cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1514
Views
0
Helpful
1
Replies

PPPOE + Radius : Assigning VRF to CPE

Hello,

 

I have set up a lab with a 2900 ISR as PPPOE server, an 1841 as PPPOE client and Microsoft NPS is used for RADIUS.

 

This works without VRFs. My idea is to put the CPE router in a VRF with the help of CiscoAVPair attributes coming from the RADIUS server.

 

When I add these to the RADIUS attributes:

"lcp:interface-config#1=ip vrf forwarding internet\n ip unnumbered loopback999"

 

The CPE goes up and down. The PPP authentication log shows an authentication failure but the NPS server says the authentication was ok.

 

CPE debug output:

 

*Apr 13 10:53:39.110: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 13 10:53:39.110: Vi2 CHAP: I CHALLENGE id 1 len 29 from "z34-2911"
*Apr 13 10:53:39.114: Vi2 CHAP: Using hostname from interface CHAP
*Apr 13 10:53:39.114: Vi2 CHAP: Using password from interface CHAP
*Apr 13 10:53:39.114: Vi2 CHAP: O RESPONSE id 1 len 31 from "pppoe-user"
*Apr 13 10:53:39.126: Vi2 CHAP: I FAILURE id 1 len 26 msg is "Authentication failure"
*Apr 13 10:53:39.130: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
*Apr 13 10:53:39.134: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down

 

The 2900, gets all the radius attrbutes:

 

Apr 13 11:55:49.530: VT[Vi2.1]:Applying config commands on process "VTEMPLATE Background Mgr" (292)
Apr 13 11:55:49.530: VT[Vi2.1]:ip vrf forwarding internet
Apr 13 11:55:49.530: VT[Vi2.1]:ip unnumbered loopback999"
Apr 13 11:55:49.530: VT[Vi2.1]:end

 

 

This is my test configuration of the 2900 router:

 


aaa new-model
!
!
aaa group server radius SARUMAN
 server 10.34.10.41 auth-port 1812 acct-port 1813
!
aaa authentication login default local-case
aaa authentication ppp CPE_USER group SARUMAN
aaa authorization console
aaa authorization exec default local
aaa authorization network default group SARUMAN
aaa accounting exec default
 action-type start-stop
 group SARUMAN
!
aaa accounting system default
 action-type start-stop
 group SARUMAN
!
!
!
!
!
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
no ipv6 cef
ip source-route
ip cef
!
!
ip vrf LAN
!
ip vrf internet
 rd 65000:1
 route-target export 1:1
 route-target import 1:1
!
!
vpdn enable

!
bba-group pppoe LAB
 virtual-template 1
 sessions per-mac limit 2
 sessions per-vlan limit 10
!
!
interface Loopback1
 ip address 200.200.200.200 255.255.255.255
!
interface Loopback999
 ip vrf forwarding internet
 ip address 192.168.255.254 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.34.10.220 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group LAB
!
interface GigabitEthernet0/2
 ip vrf forwarding internet
 ip address dhcp
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback1
 no peer default ip address
 ppp authentication chap pap ms-chap-v2 CPE_USER
!

ip route 0.0.0.0 0.0.0.0 10.34.10.1
ip route vrf internet 0.0.0.0 0.0.0.0 GigabitEthernet0/2 dhcp
!
ip radius source-interface GigabitEthernet0/0
!
!
radius-server host 10.34.10.41 auth-port 1812 acct-port 1813 key opendiedeur
radius-server vsa send authentication
!

 

 

----

 

I have seen several similar configs but most of them use another RADIUS server. I do not know if this makes a difference.

 

 

 

1 Accepted Solution

Accepted Solutions

I found the problem: Micrsoft NPS sends the Framed-IP-Address before the VRF is applied, resulting in this problem. A test with FreeRadius where the Framed-IP-Address is sent as last attribute makes it work.

 

NPS does not have any other attribute than the static IP address in the Dial-Up settings of the user so this disqualifies NPS for me.

 

Regards,

 

Marcel.

View solution in original post

1 Reply 1

I found the problem: Micrsoft NPS sends the Framed-IP-Address before the VRF is applied, resulting in this problem. A test with FreeRadius where the Framed-IP-Address is sent as last attribute makes it work.

 

NPS does not have any other attribute than the static IP address in the Dial-Up settings of the user so this disqualifies NPS for me.

 

Regards,

 

Marcel.

Review Cisco Networking for a $25 gift card