Mailing List Archive

asr 1001-x as LNS and ipv6 CPEs : dhcpv6 problem
Hello,

I'm trying to deploy IPv6 for our PPP customers. Our LNS is an asr-1001x,
which works just fine for ipv4.

I have a strange behavior when trying to push IPv6 (NA + PD) to the client
CPE (cisco 800 in my lab).

*Here's my CPE dialer config :*

interface Dialer1
 mtu 1460
 ip address negotiated
 ip access-group ACL_dialer1_in in
 ip nat outside
 no ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ipv6 address autoconfig default
 ipv6 enable
 no ipv6 nd ra suppress
 ipv6 dhcp client pd DHCPv6
 ppp authentication chap callin
 ppp chap hostname user@realm
 ppp chap password 7 xxxxxxxxxxxxxx
end

*Here's my LNS config relevant parts :*

aaa authorization configuration DHCPv6-PD group radius

ipv6 dhcp pool IPv6_DHCP_POOL
 prefix-delegation aaa method-list DHCPv6-PD lifetime 7200 300
 address prefix 2A06:A402:1::/56
 accounting default

interface Virtual-Template285
 mtu 1492
 ip unnumbered Loopback285
 no ip redirects
 ip access-group VC_BE_out in
 ip tcp adjust-mss 1420
 no peer default ip address
 peer default ipv6 pool IPv6_DHCP_POOL
 ipv6 unnumbered Loopback285
 ipv6 enable
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp server IPv6_DHCP_POOL
 no ppp lcp fast-start
 ppp authentication pap chap
 ppp ipcp dns x.x.x.x x.x.x.x
 ppp ipcp address required
 ppp ipcp address unique
 ppp ipv6cp address unique
end


So I want to give an ipv6 from 2A06:A402:1::/56 as NA address for the CPE,
and PD is given by my radius with dhcp

The problem I have is the following :
the moment I add "ipv6 dhcp server IPv6_DHCP_POOL" in my virtual-template
configuration on the LNS, the LNS sends another access request to my
radius with username = user@realm*-dhcpv6.*

as this user is unknown on my radius, it gets an access-reject and the
CPE's PPP session goes down.

I can't find where this "-dhcpv6" suffix comes from, and I did not find doc
about it.

Can anyone help me please ? I'm going crazy !
Regards
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: asr 1001-x as LNS and ipv6 CPEs : dhcpv6 problem [ In reply to ]
Replying to myself :

The "-dhcpv6" stuff appears when the radius does not reply to the
access-request with a "Delegated-IPv6-Prefix" field.
That may be a quite useful thing, but it's a shame it breaks the IPv4 part
of the dialer if user@realm*-dhcpv6* does not exist !

if somebody knows any doc or RFC that refers to that...

Regards

On Wed, 19 Jan 2022 at 14:59, BASSAGET Cédric <cedric.bassaget.ml@gmail.com>
wrote:

Re: asr 1001-x as LNS and ipv6 CPEs : dhcpv6 problem [ In reply to ]
Hello,
I fixed all of my problems except one : the IA NA dynamically attributed to
the PPP client (from pool 2A06:A402:1::/56) does not appear in the ipv6
routing table (sho ipv6 route). Only the IA PD appears :

asr-1k1-pa3-1#show ipv6 dhcp binding
Client: FE80::A
  DUID: 0003000108553159A447
  Username : user@realm
  VRF : default
  Interface : Virtual-Access2.92
  IA PD: IA ID 0x0000000A, T1 150, T2 240
    Prefix: 2A06:a402:100::/48
            preferred lifetime 300, valid lifetime 7200
            expires at Jan 25 2022 01:41 PM (7137 seconds)
  IA NA: IA ID 0x0000000A, T1 43200, T2 69120
    Address: 2A06:A402:1:56:8055:BF4:x:x
            preferred lifetime 86400, valid lifetime 172800
            expires at Jan 27 2022 11:41 AM (172737 seconds)

asr-1k1-pa3-1#sh ipv6 route interface virtual-access 2.92
S   2A06:A402:100::/48 [1/0]
     via FE80::A, Virtual-Access2.92

I've been looking for a way to resolve this for days but I did not find any
answer.
If anyone knows...

Regards
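
Added example, not part of the original post: a Python cross-check of the two outputs shown in this message that lists every DHCPv6 binding (IA PD prefix or IA NA address) with no exact-match entry in the routing table. The sample text is constructed with the 2001:db8::/32 documentation prefix, and the exact-match rule (a /128 for each IA NA) is an assumption about what should be installed.

```python
import ipaddress
import re

# Constructed sample in the format of "show ipv6 dhcp binding" / "show ipv6 route"
# (documentation prefix 2001:db8::/32, not the poster's real addresses).
BINDING = """\
Client: FE80::A
  DUID: 0003000108553159A447
  Username : user@realm
  Interface : Virtual-Access2.92
  IA PD: IA ID 0x0000000A, T1 150, T2 240
    Prefix: 2001:DB8:100::/48
  IA NA: IA ID 0x0000000A, T1 43200, T2 69120
    Address: 2001:DB8:1:56:8055:BF4:1:2
"""
ROUTES = """\
S   2001:DB8:100::/48 [1/0]
     via FE80::A, Virtual-Access2.92
"""

# A route line starts with a code token, then the prefix, then [distance/metric].
ROUTE_RE = re.compile(r"^\S+\s+([0-9A-Fa-f:]+/\d+)\s+\[")

def parse_bindings(text):
    """Yield (interface, kind, network) for each IA PD prefix and IA NA address."""
    iface = None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Interface":
            iface = value
        elif key == "Prefix":
            yield iface, "IA_PD", ipaddress.ip_network(value)
        elif key == "Address":
            # Assumption: an assigned address should show up as a /128 host route.
            yield iface, "IA_NA", ipaddress.ip_network(value + "/128")

def parse_routes(text):
    """Return the set of prefixes that have an entry in the route output."""
    found = (ROUTE_RE.match(line) for line in text.splitlines())
    return {ipaddress.ip_network(m.group(1)) for m in found if m}

def missing_routes(binding_text, route_text):
    """Return bindings that have no exact-match route."""
    routes = parse_routes(route_text)
    return [(i, k, str(n)) for i, k, n in parse_bindings(binding_text)
            if n not in routes]

if __name__ == "__main__":
    for iface, kind, net in missing_routes(BINDING, ROUTES):
        print(f"{iface}: {kind} {net} has no route")
```
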

On Wed, 19 Jan 2022 at 16:19, BASSAGET Cédric <cedric.bassaget.ml@gmail.com>
wrote:
