Mailing List Archive

dhcp "like" ppp aaa - maybe silly question ;-)
Is there a way to have username/password authentication/accounting (with radius) when
using dhcp, just like normal ppp?

If yes, is there a way to have per-user (security, qos) attributes applied through radius?


--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz@forthnet.gr>
***********************************
Re: dhcp "like" ppp aaa - maybe silly question ;-)
As an answer to myself, I found that only the auth scenario is possible, by using the "Agent
Remote ID Sub-option" of RFC3046. But I suppose only the "username" can be checked and not
the combination of username/password.
Is such an option supported by Cisco? If yes, how and where is this "username" configured?

Now about the acct scenario:

I found the following doc on CCO, but I can't understand if it's possible to have DHCP
accounting without SSG functionality. Can anybody help me?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftdhcpac.htm




Tassos Chatzithomaoglou wrote:

> Is there a way to have username/password authentication/accounting (with
> radius) when using dhcp, just like normal ppp?
>
> If yes, is there a way to have per-user (security, qos) attributes
> applied through radius?
>
>

--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz@forthnet.gr>
***********************************
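The option-82 approach in the post above, as an added example that is not code from the thread
or from Cisco: it parses the Relay Agent Information option out of a constructed DHCPDISCOVER,
takes sub-option 2 (Agent Remote ID) as the RADIUS User-Name, and builds an RFC 2865
Access-Request for it. Since the subscriber never types a password in this model, the NAS has to
send one it knows (here a fixed string; that, the sample packet, the remote-id "sub-00123" and
the shared secret are all assumptions of this example).

```python
"""Added example (not from the thread): pull the RFC 3046 Agent Remote ID out of a
DHCP message's option 82 and build a RADIUS Access-Request (RFC 2865) that uses it
as User-Name.  The CPE sends no password, so the NAS supplies a fixed one (an
assumption here); the DHCP bytes and shared secret below are constructed."""
import hashlib
import os
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2132 magic cookie
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_AGENT = 0, 255, 53, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes
RADIUS_ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2

def _parse_tlvs(data: bytes, top_level: bool) -> dict:
    """DHCP TLV walk; a length past the end is an error, never a silent truncation."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:       # pad/end exist only at top level
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        length, value = data[i + 1], data[i + 2:i + 2 + data[i + 1]]
        if len(value) != length:
            raise ValueError("TLV %d runs past end of data" % code)
        out[code] = out.get(code, b"") + value  # RFC 3396: split options concatenate
        i += 2 + length
    return out

def parse_dhcp_options(payload: bytes) -> dict:
    """{option_code: raw value} from a BOOTP/DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    return _parse_tlvs(payload[240:], top_level=True)

def remote_id_username(payload: bytes):
    """Agent Remote ID as str, or None if the relay added no option 82 / sub-option 2."""
    opts = parse_dhcp_options(payload)
    if OPT_RELAY_AGENT not in opts:
        return None
    rid = _parse_tlvs(opts[OPT_RELAY_AGENT], top_level=False).get(SUBOPT_REMOTE_ID)
    return rid.decode("ascii", "replace") if rid else None

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR block n with MD5(secret + c[n-1])."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(atype: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute %d value must be 1..253 bytes" % atype)
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident: int, username: str, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Access-Request carrying User-Name and a hidden User-Password."""
    authenticator = authenticator or os.urandom(16)   # fresh 16 random bytes per request
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    hdr = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return hdr + authenticator + attrs

# Constructed DHCPDISCOVER: 236-byte fixed header, cookie, option 53, then option 82
# with circuit-id "dslam1/1/3" and remote-id "sub-00123", terminated by option 255.
SAMPLE_DISCOVER = (
    bytes([1, 1, 6, 0]) + b"\x00" * 232 + DHCP_MAGIC
    + bytes([OPT_MSG_TYPE, 1, 1])
    + bytes([OPT_RELAY_AGENT, 23])
    + bytes([SUBOPT_CIRCUIT_ID, 10]) + b"dslam1/1/3"
    + bytes([SUBOPT_REMOTE_ID, 9]) + b"sub-00123"
    + bytes([OPT_END])
)
```

Calling remote_id_username(SAMPLE_DISCOVER) yields "sub-00123", and build_access_request(7,
"sub-00123", b"dhcp-fixed-pw", b"s3cret") gives the 49-byte request a RADIUS server would
see. Two checks matter operationally: the relay must discard any option 82 a client inserts
itself (RFC 3046, section 2.1.1), because this whole scheme trusts the DSLAM and not the CPE;
and a given Remote ID should only be accepted from the circuit it is bound to, otherwise
"authentication" degenerates to a guessable username.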
Re: dhcp "like" ppp aaa - maybe silly question ;-)
> Is there a way to have username/password authentication/accounting (with radius) when
> using dhcp, just like normal ppp?

> If yes, is there a way to have per-user (security, qos) attributes applied through radius?

Sounds like you're talking about 802.1X, or something like it, perhaps?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/123x/123xa/gt_802_1.htm
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/sw8021x.htm

What exact physical topology connects these users to the network?

Aaron
Re: dhcp "like" ppp aaa - maybe silly question ;-)
Aaron Leonard wrote:

>> Is there a way to have username/password authentication/accounting
>> (with radius) when
>> using dhcp, just like normal ppp?
>
>
>> If yes, is there a way to have per-user (security, qos) attributes
>> applied through radius?
>
>
> Sounds like you're talking about 802.1X, or something like it, perhaps?
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/123x/123xa/gt_802_1.htm
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/sw8021x.htm
>

Quite interesting... but 2 questions come to my mind:

1. What encapsulation does virtual-template use?
2. Is there a 802.1X accounting method?

>
> What exact physical topology connects these users to the network?
>

These users are terminated (RFC1483 Routing/Bridging) in a dslam and until now they just
get an ip through dhcp. We're trying to find a way in order to make them "behave" like ppp
users with username/password authentication/accounting, per-user attributes/qos, like we
do in all our other users through our radius servers.

> Aaron
>

--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz@forthnet.gr>
***********************************
Re: dhcp "like" ppp aaa - maybe silly question ;-)
> Aaron Leonard wrote:

> >> Is there a way to have username/password authentication/accounting
> >> (with radius) when
> >> using dhcp, just like normal ppp?
> >
> >
> >> If yes, is there a way to have per-user (security, qos) attributes
> >> applied through radius?
> >
> >
> > Sounds like you're talking about 802.1X, or something like it, perhaps?
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/123x/123xa/gt_802_1.htm
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/sw8021x.htm
> >

> Quite interesting.....but 2 questions come to my mind:

> 1. What encapsulation does virtual-template use?
> 2. Is there a 802.1X accounting method?

> >
> > What exact physical topology connects these users to the network?
> >

> These users are terminated (RFC1483 Routing/Bridging) in a dslam and until now they just
> get an ip through dhcp. We're trying to find a way in order to make them "behave" like ppp
> users with username/password authentication/accounting, per-user attributes/qos, like we
> do in all our other users through our radius servers.

Well, the right answer (I suppose you know this already) is
to switch from RFC-1483 to PPPoA or PPPoE. I'm not sure what
you can do with RFC-1483 ... maybe someone has some ideas?

Aaron
Re: dhcp "like" ppp aaa - maybe silly question ;-)
Aaron Leonard wrote:

>> Aaron Leonard wrote:
>
>
>> >> Is there a way to have username/password authentication/accounting
>> >> (with radius) when
>> >> using dhcp, just like normal ppp?
>> >
>> >
>> >> If yes, is there a way to have per-user (security, qos) attributes
>> >> applied through radius?
>> >
>> >
>> > Sounds like you're talking about 802.1X, or something like it, perhaps?
>> >
>> >
>> http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/123x/123xa/gt_802_1.htm
>>
>> >
>> >
>> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/sw8021x.htm
>>
>> >
>
>
>> Quite interesting.....but 2 questions come to my mind:
>
>
>> 1. What encapsulation does virtual-template use?
>> 2. Is there a 802.1X accounting method?
>
>
>> >
>> > What exact physical topology connects these users to the network?
>> >
>
>
>> These users are terminated (RFC1483 Routing/Bridging) in a dslam and
>> until now they just
>> get an ip through dhcp. We're trying to find a way in order to make
>> them "behave" like ppp
>> users with username/password authentication/accounting, per-user
>> attributes/qos, like we
>> do in all our other users through our radius servers.
>
>
> Well, the right answer (I suppose you know this already) is
> to switch from RFC-1483 to PPPoA or PPPoE. I'm not sure what
> you can do with RFC-1483 ... maybe someone has some ideas?
>

I'm using RFC1483 and not PPPoX for this scenario, because we're using video multicasting
and we want to have 1 multicast stream per dslam. If we use PPPoX, then we'll have many
streams from the bras to the dslam, because the user ppp/ip will be terminated on the
bras. Of course there is the solution of an ip dslam and we are going to have a further
look at it.

> Aaron
>

--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz@forthnet.gr>
***********************************
Re: dhcp "like" ppp aaa - maybe silly question ;-)
> >> These users are terminated (RFC1483 Routing/Bridging) in a dslam and
> >> until now they just
> >> get an ip through dhcp. We're trying to find a way in order to make
> >> them "behave" like ppp
> >> users with username/password authentication/accounting, per-user
> >> attributes/qos, like we
> >> do in all our other users through our radius servers.
> >
> >
> > Well, the right answer (I suppose you know this already) is
> > to switch from RFC-1483 to PPPoA or PPPoE. I'm not sure what
> > you can do with RFC-1483 ... maybe someone has some ideas?

> I'm using RFC1483 and not PPPoX for this scenario, because we're using video multicasting
> and we want to have 1 multicast stream per dslam. If we use PPPoX, then we'll have many
> streams from the bras to the dslam, because the user ppp/ip will be terminated on the
> bras. Of course there is the solution of an ip dslam and we are going to have a further
> look at it.

OK. I guess the SESM/SSG stuff could be brought to bear here. I'm not
at all up on that stuff, though.

http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/exdre_ds.htm
http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/ssgw_ds.htm
http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_315/solgde/01intro.htm

Aaron
Re: dhcp "like" ppp aaa - maybe silly question ;-)
Aaron Leonard wrote:

>> >> These users are terminated (RFC1483 Routing/Bridging) in a dslam and
>> >> until now they just
>> >> get an ip through dhcp. We're trying to find a way in order to make
>> >> them "behave" like ppp
>> >> users with username/password authentication/accounting, per-user
>> >> attributes/qos, like we
>> >> do in all our other users through our radius servers.
>> >
>> >
>> > Well, the right answer (I suppose you know this already) is
>> > to switch from RFC-1483 to PPPoA or PPPoE. I'm not sure what
>> > you can do with RFC-1483 ... maybe someone has some ideas?
>
>
>> I'm using RFC1483 and not PPPoX for this scenario, because we're using
>> video multicasting
>> and we want to have 1 multicast stream per dslam. If we use PPPoX,
>> then we'll have many
>> streams from the bras to the dslam, because the user ppp/ip will be
>> terminated on the
>> bras. Of course there is the solution of an ip dslam and we are going
>> to have a further
>> look at it.
>
>
> OK. I guess the SESM/SSG stuff could be brought to bear here. I'm not
> at all up on that stuff, though.
>
> http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/exdre_ds.htm
> http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/ssgw_ds.htm
> http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_315/solgde/01intro.htm
>
>

Well, SSG is a very sad story :-(

We tried to implement it (7200 = SSG), but the online CCO docs weren't helpful enough, so
we came to a dead end. We also contacted our local Cisco Account Manager/Partner for some
extra help/docs, but they also couldn't help us.

As it seems, Cisco tries to "hide" a lot of SSG information, but we can't understand why.
Or Cisco doesn't have a lot of experience with SSG !!!! Which I don't tend to believe
easily ;-)))

This is one of the few cases that we were very disappointed by CCO & Cisco :-(((


> Aaron
>

--
***********************************
Chatzithomaoglou Anastasios
Network Design & Operations Center
FORTHnet S.A.
<achatz@forthnet.gr>
***********************************