policy between the BNG and the DHCP server. The configuration seems quite similar to mine.

Try also these debugs to verify the packet flow:

debug radius authentication

debug dhcp ipv4 proxy events

debug dhcp ipv4 errors


As you can see from my post above, RADIUS gives me an Accept. But the DISCOVER is not forwarded to the DHCP server, and in the debug I see this:

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1904: Init handler called for chaddr 1cc1.dea0.2760 with event DROP-PACKET

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: dhcpd_proxy_os_inc_stat_multi stats ptr not null for vrf 60000000 matches l3intf

RP/0/RSP0/CPU0:Aug 23 09:47:39.497 : dhcpd[1068]: DHCPD: TP1961: DISCOVER from chaddr 1cc1.dea0.2760 in proxy mode dropped

Also, from the debug commands that you requested I see this:

RP/0/RSP0/CPU0:Aug 23 13:15:29.683 : dhcpd[1068]: DHCPD ERROR: TP2468: rib route delete failed, null ifhandle or IPv4 address

But I think it's because there are no leases in the DHCP pool.

The result of "sh dhcp ipv4 proxy binding" is empty.

show radius authentication

Fri Aug 23 13:18:05.899 MEST

Server: 10.101.10.2, port: 1812/

    144 requests, 0 pending, 0 retransmits

    144 accepts, 0 rejects, 0 challenges

    0 timeouts, 0 bad responses, 0 bad authenticators

    0 unknown types, 0 dropped, 8 ms latest rtt

    Throttled: 0 transactions, 0 timeout, 0 failures

    Estimated Throttled Access Transactions: 0

    Maximum Throttled Access Transactions: 0

So, in the debug I see "event DROP-PACKET" and don't know how to resolve this.

When I removed "service-policy type control subscriber ISG" from the interface, I got an IP from DHCP.

Maybe something is wrong in the service-policy or dynamic-template...

policy-map type control subscriber ISG

event session-start match-first

  class type control subscriber IPoE do-until-failure

   10 activate dynamic-template FTTX

   20 authorize aaa list default format LOGIN password ISG

  !

!

event authorization-failure match-first

  class type control subscriber IPoE do-until-failure

   10 activate dynamic-template HTTP_FORCE_REDIRECT

  !

!

event timer-expiry match-first

  class type control subscriber AUTH_TIMER_CM do-until-failure

   10 disconnect

  !

!

end-policy-map

dynamic-template

type service HTTP_FORCE_REDIRECT

  service-policy type pbr HTTP_REDIRECT_PBR

!

type ipsubscriber FTTX

  ipv4 unnumbered Loopback100

!


Adiyudha Aji
Level 1

Which version do you use for BNG? Tracing back from the beginning, I assume you have already installed the BNG license and configured the license on the appropriate linecard.

Try to remove these commands first from the policy-map and dynamic-template and see the result:

event authorization-failure match-first

  class type control subscriber IPoE do-until-failure

   10 activate dynamic-template HTTP_FORCE_REDIRECT

  !

!

event timer-expiry match-first

  class type control subscriber AUTH_TIMER_CM do-until-failure

   10 disconnect

  !

!

type service HTTP_FORCE_REDIRECT

  service-policy type pbr HTTP_REDIRECT_PBR

!

and capture the output of "show subscriber session all".

BTW, have you also sniffed the packets on the DHCP server itself?

