Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1487
Views
0
Helpful
1
Replies

PPPOE + Radius : Assigning VRF to CPE

Go to solution
Marcel Tempelman
Level 3
Level 3

‎04-13-2018 04:17 AM - edited ‎03-08-2019 02:38 PM

Hello,

 

I have set up a lab with a 2900 ISR as PPPOE server, an 1841 as PPPOE client and Microsoft NPS is used for RADIUS.

 

This works without VRFs. My idea is to put the CPE router in a VRF with the help of CiscoAVPair attributes coming from the RADIUS server.

 

When I add these to the RADIUS attributes:

"lcp:interface-config#1=ip vrf forwarding internet\n ip unnumbered loopback999"

 

The CPE goes up and down. The PPP authentication log shows an authentication failure but the NPS server says the authentication was ok.

 

CPE debug output:

 

*Apr 13 10:53:39.110: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 13 10:53:39.110: Vi2 CHAP: I CHALLENGE id 1 len 29 from "z34-2911"
*Apr 13 10:53:39.114: Vi2 CHAP: Using hostname from interface CHAP
*Apr 13 10:53:39.114: Vi2 CHAP: Using password from interface CHAP
*Apr 13 10:53:39.114: Vi2 CHAP: O RESPONSE id 1 len 31 from "pppoe-user"
*Apr 13 10:53:39.126: Vi2 CHAP: I FAILURE id 1 len 26 msg is "Authentication failure"
*Apr 13 10:53:39.130: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Apr 13 10:53:39.134: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down

 

The 2900, gets all the radius attrbutes:

 

Apr 13 11:55:49.530: VT[Vi2.1]:Applying config commands on process "VTEMPLATE Background Mgr" (292)
Apr 13 11:55:49.530: VT[Vi2.1]:ip vrf forwarding internet
Apr 13 11:55:49.530: VT[Vi2.1]:ip unnumbered loopback999"
Apr 13 11:55:49.530: VT[Vi2.1]:end

 

 

This is my test configuration of the 2900 router:

 


aaa new-model
!
!
aaa group server radius SARUMAN
 server 10.34.10.41 auth-port 1812 acct-port 1813
!
aaa authentication login default local-case
aaa authentication ppp CPE_USER group SARUMAN
aaa authorization console
aaa authorization exec default local
aaa authorization network default group SARUMAN
aaa accounting exec default
 action-type start-stop
 group SARUMAN
!
aaa accounting system default
 action-type start-stop
 group SARUMAN
!
!
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
no ipv6 cef
ip source-route
ip cef
!
!
ip vrf LAN
!
ip vrf internet
 rd 65000:1
 route-target export 1:1
 route-target import 1:1
!
!
vpdn enable

!
bba-group pppoe LAB
 virtual-template 1
 sessions per-mac limit 2
 sessions per-vlan limit 10
!
!
interface Loopback1
 ip address 200.200.200.200 255.255.255.255
!
interface Loopback999
 ip vrf forwarding internet
 ip address 192.168.255.254 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.34.10.220 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group LAB
!
interface GigabitEthernet0/2
 ip vrf forwarding internet
 ip address dhcp
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback1
 no peer default ip address
 ppp authentication chap pap ms-chap-v2 CPE_USER
!

ip route 0.0.0.0 0.0.0.0 10.34.10.1
ip route vrf internet 0.0.0.0 0.0.0.0 GigabitEthernet0/2 dhcp
!
ip radius source-interface GigabitEthernet0/0
!
!
radius-server host 10.34.10.41 auth-port 1812 acct-port 1813 key opendiedeur
radius-server vsa send authentication
!

 

 

----

 

I have seen several similar configs but most of them use another RADIUS server. I do not know if this makes a difference.

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcel Tempelman
Level 3
Level 3

‎04-16-2018 12:12 AM

I found the problem: Micrsoft NPS sends the Framed-IP-Address before the VRF is applied, resulting in this problem. A test with FreeRadius where the Framed-IP-Address is sent as last attribute makes it work.

 

NPS does not have any other attribute than the static IP address in the Dial-Up settings of the user so this disqualifies NPS for me.

 

Regards,

 

Marcel.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Marcel Tempelman
Level 3
Level 3

‎04-16-2018 12:12 AM

I found the problem: Micrsoft NPS sends the Framed-IP-Address before the VRF is applied, resulting in this problem. A test with FreeRadius where the Framed-IP-Address is sent as last attribute makes it work.

 

NPS does not have any other attribute than the static IP address in the Dial-Up settings of the user so this disqualifies NPS for me.

 

Regards,

 

Marcel.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card