Mailing List Archive

Help configuring 2 radius servers in PPPoe
Hi,

I have a 7206VXR router connected to two radius servers and sending radius
attributes to those servers.

I have already set up the conf like this:

aaa group server radius test
 Server aaaa.aaaa.aaaa.aaaa auth-port 1812 acct-port 1813
 Server bbbb.bbbb.bbbb.bbbb auth-port 1812 acct-port 1813

And then

Radius-server host aaaa.aaaa.aaaa.aaaa auth-port 1812 acct-port 1813
Radius-server host bbbb.bbbb.bbbb.bbbb auth-port 1812 acct-port 1813

Radius-server key key_for_aaaa
Radius-server key key_for_bbbb

Radius-server vsa send accounting
Radius-server vsa send authentication

Is there any way to link each radius server (aaaa or bbbb) with its key (how
does it work? Is the key being sent to both radius aaaa and bbbb and then
radius checks against its own key?)

Also, I don't want to send the same accounting info to both of them (radius
aaaa will be for a specific category of users in a specific vlan and the same
goes for radius bbbb), as radius aaaa will be receiving a different set of
info than radius bbbb.

How can I achieve this? Is there any way to send some accounting info to
radius aaaa only for users in vlan aaaa and accounting info to radius bbbb
for users in vlan bbbb?

Thanks for your help.

________________________________________________________________________________

Paul
Re: Help configuring 2 radius servers in PPPoe [ In reply to ]
Do these customers use different Virtual-Templates? If so, I believe you
can assign the radius information in the Virtual-Template, overriding those
set at the global level.

Frank



From: cisco-bba-bounces@puck.nether.net
[mailto:cisco-bba-bounces@puck.nether.net] On Behalf Of Paul Cole
Sent: Thursday, October 08, 2009 5:12 AM
To: cisco-bba@puck.nether.net
Subject: [cisco-bba] Help configuring 2 radius servers in PPPoe



Re: Help configuring 2 radius servers in PPPoe [ In reply to ]
Hi Frank,

Yes, we have different virtual templates.

I’ve tried this set up but can’t get it to work so far:

aaa group server radius eti
 server 192.168.0.190 auth-port 1812 acct-port 1813
!
aaa group server radius billing
 server 192.168.0.200 auth-port 1812 acct-port 1813
!
aaa authentication login local_auth local
aaa authentication ppp default none
aaa authentication ppp eti group eti
aaa authentication ppp billing group billing
aaa authorization exec default none
aaa authorization exec eti group eti
aaa authorization exec billing group billing
aaa authorization network default none
aaa authorization network eti group eti
aaa authorization network billing group billing
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting exec eti start-stop group eti
aaa accounting exec billing start-stop group billing
aaa accounting network eti start-stop group eti
aaa accounting network billing start-stop group billing

bba-group pppoe clients_billing
 virtual-template 100
 sessions per-mac limit 1
!
bba-group pppoe clients_pppoe
 virtual-template 200
 sessions per-mac limit 1
!
!
interface FastEthernet0/0
 no ip address
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/0.55
 description interface Vlan des clients du billing
 encapsulation dot1Q 55
 pppoe enable group clients_billing
 no cdp enable
!
interface FastEthernet0/0.250
 description interface vlan des clients classiques
 encapsulation dot1Q 250
 ip address 172.20.20.1 255.255.255.0
 pppoe enable group clients_pppoe
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.0.210 255.255.255.0
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
!
interface Virtual-Template100
 description parametres connections clients billing
 mtu 1492
 ip unnumbered FastEthernet0/1
 load-interval 30
 peer default ip address pool Pool1
 ppp authentication pap
 ppp authorization billing
 ppp accounting billing
!
interface Virtual-Template200
 description parametres connections clients pppoe classiques
 mtu 1492
 ip unnumbered FastEthernet0/1
 load-interval 30
 peer default ip address pool etitest
 ppp authentication pap
 ppp authorization eti
 ppp accounting eti
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server host 192.168.0.190 auth-port 1812 acct-port 1813 key hello
radius-server host 192.168.0.200 auth-port 1812 acct-port 1813 key orange







I’ve tried this set up but the connection gets stuck at the LCP stage with
this error:

LCP: received AAA AUTHOR Response FAIL

Any hints?

________________________________________________________________________________

Paul

From: Frank Bulk - iName.com [mailto:frnkblk@iname.com]
Sent: Thursday, October 8, 2009 15:53
To: 'Paul Cole'; cisco-bba@puck.nether.net
Subject: RE: [cisco-bba] Help configuring 2 radius servers in PPPoe



Re: Help configuring 2 radius servers in PPPoe [ In reply to ]
>Is there any way to link each radius server (aaaa or bbbb)
>with its key (how does it work ? does the key being sent
>to both radius aaaa and bbbb and then radius checks against its own key ?

Maybe try defining a server-private which allows you to specify the key.

aaa group server radius TEST
server-private 192.168.2.2 auth-port 3647 acct-port 3648 key MYPASSWORD

You would have to run a second radius instance on those ports and key
defined above.

So one radius instance can answer on the default ports (eg: 1812/1813)
with your global key "Radius-server key key_for_aaaa". And the second
radius instance can answer on ports 3647/3648 for bbbb customers.


Hope that helps.

Cheers.

Andy


_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
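
On the question of how the key is used, and why it has to be tied to one server as in the server-private suggestion, here is an added example that is not part of any post in the thread. It follows the RFC 2865 rules for User-Password hiding and the Response Authenticator to show that the shared secret is never sent on the wire: each side only mixes it into MD5 computations. The key names are taken from the first post; the password and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

def _keystream_xor(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    # RFC 2865 section 5.2: b_i = MD5(secret + c_(i-1)), with c_0 = Request Authenticator.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        prev = xored if hiding else block  # always chain on the ciphertext block
        out += xored
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the NAS puts in the User-Password attribute of a PAP Access-Request."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _keystream_xor(padded, secret, request_auth, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What a RADIUS server recovers using the secret it holds for this NAS."""
    return _keystream_xor(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def nas_accepts(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator with the key configured for that server."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = build_reply(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected[4:20], reply[4:20])

# Constructed sample values; a real Request Authenticator is 16 random bytes.
REQUEST_AUTH = bytes(range(16))
KEY_A, KEY_B = b"key_for_aaaa", b"key_for_bbbb"
PAP_PASSWORD = b"constructed-pap-password"

if __name__ == "__main__":
    hidden = hide_password(PAP_PASSWORD, KEY_A, REQUEST_AUTH)
    print("same key :", reveal_password(hidden, KEY_A, REQUEST_AUTH))
    print("other key:", reveal_password(hidden, KEY_B, REQUEST_AUTH))
    reply = build_reply(2, 1, b"", REQUEST_AUTH, KEY_A)  # code 2 = Access-Accept
    print("NAS with key A accepts:", nas_accepts(reply, REQUEST_AUTH, KEY_A))
    print("NAS with key B accepts:", nas_accepts(reply, REQUEST_AUTH, KEY_B))
```

A server holding a different key recovers a garbage password, and a NAS holding a different key rejects an otherwise valid reply, which is why each server entry needs its own matching key on the router.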