IOS to IOS-XR - radius attribute command translation

Garry Peirce
Level 1

Coming from IOS, looking to implement the following RADIUS commands under IOS-XR and have not found how to do so yet.

Anyone know?

radius-server attribute 6 on-for-login-auth

radius-server attribute 32 include-in-access-req

TIA,

28 Replies

Hi Alexander Thuijs,

Thanks for your reply. One more question: in ASR 9k, normally RADIUS accounting records are sent to an external RADIUS server, right? Does the router have any option to save those records on the router itself? Does it have any ability to customize the attributes of those records even though they are sent to the RADIUS server?

You have the ability to do attribute templates, but this is more BNG specific.

Attribute templates are applied to radius-server groups, and these groups are then applied per method list.

xander

Hi Alexander Thuijs,

I thought only the RADIUS server has the ability to customize and store accounting records? Can we customize accounting records from ASR 9k? If so, can I get the commands or links for configuring and storing custom accounting records in ASR 9k? Please give me a granular answer.

You can do that within XR also. You define an attribute list that you want to filter out of the request or accept (so in either direction, defined separately).

A "granular" example:

radius-server attribute list ATTR_LIST
  attribute
  attribute vendor-specific <…>
!
aaa group server
  { authentication | authorization | accounting }
    { reply | request } { accept | reject } ATTR_LIST
!

xander

Hi Alexander Thuijs,

Apart from this example, could you please mention the XR configuration for creating the RADIUS attribute list, or any command/config reference guide or any documents for creating the same. Hoping for your precious response.

Hello Xander! How are you...

I'm here again; I have some questions based on your answers to my previous ones.

First, in our network right now the BRAS, both the 10K and the 1K, are configured with nas-port format D to send the following access-request packet to the RADIUS:

Packet dump: *** Received from 200.3.62.253 port 63618 ....
Framed-Protocol = PPP
User-Name = "X"
User-Password = X
Service-Type = Framed-User
NAS-IP-Address = 200.3.62.253
Acct-Session-Id = "7/0/0/153.1503_04E4EB3D"
NAS-Port-Type = Ethernet
NAS-Port = 1879676383
NAS-Port-Id = "7/0/0/153.1503"

The systems behind the RADIUS are doing computations with nas-port, based on nas-port-type too.

So far no problem.

Next quarter the 9K will be working in our network, so I guess some changes in my systems will be necessary.

So far I understood that format e doesn't describe the physical port if you have configured a bundle to terminate the sessions, but in the information it gives in the example SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU the PPPP bits are the xth bundle-ether configured, so that I should adapt all my systems to manage this new information for validation. Is that OK?

Second, suppose I want to avoid any kind of modification in the systems, I mean mask and logic changes to interpret the information to validate the subscriber as we do right now. I wonder if there is some clue to have this mask for the nas-port:

SSAPPPPPQQQQQQQQQQQQVVVVVVVVVVVV, where PPPPP gives me the physical port, considering the BRAS 9K will have a 24-port 10GE PLIM. Q and V are also bits to report outer VLANs and inner VLANs.

Besides, I wonder if I decide to use the nas-port-id instead of nas-port, as the example in the guide shows:

An example of a CLI command to construct the NAS-Port-ID from just the BNG port information

aaa attribute format NAS-PORT-ID-FORMAT666
format-string "eth %s/%s/%s:%s.%s " phy-slot phy-subslot phy-port outer-vlan-Id inner-vlan-id

Here a question: phy-port, is it the bundle information it will send, or in this case is it really physical information? Because... you know what... this could be an option for us, I mean in case it gives the physical port.

Have you understood all this stuff we are doubting about, and trying to reduce impacts?

Regards,

Javier

@umpri

PABLO TOPOL
Level 1

Hi everybody, I'm attaching a log from our RADIUS server. It's a real authentication request from a BRAS [10K8] with "d" format.

The question is: how can we maintain the same NAS-Port value using "e" RADIUS format?

We are thinking of "e" format because we are purchasing LCs with 24 ports for A9K.

Thanks.

Packet dump: *** Received from 200.x.x.x port 63618 ....
Framed-Protocol = PPP
User-Name = "X"
User-Password = X
Service-Type = Framed-User
NAS-IP-Address = 200.x.x.x
Acct-Session-Id = "7/0/0/153.1503_04E4EB3D"
NAS-Port-Type = Ethernet
NAS-Port = 1879676383
NAS-Port-Id = "7/0/0/153.1503"

--------------------------------------------------------------------------------

slot(4), module(1), port(3), inner vlan id(12), vlan id(12)

Binary representation of NAS-Port=1879676383:

0111 0 000 000010011001 010111011111
SSSS M PPP QQQQQQQQQQQQ VVVVVVVVVVVV

S=7     (0111)
M=0     (0)
P=0     (000)
Q=153   (000010011001)
V=1503  (010111011111)

-----------------------------------------

Pablo,

check this reference that may help:

https://supportforums.cisco.com/docs/DOC-23170#NasPortID

and another example:

! Nas-port computation for PPPoE(32) and if not pppoe then follow the
! global (non typed) logic
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU

xander
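An added example, not code from the thread or from Cisco: a small Python module that packs and unpacks the 32-bit NAS-Port integer for the bit layouts discussed above (Pablo's format-d decomposition, the format-e string in xander's reply, and Javier's proposed 24-port mask). The meanings of S, M, P, Q and V follow the posts; treating A as adapter/subslot and U as unused bits is an assumption, as is anything about IOS-XR behaviour beyond the bit widths themselves. The sample NAS-Port value is the one from the packet dump.

```python
# Added example (not from the thread or from Cisco): pack/unpack the 32-bit
# RADIUS NAS-Port integer for layouts like IOS "format d" and IOS-XR "format e".
# A layout string has one letter per bit, MSB first; a run of the same letter
# is one field and the run length is the field width. Letters S, M, P, Q, V are
# used as in the thread; A (adapter/subslot) and U (unused) are assumptions.
from itertools import groupby

# 4/1/3/12/12: the format-d layout from Pablo's decomposition of 1879676383.
FORMAT_D = "S" * 4 + "M" + "P" * 3 + "Q" * 12 + "V" * 12
# 2/2/4/10/10/4: the string "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU" from xander's reply.
FORMAT_E_XANDER = "SS" + "AA" + "PPPP" + "Q" * 10 + "V" * 10 + "UUUU"
# 2/1/5/12/12: Javier's proposed mask with a 5-bit port field for a 24-port card.
FORMAT_E_24PORT = "SS" + "A" + "P" * 5 + "Q" * 12 + "V" * 12


def fields(layout):
    """Return [(letter, width), ...] MSB first. Rejects anything that is not a
    contiguous 32-bit layout, since NAS-Port is a single 32-bit integer."""
    if len(layout) != 32:
        raise ValueError(f"layout must be exactly 32 bits, got {len(layout)}")
    seen, out = set(), []
    for letter, run in groupby(layout):
        if letter in seen:
            raise ValueError(f"field {letter!r} is split; fields must be contiguous")
        seen.add(letter)
        out.append((letter, len(list(run))))
    return out


def unpack(layout, nas_port):
    """Split a NAS-Port integer into {letter: value} according to layout."""
    if not 0 <= nas_port <= 0xFFFFFFFF:
        raise ValueError("NAS-Port is a 32-bit unsigned integer")
    values, shift = {}, 32
    for letter, width in fields(layout):
        shift -= width
        values[letter] = (nas_port >> shift) & ((1 << width) - 1)
    return values


def pack(layout, **values):
    """Build a NAS-Port integer from field values; unset fields are 0.
    Raises ValueError when a value does not fit its field (e.g. slot 7 in a
    layout that gives S only two bits)."""
    nas_port = 0
    for letter, width in fields(layout):
        v = values.get(letter, 0)
        if not 0 <= v < (1 << width):
            raise ValueError(f"{letter}={v} does not fit in {width} bit(s)")
        nas_port = (nas_port << width) | v
    return nas_port


def fits(layout, **values):
    """True when every value can be encoded in its field of layout."""
    try:
        pack(layout, **values)
    except ValueError:
        return False
    return True


def breakdown(layout, nas_port):
    """Render the binary groups the way Pablo's post does, e.g.
    '0111 0 000 000010011001 010111011111' for format d."""
    vals = unpack(layout, nas_port)
    return " ".join(format(vals[letter], f"0{width}b") for letter, width in fields(layout))


if __name__ == "__main__":
    sample = 1879676383  # NAS-Port from the access-request dump in the thread
    print(breakdown(FORMAT_D, sample), unpack(FORMAT_D, sample))
    # The same subscriber cannot be encoded with xander's 2/2/4/10/10/4 string:
    # slot 7 needs three bits (S has two) and inner VLAN 1503 needs eleven (V has ten).
    print("fits xander's format e:", fits(FORMAT_E_XANDER, S=7, A=0, P=0, Q=153, V=1503))
    # Javier's 5-bit port field does carry port 23 of a 24-port card.
    print("24-port mask:", hex(pack(FORMAT_E_24PORT, S=1, A=0, P=23, Q=153, V=1503)))
```

The `fits` check is the part worth keeping: before switching a BNG to a new format-e string, run the slot, port and VLAN ranges actually in use through it, because any field value that overflows its width is what silently breaks the "same NAS-Port value" requirement on the RADIUS side.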

Hi Xander,

May I know which type of algorithm (e.g. round-robin) is used in XR to access a set of RADIUS servers?

It is either in failover mode (the IOS default so to speak), or you can configure the least-outstanding methodology with a configurable batch size.

cheers

xander

Hi Xander,

What I meant to ask is: if there is a list of RADIUS servers and a request comes in, we want to configure that the first server will be used as primary for the first request, the second server as primary for the second request, and so on. By default, how do the RADIUS servers (from a list of servers) process the requests? Are there any commands available in XR for selecting the access method of the servers?

Yes I got that :), what you are describing is round-robin, which is a lame method and not preferred.

You can't configure that method in XR.

xander

Hi Xander,

Thanks for your reply. May I know which method XR is following? Please give me a response.

smailmilak
Level 4

Hi Xander, is there a way to get the delegated prefix in the RADIUS Start messages? We get it only after the session is terminated, in the Stop messages. We have the Framed-Prefix in the Start messages, but not the delegated one, which is also needed.

The pool for the framed and delegated prefix is on the BNG and under the dynamic-template. RADIUS is not sending those attributes to the BNG.