04-13-2018 04:17 AM - edited 03-08-2019 02:38 PM
Hello,
I have set up a lab with a 2900 ISR as PPPOE server, an 1841 as PPPOE client and Microsoft NPS is used for RADIUS.
This works without VRFs. My idea is to put the CPE router in a VRF with the help of CiscoAVPair attributes coming from the RADIUS server.
When I add these to the RADIUS attributes:
"lcp:interface-config#1=ip vrf forwarding internet\n ip unnumbered loopback999"
The CPE goes up and down. The PPP authentication log shows an authentication failure but the NPS server says the authentication was ok.
CPE debug output:
*Apr 13 10:53:39.110: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 13 10:53:39.110: Vi2 CHAP: I CHALLENGE id 1 len 29 from "z34-2911"
*Apr 13 10:53:39.114: Vi2 CHAP: Using hostname from interface CHAP
*Apr 13 10:53:39.114: Vi2 CHAP: Using password from interface CHAP
*Apr 13 10:53:39.114: Vi2 CHAP: O RESPONSE id 1 len 31 from "pppoe-user"
*Apr 13 10:53:39.126: Vi2 CHAP: I FAILURE id 1 len 26 msg is "Authentication failure"
*Apr 13 10:53:39.130: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Apr 13 10:53:39.134: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
The 2900 gets all the RADIUS attributes:
Apr 13 11:55:49.530: VT[Vi2.1]:Applying config commands on process "VTEMPLATE Background Mgr" (292)
Apr 13 11:55:49.530: VT[Vi2.1]:ip vrf forwarding internet
Apr 13 11:55:49.530: VT[Vi2.1]:ip unnumbered loopback999"
Apr 13 11:55:49.530: VT[Vi2.1]:end
This is my test configuration of the 2900 router:
aaa new-model
!
!
aaa group server radius SARUMAN
 server 10.34.10.41 auth-port 1812 acct-port 1813
!
aaa authentication login default local-case
aaa authentication ppp CPE_USER group SARUMAN
aaa authorization console
aaa authorization exec default local
aaa authorization network default group SARUMAN
aaa accounting exec default
 action-type start-stop
 group SARUMAN
!
aaa accounting system default
 action-type start-stop
 group SARUMAN
!
!
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
no ipv6 cef
ip source-route
ip cef
!
!
ip vrf LAN
!
ip vrf internet
 rd 65000:1
 route-target export 1:1
 route-target import 1:1
!
!
vpdn enable
!
bba-group pppoe LAB
 virtual-template 1
 sessions per-mac limit 2
 sessions per-vlan limit 10
!
!
interface Loopback1
 ip address 200.200.200.200 255.255.255.255
!
interface Loopback999
 ip vrf forwarding internet
 ip address 192.168.255.254 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.34.10.220 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group LAB
!
interface GigabitEthernet0/2
 ip vrf forwarding internet
 ip address dhcp
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback1
 no peer default ip address
 ppp authentication chap pap ms-chap-v2 CPE_USER
!
ip route 0.0.0.0 0.0.0.0 10.34.10.1
ip route vrf internet 0.0.0.0 0.0.0.0 GigabitEthernet0/2 dhcp
!
ip radius source-interface GigabitEthernet0/0
!
!
radius-server host 10.34.10.41 auth-port 1812 acct-port 1813 key opendiedeur
radius-server vsa send authentication
!
----
I have seen several similar configs but most of them use another RADIUS server. I do not know if this makes a difference.
04-16-2018 12:12 AM
I found the problem: Microsoft NPS sends the Framed-IP-Address before the VRF is applied, resulting in this problem. A test with FreeRadius where the Framed-IP-Address is sent as last attribute makes it work.
NPS does not have any other attribute than the static IP address in the Dial-Up settings of the user so this disqualifies NPS for me.
Regards,
Marcel.
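As an added example (not from this thread, NPS or any Cisco tool), a small Python check that parses a RADIUS Access-Accept attribute list in wire order and flags the ordering the answer describes: Framed-IP-Address arriving before the Cisco-AVPair that sets the VRF. Both sample packets are constructed here; the AVPair text is the one from the original post.

```python
import struct
from ipaddress import IPv4Address

FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 8, 26
CISCO_VENDOR_ID, CISCO_AVPAIR, VRF_CMD = 9, 1, "ip vrf forwarding"  # vendor 9, sub-type 1

def parse_attributes(packet: bytes):
    """Walk the RFC 2865 attribute list in wire order and return
    (name, value) pairs; Cisco-AVPair VSAs are unpacked to their text."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20                      # 20 = header + authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS:
            attrs.append(("Framed-IP-Address", str(IPv4Address(value))))
        elif atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) and value[4] == CISCO_AVPAIR:
            attrs.append(("Cisco-AVPair", value[6:4 + value[5]].decode()))
        else:
            attrs.append((f"Attr-{atype}", value))
        pos += alen
    return attrs

def vrf_applied_before_framed_ip(attrs):
    """True when every 'ip vrf forwarding' interface-config AVPair precedes
    Framed-IP-Address (the order IOS needs), or when either is absent."""
    vrf = [i for i, (n, v) in enumerate(attrs) if n == "Cisco-AVPair" and VRF_CMD in v]
    ips = [i for i, (n, _) in enumerate(attrs) if n == "Framed-IP-Address"]
    return not vrf or not ips or max(vrf) < min(ips)

def build_accept(ident, items):
    """Encode a constructed Access-Accept (code 2) from ('ip', addr) / ('avpair', text) items in order; authenticator zeroed."""
    body = b""
    for kind, val in items:
        if kind == "ip":
            v = IPv4Address(val).packed
            body += bytes([FRAMED_IP_ADDRESS, 2 + len(v)]) + v
        else:
            sub = bytes([CISCO_AVPAIR, 2 + len(val)]) + val.encode()
            v = struct.pack("!I", CISCO_VENDOR_ID) + sub
            body += bytes([VENDOR_SPECIFIC, 2 + len(v)]) + v
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: NPS-style order (IP first) vs. FreeRADIUS-style order (IP last)
AVPAIR = "lcp:interface-config#1=ip vrf forwarding internet\n ip unnumbered loopback999"
NPS_ORDER = build_accept(1, [("ip", "192.168.255.10"), ("avpair", AVPAIR)])
FREERADIUS_ORDER = build_accept(2, [("avpair", AVPAIR), ("ip", "192.168.255.10")])
```

Run the parser over a real Access-Accept captured from your own server to confirm which order it emits before blaming the router.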