Mailing List Archive

Cisco as LAC
Hi All,

I posted this to the Cisco NSP list but I should try here too!

We take wholesale ADSL from multiple providers but also are an LLU
provider with on-net ADSL.

I'm trying to configure up an LAC in our lab but not getting anywhere...

I have seen an old post here where a guy wants to set up an LAC but
it's pretty straightforward, just forwarding tunnels on to an LNS:
http://www.gossamer-threads.com/lists/cisco/bba/82134

I am trying in the lab to create a LAC config that will query our
RADIUS for PPP authentication because the RADIUS will return different
tunnel end points based on the user authenticating in.

With the RADIUS responses to our wholesale providers
user@customer1.net will prefer LNS1 and user@customer2.net will prefer
LNS2. I wish to re-create this internally. All config examples and
guides I can find on the internet are for creating static VPDN groups
that initiate a tunnel to 1.2.3.4 for users that match domain
customer1.net. I would have to create a VPDN group for every domain.

Does Cisco IOS not support more typical wholesale LAC features
operating on the output of RADIUS and also supporting the concept of
query RADIUS IP 1.1.1.1 for all @domain1.net users and query RADIUS
2.2.2.2 for all @domain2.net user queries?

I am labbing this with 7200 series routers running
c7200-advipservicesk9-mz.152-4.M7.bin. We also have ASRs but I was
hoping to stick to these very well known platforms first then try the
ASRs.

Cheers,
James.
_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
Re: Cisco as LAC
Hi James,
There is an example here: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/4675-vpdn-rad.html

which shows the LAC, LNS & RADIUS configs required. In this example they have two local (terminated on LAC) users and one that is handed off to another LNS.
Hopefully you should be able to extrapolate it to what you need.

regards,
Tony.
From: James Bensley <jwbensley@gmail.com>
To: cisco-bba@puck.nether.net
Sent: Friday, 5 December 2014, 3:12
Subject: [cisco-bba] Cisco as LAC
Re: Cisco as LAC
Thanks for the input Tony.

I have read through the following pages, everything seems pretty
straightforward, however my lab LAC still isn't working correctly:

http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/4675-vpdn-rad.html
http://www.cisco.com/c/en/us/support/docs/dial-access/virtual-private-dialup-network-vpdn/23981-l2tp-23981.html
http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/access-registrar/13835-multi-avpairs.html
http://www.ciscopress.com/articles/article.asp?p=422947&seqNum=8

I have a lab CPE, LAC and LNS. The lab LAC and LNS are both configured
to use the same lab RADIUS server which has a record for the domain
example.net (which I want the LAC to query) and a record for the user
(which I want the LNS to eventually query).

What happens is a PPPoE request comes in to the LAC from the CPE with
CHAP authentication containing hostname "testuser@example.net". The
LAC sends an access-request to the lab RADIUS server just for
"example.net", RADIUS responds with access-accept and the details to
initiate the L2TP tunnel to the LNS. Next the LAC sends in another
access-request for the full username "testuser@example.net" and the
RADIUS responds with the access-request and the user profile. The LAC
terminates the connection locally and it never gets forwarded on to
the LNS.

I'm a bit stumped as the config is so basic in those examples (they
are all also from 2006 and 2005 though!).

Cheers,
James.


LAC CONFIG (c7200-advipservicesk9-mz.152-4.M7.bin):

aaa new-model
!
aaa group server radius CUST-RAD
server name radius1
ip radius source-interface FastEthernet0/1
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
aaa session-id common

vpdn enable
vpdn multihop

bba-group pppoe global
virtual-template 1

interface FastEthernet0/0
description Link to LAB-CPE fa0/0
no ip address
duplex auto
speed auto
pppoe enable group global
!
interface FastEthernet0/1
description Link to LAB-LNSfa0/1
mtu 1530
ip address 192.0.2.8 255.255.255.254
duplex auto
speed auto
!
interface Virtual-Template1
description PPPoE for Wholesale-Customer-1
no ip address
no ip redirects
no ip proxy-arp
no logging event link-status
no peer default ip address
ntp disable
keepalive 20 3
ppp authentication pap chap

radius server radius1
address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
key 7 1234



RADIUS debug on LAC (freeradius 2.1.12):

*Dec 10 16:40:47.334: RADIUS(00000044): Send Access-Request to
192.0.2.1:1812 id 1645/51, len 84
*Dec 10 16:40:47.334: RADIUS: authenticator 45 D1 A3 05 FF E9 8F 81 -
78 49 4B DF B6 A3 3D F1
*Dec 10 16:40:47.334: RADIUS: User-Name [1] 13 "example.net"
*Dec 10 16:40:47.334: RADIUS: User-Password [2] 18 *
*Dec 10 16:40:47.334: RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
*Dec 10 16:40:47.338: RADIUS: NAS-Port [5] 6 0
*Dec 10 16:40:47.338: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"
*Dec 10 16:40:47.338: RADIUS: Service-Type [6] 6 Outbound
[5]
*Dec 10 16:40:47.338: RADIUS: NAS-IP-Address [4] 6 192.0.2.8
*Dec 10 16:40:47.338: RADIUS(00000044): Sending a IPv4 Radius Packet
*Dec 10 16:40:47.342: RADIUS(00000044): Started 5 sec timeout
*Dec 10 16:40:47.402: RADIUS: Received from id 1645/51 192.0.2.1:1812,
Access-Accept, len 202
*Dec 10 16:40:47.410: RADIUS: authenticator 56 16 A4 6B EB 07 3C 6E -
DF C8 0D 6D 55 47 1F 22
*Dec 10 16:40:47.410: RADIUS: Service-Type [6] 6 Outbound
[5]
*Dec 10 16:40:47.418: RADIUS: Vendor, Cisco [26] 29
*Dec 10 16:40:47.418: RADIUS: Cisco AVpair [1] 23
"vpdn:tunnel-type=l2tp"
*Dec 10 16:40:47.430: RADIUS: Vendor, Cisco [26] 36
*Dec 10 16:40:47.434: RADIUS: Cisco AVpair [1] 30
"vpdn:tunnel-id=lns-provider1"
*Dec 10 16:40:47.438: RADIUS: Vendor, Cisco [26] 33
*Dec 10 16:40:47.442: RADIUS: Cisco AVpair [1] 27
"vpdn:ip-address=192.0.2.2"
*Dec 10 16:40:47.446: RADIUS: Vendor, Cisco [26] 32
*Dec 10 16:40:47.450: RADIUS: Cisco AVpair [1] 26
"vpdn:source-ip=192.0.2.8"
*Dec 10 16:40:47.454: RADIUS: Vendor, Cisco [26] 46
*Dec 10 16:40:47.458: RADIUS: Cisco AVpair [1] 40 *
*Dec 10 16:40:47.466: RADIUS(00000044): Received from id 1645/51
*Dec 10 16:40:47.598: RADIUS/ENCODE(00000044):Orig. component type = PPPoE
*Dec 10 16:40:47.602: RADIUS/ENCODE(00000044): Unsupported AAA attribute clid-mac-addr
*Dec 10 16:40:47.614: RADIUS: AAA Unsupported Attr: interface
[221] 7 1790217048
*Dec 10 16:40:47.618: RADIUS: AAA Unsupported Attr:
client-mac-address[44] 14 1790217100
*Dec 10 16:40:47.626: RADIUS(00000044): Config NAS IP: 192.0.2.8
*Dec 10 16:40:47.626: RADIUS(00000044): Config NAS IPv6: ::
*Dec 10 16:40:47.630: RADIUS/ENCODE(00000044): acct_session_id: 63
*Dec 10 16:40:47.634: RADIUS(00000044): sending
*Dec 10 16:40:47.650: RADIUS(00000044): Send Access-Request to
192.0.2.1:1812 id 1645/52, len 100
*Dec 10 16:40:47.654: RADIUS: authenticator E5 12 DB 6D EE C9 E3 4E -
1F 4C B8 7B 76 D2 C3 0E
*Dec 10 16:40:47.658: RADIUS: Framed-Protocol [7] 6 PPP
[1]
*Dec 10 16:40:47.662: RADIUS: User-Name [1] 22
"testuser@example.net"
*Dec 10 16:40:47.666: RADIUS: CHAP-Password [3] 19 *
*Dec 10 16:40:47.670: RADIUS: NAS-Port-Type [61] 6 Virtual
[5]
*Dec 10 16:40:47.674: RADIUS: NAS-Port [5] 6 0
*Dec 10 16:40:47.678: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"
*Dec 10 16:40:47.686: RADIUS: Service-Type [6] 6 Framed
[2]
*Dec 10 16:40:47.690: RADIUS: NAS-IP-Address [4] 6 192.0.2.8
*Dec 10 16:40:47.698: RADIUS(00000044): Sending a IPv4 Radius Packet
*Dec 10 16:40:47.702: RADIUS(00000044): Started 5 sec timeout

*Dec 10 16:40:47.862: RADIUS: Received from id 1645/52 192.0.2.1:1812,
Access-Accept, len 120
*Dec 10 16:40:47.862: RADIUS: authenticator 45 95 72 FE 30 81 EB 6F -
F1 B3 79 70 A0 66 5C 56
*Dec 10 16:40:47.862: RADIUS: Service-Type [6] 6 Framed
[2]
*Dec 10 16:40:47.862: RADIUS: Framed-Protocol [7] 6 PPP
[1]
*Dec 10 16:40:47.862: RADIUS: Framed-MTU [12] 6 1500
*Dec 10 16:40:47.862: RADIUS: Framed-IP-Address [8] 6 10.0.0.1
*Dec 10 16:40:47.862: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
*Dec 10 16:40:47.862: RADIUS: Framed-Compression [13] 6 VJ TCP/IP
Header Compressi[1]
*Dec 10 16:40:47.862: RADIUS: Session-Timeout [27] 6 0
*Dec 10 16:40:47.862: RADIUS: Idle-Timeout [28] 6 300
*Dec 10 16:40:47.862: RADIUS: Vendor, Cisco [26] 52
*Dec 10 16:40:47.866: RADIUS: Cisco AVpair [1] 46
"lcp:interface-config=ip unnumbered Loopback0"
Re: Cisco as LAC
After a tea break I have seen that those AV pairs are having no effect.

Switching to the correct ones was a good idea ;)

#example.net Cleartext-Password := "cisco"
# Service-Type = Outbound-User,
# Cisco-AVPair = "vpdn:tunnel-type=l2tp",
# Cisco-AVPair += "vpdn:tunnel-id=lns-provider1",
# Cisco-AVPair += "vpdn:ip-address=192.0.2.2",
# Cisco-AVPair += "vpdn:source-ip=192.0.2.8",
# Cisco-AVPair += "vpdn:l2tp-tunnel-password=L2TPPassword"

example.net Cleartext-Password := "cisco"
Service-Type = Outbound-User,
Tunnel-Type = L2TP,
Tunnel-Medium-Type = IP,
Tunnel-Client-Auth-ID = lac-provider1,
Tunnel-Server-Auth-ID = lns-provider1,
Tunnel-Password = L2TPPassword,
Tunnel-Server-Endpoint = 192.0.2.2

Everything works fine now between the LAC and LNS :)

Now I can work on RADIUS proxy capabilities.

Thanks to all for the off-list replies.

James.
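As an added example (not code from the thread, from Cisco or from FreeRADIUS), here is a small Python checker for the IOS "debug radius" output James posted, covering both the failing exchange (Cisco "vpdn:*" AVpairs in the domain Access-Accept, which this LAC did not act on) and the working one (the RFC 2868 Tunnel-* attributes from the corrected users entry). It splits the debug into packets, decodes each attribute line, and reports per Access-Accept whether the LAC has what it needs to forward the session to an LNS or will terminate it locally, which is the symptom in the thread. The sample debug lines are constructed, modelled on the posted output and trimmed to one attribute per line; the exact rendering IOS uses for Tunnel-* lines is an assumption, which is why the code matches those attributes by RFC 2868 number rather than by name.

```python
import re

# Added example, not from the thread. Diagnoses whether a LAC's domain lookup reply
# carries RFC 2868 tunnel attributes (what the working users entry sends) or only
# Cisco "vpdn:*" AVpairs (what the thread found had no effect on this LAC).

# RFC 2868 attribute numbers. Matching by number survives the name truncation
# IOS applies in debug output (e.g. "Tunnel-Server-Endpoi[67]").
RFC2868 = {
    64: "Tunnel-Type",
    65: "Tunnel-Medium-Type",
    66: "Tunnel-Client-Endpoint",
    67: "Tunnel-Server-Endpoint",
    69: "Tunnel-Password",
    90: "Tunnel-Client-Auth-ID",
    91: "Tunnel-Server-Auth-ID",
}

# Packet headers: "RADIUS(00000044): Send Access-Request to ..." and
# "RADIUS: Received from id 1645/51 ..., Access-Accept, len 202"
PKT_RE = re.compile(r"RADIUS(?:\(\w+\))?: (?:Send|Received from) .*?(?P<code>Access-(?:Request|Accept|Reject))")
# Attribute lines: 'RADIUS: User-Name [1] 13 "example.net"'; tolerates a missing space before "[".
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[A-Za-z][\w -]*?)\s*\[(?P<id>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$")

# Constructed sample 1: the domain lookup as posted, reply uses Cisco vpdn:* AVpairs.
AVPAIR_DEBUG = """
*Dec 10 16:40:47.334: RADIUS(00000044): Send Access-Request to 192.0.2.1:1812 id 1645/51, len 84
*Dec 10 16:40:47.334: RADIUS: User-Name [1] 13 "example.net"
*Dec 10 16:40:47.334: RADIUS: User-Password [2] 18 *
*Dec 10 16:40:47.334: RADIUS: Service-Type [6] 6 Outbound [5]
*Dec 10 16:40:47.402: RADIUS: Received from id 1645/51 192.0.2.1:1812, Access-Accept, len 202
*Dec 10 16:40:47.410: RADIUS: Service-Type [6] 6 Outbound [5]
*Dec 10 16:40:47.418: RADIUS: Vendor, Cisco [26] 29
*Dec 10 16:40:47.418: RADIUS: Cisco AVpair [1] 23 "vpdn:tunnel-type=l2tp"
*Dec 10 16:40:47.434: RADIUS: Cisco AVpair [1] 30 "vpdn:tunnel-id=lns-provider1"
*Dec 10 16:40:47.442: RADIUS: Cisco AVpair [1] 27 "vpdn:ip-address=192.0.2.2"
*Dec 10 16:40:47.450: RADIUS: Cisco AVpair [1] 26 "vpdn:source-ip=192.0.2.8"
*Dec 10 16:40:47.458: RADIUS: Cisco AVpair [1] 40 *
"""

# Constructed sample 2: the same lookup after switching to RFC 2868 attributes
# (line rendering assumed; values taken from the corrected users entry).
RFC2868_DEBUG = """
*Dec 10 16:41:02.100: RADIUS: Received from id 1645/53 192.0.2.1:1812, Access-Accept, len 130
*Dec 10 16:41:02.100: RADIUS: Service-Type [6] 6 Outbound [5]
*Dec 10 16:41:02.100: RADIUS: Tunnel-Type [64] 6 00:L2TP [3]
*Dec 10 16:41:02.100: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
*Dec 10 16:41:02.100: RADIUS: Tunnel-Client-Auth-ID [90] 15 00:"lac-provider1"
*Dec 10 16:41:02.100: RADIUS: Tunnel-Server-Auth-ID [91] 15 00:"lns-provider1"
*Dec 10 16:41:02.100: RADIUS: Tunnel-Password [69] 21 *
*Dec 10 16:41:02.100: RADIUS: Tunnel-Server-Endpoint [67] 11 00:"192.0.2.2"
"""


def clean_value(raw):
    """Normalise a debug value: drop enum index "[5]", RFC 2868 tag "00:", and quotes."""
    value = re.sub(r"\s*\[\d+\]$", "", raw.strip())
    value = re.sub(r"^\d\d:", "", value)
    return value.strip('"')


def parse_packets(debug_text):
    """Group attribute lines under the Access-* packet header that precedes them."""
    packets = []
    for line in debug_text.splitlines():
        header = PKT_RE.search(line)
        if header:
            packets.append({"code": header.group("code"), "attrs": []})
            continue
        attr = ATTR_RE.search(line)
        if attr and packets:
            packets[-1]["attrs"].append(
                (attr.group("name").strip(), int(attr.group("id")), clean_value(attr.group("value")))
            )
    return packets


def realm_of(username):
    """Domain the LAC looks up first: 'testuser@example.net' -> 'example.net'."""
    return username.rpartition("@")[2] if "@" in username else None


def tunnel_decision(packet):
    """Classify one Access-Accept: forward to an LNS or terminate the PPP session locally."""
    rfc, avpairs = {}, []
    for name, attr_id, value in packet["attrs"]:
        if attr_id in RFC2868 and not name.startswith("Cisco"):
            rfc[RFC2868[attr_id]] = value
        elif name == "Cisco AVpair" and value.startswith("vpdn:"):
            avpairs.append(value)
    required = ["Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Server-Endpoint"]
    missing = [key for key in required if key not in rfc]
    forward = not missing and rfc["Tunnel-Type"] == "L2TP"
    warnings = []
    if avpairs and not forward:
        warnings.append("only vpdn:* AVpairs present; send RFC 2868 Tunnel-* attributes instead")
    if forward and "Tunnel-Password" not in rfc:
        warnings.append("no Tunnel-Password: tunnel authentication with the LNS, if enabled, will fail")
    return {"forward": forward, "endpoint": rfc.get("Tunnel-Server-Endpoint"),
            "missing": missing, "vpdn_avpairs": avpairs, "rfc2868": rfc, "warnings": warnings}


def report(debug_text):
    """Decisions for every Access-Accept in a debug capture, in order."""
    return [tunnel_decision(p) for p in parse_packets(debug_text) if p["code"] == "Access-Accept"]


if __name__ == "__main__":
    for label, text in (("vpdn AVpairs", AVPAIR_DEBUG), ("RFC 2868", RFC2868_DEBUG)):
        for decision in report(text):
            verdict = "forward to %s" % decision["endpoint"] if decision["forward"] else "terminate locally"
            print("%-13s -> %s; missing=%s; warnings=%s" % (label, verdict, decision["missing"], decision["warnings"]))
```

Running it prints "terminate locally" for the AVpair reply, with all three required Tunnel-* attributes listed as missing, and "forward to 192.0.2.2" for the RFC 2868 reply; paste a real capture into the samples to check a lab LAC the same way. The three-attribute requirement reflects the thread's working entry, not an exhaustive statement of what IOS accepts.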