Mailing List Archive

"NAS-Port = 0" with software upgrade on Cisco 7206VXR
When I was running 12.2(26) the NAS-Port that was reported to our RADIUS
server was the Virtual-Interface value (i.e. Vi435).

Sun Jun 22 00:56:11 2008 : Auth: Login OK: [daved] (from client dslam port 435)
Sun Jun 22 00:56:58 2008 : Auth: Login OK: [daved] (from client dslam port 435)
Sun Jun 22 00:57:59 2008 : Auth: Login OK: [daved] (from client dslam port 435)
Sun Jun 22 00:59:01 2008 : Auth: Login OK: [daved] (from client dslam port 435)

That was a really handy way to use the RADIUS logs to identify which
Virtual-Interface a person was on, so that I could go to the 7206VXR,
identify the VP/VC (show interface Vi435), and trace out which DSLAM port
they were on.

That's not the case anymore with 12.4(19b). Now they all show up as dslam
port 0:

Thu Jul 17 16:12:44 2008 : Auth: Login OK: [hum2321el] (from client dslam port 0)
Thu Jul 17 16:12:44 2008 : Auth: Login OK: [m123jilts] (from client dslam port 0)
Thu Jul 17 16:12:44 2008 : Auth: Login OK: [gwdf1h] (from client dslam port 0)
Thu Jul 17 16:12:44 2008 : Auth: Login OK: [abc123] (from client dslam port 0)

I've added "radius-server attribute nas-port format d" so that at least I
get a unique number that somehow represents the interface details, but I've
not seen any examples to convert these numbers into something I can
understand.

Fri Jul 18 13:09:52 2008 : Auth: Login OK: [khj] (from client dslam port 1073873726)
Fri Jul 18 13:09:55 2008 : Auth: Login OK: [dfsands6] (from client dslam port 1073873388)
Fri Jul 18 13:10:37 2008 : Auth: Login OK: [s44] (from client dslam port 1073742057)

I do see in my packet captures that a "NAS-Port-Id" (87) is sent to our RADIUS
server which contains the port/?/VP/VC, which is nice, but FreeRADIUS
doesn't appear to be able to log that, either, in its main log.

Any ideas how I can get back to having the NAS-Port return the
Virtual-Interface values (which are now in the Vi#.#### format) or to get
FreeRADIUS to log attribute 87 to the main log?

Regards,

Frank Bulk

_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
Re: "NAS-Port = 0" with software upgrade on Cisco 7206VXR
On Jul 18, 2008, at 6:55 PM, Frank Bulk wrote:
> I do see in my packet captures that a "NAS-Port-Id" (87) is sent to our
> RADIUS server which contains the port/?/VP/VC, which is nice, but
> FreeRADIUS doesn't appear to be able to log that, either, in its main log.
>
> Any ideas how I can get back to having the NAS-Port return the
> Virtual-Interface values (which are now in the Vi#.#### format) or to get
> FreeRADIUS to log attribute 87 to the main log?



Couple of things....

Add NAS-Port-Id to your RADIUS dictionary if it's not there.
FreeRADIUS should be able to log it once it knows about the attribute:

ATTRIBUTE NAS-Port-Id 87 string


The other way is if you have a RADIUS server flexible enough to
rewrite attributes, you can easily change the Port-Id into the values
you need, ie:

    my $nasport = $p->get_attr('NAS-Port');
    if (defined($nasport)) {
        # 32-bit layout implied by the shifts:
        # slot(4) | module(1) | port(3) | VPI(8) | VCI(16)
        my ($vci, $vpi, $port, $module, $slot) =
            ( ($nasport & 0xffff),
              (($nasport & 0xff0000) >> 16),
              (($nasport & 0x07000000) >> 24),
              (($nasport & 0x08000000) >> 27),   # module is the single bit 27
              (($nasport & 0xf0000000) >> 28) );

        my $cid = "$slot/$module/$port/$vpi.$vci";
    }

Basically with NAS-Port you need to shift the bits around to get the
values you need.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/
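
The bit-shifting described in the reply above, applied to the "format d" NAS-Port values quoted in the first message, so that each authenticated login in the FreeRADIUS main log can be tied back to a physical circuit. This is an added example, not code from the thread; it assumes the layout implied by the Perl masks (4-bit slot, 1-bit module at bit 27 to match the >> 27 shift, 3-bit port, 8-bit VPI, 16-bit VCI), and the function names are illustrative.

```python
import re

# Field layout implied by the masks and shifts in the Perl snippet
# (assumption: NAS-Port is a 32-bit integer): name, shift, width in bits.
FIELDS = (("slot", 28, 4), ("module", 27, 1), ("port", 24, 3),
          ("vpi", 16, 8), ("vci", 0, 16))

# Matches the FreeRADIUS main-log lines quoted in this thread.
LOGIN_RE = re.compile(
    r"Auth: Login OK: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)")


def decode_nas_port(value):
    """Split a format-d NAS-Port integer into its fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"NAS-Port {value} does not fit in 32 bits")
    return {name: (value >> shift) & ((1 << width) - 1)
            for name, shift, width in FIELDS}


def circuit_id(value):
    """Render slot/module/port/vpi.vci, or None when the NAS sent 0."""
    if value == 0:
        return None  # nothing encoded, as in the "port 0" log lines
    f = decode_nas_port(value)
    return f"{f['slot']}/{f['module']}/{f['port']}/{f['vpi']}.{f['vci']}"


def annotate(lines):
    """Yield (user, client, circuit) for each Login OK line."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            yield m["user"], m["client"], circuit_id(int(m["port"]))


# Log lines copied from the first message in this thread (unwrapped).
SAMPLE = [
    "Fri Jul 18 13:09:52 2008 : Auth: Login OK: [khj] (from client dslam port 1073873726)",
    "Fri Jul 18 13:09:55 2008 : Auth: Login OK: [dfsands6] (from client dslam port 1073873388)",
    "Fri Jul 18 13:10:37 2008 : Auth: Login OK: [s44] (from client dslam port 1073742057)",
    "Thu Jul 17 16:12:44 2008 : Auth: Login OK: [abc123] (from client dslam port 0)",
]

if __name__ == "__main__":
    for user, client, circuit in annotate(SAMPLE):
        print(f"{user:10} {client:6} {circuit or 'NAS-Port carries no circuit data'}")
```

The decoder only gives meaningful results when the NAS is known to be sending format d; a legacy value such as 435 would decode to a circuit that does not exist.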



Re: "NAS-Port = 0" with software upgrade on Cisco 7206VXR
I checked and the NAS-Port-Id is in the dictionary, but it doesn't log it to
the regular log file.

I'm looking into re-writing the NAS-Port internet into something like you
described: $slot/$module/$port/$vpi.$vci.

But I'm still at a loss how to get the NAS-Port to reflect the virtual
interface number rather than the incoming location.

Regards,

Frank

Re: "NAS-Port = 0" with software upgrade on Cisco 7206VXR
On Jul 19, 2008, at 12:32 AM, Frank Bulk wrote:
> I checked and the NAS-Port-Id is in the dictionary, but it doesn't log it to
> the regular log file.
>
> I'm looking into re-writing the NAS-Port internet into something like you
> described: $slot/$module/$port/$vpi.$vci.
>
> But I'm still at a loss how to get the NAS-Port to reflect the virtual
> interface number rather than the incoming location.



http://www.cisco.com/en/US/customer/docs/ios/12_2t/secure/command/reference/sftrad.html#wp1053876

and then the actual bit layout:


http://www.cisco.com/en/US/customer/docs/ios/12_1t/12_1t5/feature/guide/dtppprad.html


--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/



Re: "NAS-Port = 0" with software upgrade on Cisco 7206VXR
Yes, I've read that documentation.

But that's still outputting NAS-Port details as bits, not human-readable
text. Alternately, I'm willing to go back to how it was in 12.2(26) where
the NAS-Port value was the Virtual-Interface value, but that's not any of
the options in "radius-server attribute nas-port format".

It seems I'm at an impasse.

Frank

Re: "NAS-Port = 0" with software upgrade on Cisco 7206VXR
On Jul 19, 2008, at 12:52 PM, Frank Bulk - iNAME wrote:
> But that's still outputting NAS-Port details as bits, not human-readable
> text. Alternately, I'm willing to go back to how it was in 12.2(26) where
> the NAS-Port value was the Virtual-Interface value, but that's not any of
> the options in "radius-server attribute nas-port format".
>
> It seems I'm at an impasse.



Doesn't your RADIUS session-id contain the PVC info?

Mine look like:

1/0/0/25.70_000B71D5


When using 12.2SB...


Ultimately I'd find out why your RADIUS server is not logging the
NAS-Port-Id.... that's the new attribute that *should* be used
specifically for this purpose.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/



Re: "NAS-Port = 0" with software upgrade on Cisco 7206VXR
I'm trying to figure out a way for FreeRADIUS to log the NAS-Port-Id but I'm
not having much success on that listserv. Last (and most viable)
recommendation was to use rlm_linelog, but there doesn't seem to be much
documentation on that extra module. For those familiar with ISC's DHCP
server, it's pretty straightforward to modify the logging to include
options listed in the DHCP Request, but that's not the case with FreeRADIUS.

I'm running 12.4(19b), which may return things differently than 12.2(SB).

Thanks,

Frank

Re: "NAS-Port = 0" with software upgrade on Cisco 7206VXR
On Jul 19, 2008, at 6:39 PM, Frank Bulk - iNAME wrote:
> I'm trying to figure out a way for FreeRADIUS to log the NAS-Port-Id but I'm
> not having much success on that listserv. Last (and most viable)
> recommendation was to use rlm_linelog, but there doesn't seem to be much
> documentation on that extra module. For those familiar with ISC's DHCP
> server, it's pretty straightforward to modify the logging to include
> options listed in the DHCP Request, but that's not the case with FreeRADIUS.
>
> I'm running 12.4(19b), which may return things differently than 12.2(SB).



Seems odd. So long as the attributes are in your dictionary and the
NAS is sending them, FreeRADIUS should be logging them. If it's not,
then it must be doing some type of filtering on specific attributes.
NAS-Port-Id is a standard RADIUS attribute and not a VSA, so I don't
see what the big deal is.

We also get the same information via Option82 and log it with
isc-dhcpd.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/


