FreeRadius + Cisco VPDN with multiple VRFs not working
Jasper Jans
jasper.jans at gmail.com
Thu Aug 12 17:01:11 CEST 2010
Hi,
I hope someone on this list still knows how to build this...
We have an old setup that authenticates ISDN dial-in users and puts them in
a Cisco VRF depending on which user authenticates.
However, this was all built about eight years ago using home-grown
radius servers, etc.
At the moment I'm trying to build a new platform using FreeRadius but I get
stuck it seems at some point during the authentication
and setup of the session.
A quick overview of the setup:
Cisco 180x as dial-in router
Cisco AS5350 (NAS terminating the ISDN call) running
IOS c5350-jk9s-mz.124-15.T9.bin
Cisco 7200 (VHG/PE terminating the VPDN tunnel and ultimately the PPP
session) running IOS c7200-jk9s-mz.123-20.bin
Freeradius v1.1.3 (default that ships with CentOS 5.5) using MySQL as a
backend.
I manage to get the call to dial in, the NAS to set up the VPDN tunnel and
the VHG to send the radius request to terminate the PPP
session. I actually see that the virtual-template gets cloned to a
virtual-access interface - however after a few sessions the connection
drops and if I issue a "show run" on the virtual-access interface it does
not seem to have any config on it.
I've included the output of a debug of both the VHG as well as of the radius
server at the end of this mail. I've also included the running
configuration of the AS5350 and 7200 in case I did something wrong there. I
realize this makes for a rather large email - my apologies.
I hope someone can tell me what it is that I'm doing wrong.
Thanks a lot for taking the time to have a look.
- Jasper
------------
Debug VHG:
Aug 12 16:15:42.916 CEST: ppp55 PPP: Phase is ESTABLISHING
Aug 12 16:15:42.916 CEST: ppp55 PPP: Send Message[Dynamic Bind Response]
Aug 12 16:15:42.916 CEST: ppp55 LCP: I FORCED rcvd CONFACK len 30
Aug 12 16:15:42.916 CEST: ppp55 LCP: AuthProto CHAP (0x0305C22305)
Aug 12 16:15:42.916 CEST: ppp55 LCP: MagicNumber 0x0D06A846 (0x05060D06A846)
Aug 12 16:15:42.916 CEST: ppp55 LCP: MRRU 1524 (0x110405F4)
Aug 12 16:15:42.916 CEST: ppp55 LCP: EndpointDisc 1 asd-tc3-ap01 (0x130F016173642D7463332D61703031)
Aug 12 16:15:42.916 CEST: ppp55 LCP: I FORCED sent CONFACK len 38
Aug 12 16:15:42.916 CEST: ppp55 LCP: AuthProto CHAP (0x0305C22305)
Aug 12 16:15:42.916 CEST: ppp55 LCP: MagicNumber 0x9A996122 (0x05069A996122)
Aug 12 16:15:42.916 CEST: ppp55 LCP: MRRU 1500 (0x110405DC)
Aug 12 16:15:42.916 CEST: ppp55 LCP: EndpointDisc 1 test-klant at backup.nl
Aug 12 16:15:42.916 CEST: ppp55 LCP: (0x131701746573742D6B6C616E74406261)
Aug 12 16:15:42.916 CEST: ppp55 LCP: (0x636B75702E6E6C)
Aug 12 16:15:42.916 CEST: ppp55 PPP: Phase is FORWARDING, Attempting Forward
Aug 12 16:15:42.916 CEST: ppp55 PPP SSS: Receive SSS-Mgr Connect-Local
Aug 12 16:15:42.916 CEST: ppp55 PPP: Phase is AUTHENTICATING, Unauthenticated User
Aug 12 16:15:42.916 CEST: RADIUS/ENCODE(0000003C):Orig. component type = VPDN
Aug 12 16:15:42.916 CEST: RADIUS: AAA Unsupported Attr: interface [153] 14
Aug 12 16:15:42.916 CEST: RADIUS: 55 6E 69 71 2D 53 65 73 73 2D 49 44 [Uniq-Sess-ID]
Aug 12 16:15:42.916 CEST: RADIUS(0000003C): Storing nasport 55 in rad_db
Aug 12 16:15:42.916 CEST: RADIUS(0000003C): Config NAS IP: 195.18.85.3
Aug 12 16:15:42.916 CEST: RADIUS/ENCODE(0000003C): acct_session_id: 60
Aug 12 16:15:42.916 CEST: RADIUS(0000003C): sending
Aug 12 16:15:42.916 CEST: RADIUS(0000003C): Send Access-Request to 195.18.104.132:1812 id 1645/71, len 114
Aug 12 16:15:42.916 CEST: RADIUS: authenticator DD 7C 9E 37 25 71 75 C1 - 3A F2 17 44 A0 BA BF E4
Aug 12 16:15:42.916 CEST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Aug 12 16:15:42.916 CEST: RADIUS: User-Name [1] 22 "test-klant at backup.nl"
Aug 12 16:15:42.916 CEST: RADIUS: CHAP-Password [3] 19 *
Aug 12 16:15:42.916 CEST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 12 16:15:42.916 CEST: RADIUS: NAS-Port [5] 6 55
Aug 12 16:15:42.916 CEST: RADIUS: Calling-Station-Id [31] 12 "0365465531"
Aug 12 16:15:42.916 CEST: RADIUS: Called-Station-Id [30] 11 "207300300"
Aug 12 16:15:42.916 CEST: RADIUS: Service-Type [6] 6 Framed [2]
Aug 12 16:15:42.916 CEST: RADIUS: NAS-IP-Address [4] 6 195.18.85.3
Aug 12 16:15:42.920 CEST: RADIUS: Received from id 1645/71 195.18.104.132:1812, Access-Accept, len 150
Aug 12 16:15:42.920 CEST: RADIUS: authenticator 4B 16 16 8C 36 79 DB 45 - 61 5E D1 5D 34 51 1A 0E
Aug 12 16:15:42.920 CEST: RADIUS: Service-Type [6] 6 Framed [2]
Aug 12 16:15:42.920 CEST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Aug 12 16:15:42.920 CEST: RADIUS: Vendor, Cisco [26] 57
Aug 12 16:15:42.920 CEST: RADIUS: Cisco AVpair [1] 51 "lcp:interface-config=ip vrf forwarding test-klant"
Aug 12 16:15:42.920 CEST: RADIUS: Vendor, Cisco [26] 55
Aug 12 16:15:42.920 CEST: RADIUS: Cisco AVpair [1] 49 "lcp:interface-config=ip unnumbered Loopback1132"
Aug 12 16:15:42.920 CEST: RADIUS: Framed-IP-Address [8] 6 192.168.2.1
Aug 12 16:15:42.920 CEST: RADIUS(0000003C): Received from id 1645/71
Aug 12 16:15:42.920 CEST: ppp55 PPP: Phase is FORWARDING, Attempting Forward
Aug 12 16:15:42.920 CEST: ppp55 PPP: Send Message[Connect Local]
Aug 12 16:15:42.920 CEST: Vi2 PPP: Phase is DOWN, Setup
Aug 12 16:15:42.920 CEST: ppp55 PPP: Bind to [Virtual-Access2]
Aug 12 16:15:42.920 CEST: Vi2 PPP: Send Message[Static Bind Response]
Aug 12 16:15:42.924 CEST: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Aug 12 16:15:42.924 CEST: Vi2 PPP: Phase is AUTHENTICATING, Authenticated User
Aug 12 16:15:42.924 CEST: Vi2 CHAP: O SUCCESS id 2 len 4
Aug 12 16:15:43.924 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Aug 12 16:15:52.868 CEST: Vi2 CHAP: I CHALLENGE id 86 len 41 from "test-klant at backup.nl"
Aug 12 16:15:52.868 CEST: RADIUS/ENCODE(0000003C): sendauth, failing over
Aug 12 16:15:52.868 CEST: RADIUS/ENCODE(0000003C): send packet; BEGIN
Aug 12 16:15:52.868 CEST: Vi2 CHAP: Unable to authenticate for peer
Aug 12 16:15:52.868 CEST: Vi2 PPP: Sending Acct Event[Down] id[3C]
Aug 12 16:15:52.868 CEST: Vi2 PPP: Phase is TERMINATING
Aug 12 16:15:52.868 CEST: Vi2 LCP: O TERMREQ [Open] id 1 len 4
Aug 12 16:15:52.888 CEST: Vi2 LCP: I TERMACK [TERMsent] id 1 len 4
Aug 12 16:15:52.888 CEST: Vi2 LCP: State is Closed
Aug 12 16:15:52.888 CEST: Vi2 PPP: Phase is DOWN
Aug 12 16:15:52.888 CEST: Vi2 PPP: Send Message[Disconnect]
Aug 12 16:15:52.892 CEST: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
Aug 12 16:15:53.868 CEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
------------------------
Debug radius:
rad_recv: Access-Request packet from host 195.18.85.193:1645, id=42, length=122
User-Name = "backup.nl"
User-Password = "cisco"
NAS-Port = 20326
NAS-Port-Id = "Serial3/3:26"
NAS-Port-Type = ISDN
Calling-Station-Id = "0365465531"
Called-Station-Id = "207300300"
Connect-Info = "64000 HDLC"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 195.18.85.193
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/auth-detail-20100812'
rlm_detail: /var/log/radius/radacct/auth-detail-%Y%m%d expands to /var/log/radius/radacct/auth-detail-20100812
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
radius_xlat: 'backup.nl'
rlm_sql (sql): sql_set_user escaped user --> 'backup.nl'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'backup.nl' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'backup.nl' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'backup.nl' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'backup.nl' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: type Local
auth: user supplied User-Password matches local User-Password
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat: '/var/log/radius/radacct/reply-detail-20100812'
rlm_detail: /var/log/radius/radacct/reply-detail-%Y%m%d expands to /var/log/radius/radacct/reply-detail-20100812
modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 42 to 195.18.85.193 port 1645
Cisco-AVPair += "vpdn:tunnel-id=AS5350-All"
Cisco-AVPair += "vpdn:ip-addresses=195.18.85.3"
Cisco-AVPair += "vpdn:tunnel-type=l2tp"
Cisco-AVPair += "vpdn:l2tp-tunnel-password=cisco"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 195.18.85.3:1645, id=73, length=114
Framed-Protocol = PPP
User-Name = "test-klant at backup.nl"
CHAP-Password = 0x02011f8ce0ed5275d50c7a786cc7e47c6b
NAS-Port-Type = Virtual
NAS-Port = 57
Calling-Station-Id = "0365465531"
Called-Station-Id = "207300300"
Service-Type = Framed-User
NAS-IP-Address = 195.18.85.3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radius/radacct/auth-detail-20100812'
rlm_detail: /var/log/radius/radacct/auth-detail-%Y%m%d expands to /var/log/radius/radacct/auth-detail-20100812
modcall[authorize]: module "auth_log" returns ok for request 1
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 1
radius_xlat: 'test-klant at backup.nl'
rlm_sql (sql): sql_set_user escaped user --> 'test-klant at backup.nl'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test-klant at backup.nl' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test-klant at backup.nl' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test-klant at backup.nl' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test-klant at backup.nl' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 1
rlm_chap: login attempt by "test-klant at backup.nl" with CHAP password
rlm_chap: Using clear text password test for user test-klant at backup.nlauthentication.
rlm_chap: chap user test-klant at backup.nl authenticated succesfully
modcall[authenticate]: module "chap" returns ok for request 1
modcall: leaving group CHAP (returns ok) for request 1
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
radius_xlat: '/var/log/radius/radacct/reply-detail-20100812'
rlm_detail: /var/log/radius/radacct/reply-detail-%Y%m%d expands to /var/log/radius/radacct/reply-detail-20100812
modcall[post-auth]: module "reply_log" returns ok for request 1
modcall: leaving group post-auth (returns ok) for request 1
Sending Access-Accept of id 73 to 195.18.85.3 port 1645
Service-Type := Framed-User
Framed-Protocol := PPP
Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding test-klant"
Cisco-AVPair += "lcp:interface-config#2=ip vrf forwarding test-klant"
Finished request 1
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 42 with timestamp 4c64044c
Cleaning up request 1 ID 73 with timestamp 4c64044c
Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 195.18.85.193:1646, id=43, length=263
Acct-Session-Id = "00000114"
Framed-Protocol = PPP
Tunnel-Medium-Type:0 = IP
Tunnel-Client-Endpoint:0 = "195.18.85.193"
Tunnel-Server-Endpoint:0 = "195.18.85.3"
Tunnel-Type:0 = L2TP
Acct-Tunnel-Connection = "1057600042"
Tunnel-Client-Auth-Id:0 = "AS5350-All"
Tunnel-Server-Auth-Id:0 = "asd-cap-dr03"
User-Name = "test-klant at backup.nl"
Acct-Authentic = RADIUS
Acct-Session-Time = 10
Acct-Input-Octets = 53
Acct-Output-Octets = 16
Acct-Input-Packets = 2
Acct-Output-Packets = 2
Acct-Terminate-Cause = Host-Request
Acct-Status-Type = Stop
NAS-Port = 20326
NAS-Port-Id = "Serial3/3:26"
NAS-Port-Type = ISDN
Calling-Station-Id = "0365465531"
Called-Station-Id = "207300300"
Connect-Info = "64000 HDLC"
Service-Type = Framed-User
NAS-IP-Address = 195.18.85.193
Acct-Delay-Time = 0
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 2
modcall[preacct]: module "preprocess" returns noop for request 2
rlm_acct_unique: Hashing 'NAS-Port = 20326,Client-IP-Address = 195.18.85.193,NAS-IP-Address = 195.18.85.193,Acct-Session-Id = "00000114",User-Name = "test-klant at backup.nl"'
rlm_acct_unique: Acct-Unique-Session-ID = "76ea71aaa12d8845".
modcall[preacct]: module "acct_unique" returns ok for request 2
modcall: leaving group preacct (returns ok) for request 2
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
radius_xlat: '/var/log/radius/radacct/detail-20100812'
rlm_detail: /var/log/radius/radacct/detail-%Y%m%d expands to /var/log/radius/radacct/detail-20100812
modcall[accounting]: module "detail" returns ok for request 2
modcall[accounting]: module "unix" returns ok for request 2
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'test-klant at backup.nl'
rlm_radutmp: Logout for NAS asd-tc3-ap01 port 20326, but no Login record
modcall[accounting]: module "radutmp" returns ok for request 2
radius_xlat: 'test-klant at backup.nl'
rlm_sql (sql): sql_set_user escaped user --> 'test-klant at backup.nl'
radius_xlat: 'UPDATE radacct SET AcctStopTime = '2010-08-12 16:25:26', AcctSessionTime = '10', AcctInputOctets = '53', AcctOutputOctets = '16', AcctTerminateCause = 'Host-Request', AcctStopDelay = '0', ConnectInfo_stop = '64000 HDLC' WHERE AcctSessionId = '00000114' AND UserName = 'test-klant at backup.nl' AND NASIPAddress = '195.18.85.193''
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('00000114', '76ea71aaa12d8845', 'test-klant at backup.nl', '', '195.18.85.193', '20326', 'ISDN', DATE_SUB('2010-08-12 16:25:26', INTERVAL (10 + 0) SECOND), '2010-08-12 16:25:26', '10', 'RADIUS', '', '64000 HDLC', '53', '16', '207300300', '0365465531', 'Host-Request', 'Framed-User', 'PPP', '', '0', '0')'
rlm_sql (sql): Released sql socket id: 2
modcall[accounting]: module "sql" returns ok for request 2
modcall: leaving group accounting (returns ok) for request 2
Sending Accounting-Response of id 43 to 195.18.85.193 port 1646
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 43 with timestamp 4c640456
Nothing to do. Sleeping until we see a request.
-------------------
Database entries MySQL:
mysql> select * from radcheck where UserName = 'backup.nl';
+------+-----------+-----------+----+-------+
| id   | UserName  | Attribute | op | Value |
+------+-----------+-----------+----+-------+
| 1445 | backup.nl | Password  | == | cisco |
+------+-----------+-----------+----+-------+
1 row in set (0.00 sec)
mysql> select * from radreply where UserName = 'backup.nl';
+------+-----------+--------------+----+---------------------------------+
| id   | UserName  | Attribute    | op | Value                           |
+------+-----------+--------------+----+---------------------------------+
| 2246 | backup.nl | Cisco-AVPair | += | vpdn:tunnel-id=AS5350-All       |
| 2247 | backup.nl | Cisco-AVPair | += | vpdn:ip-addresses=195.18.85.3   |
| 2248 | backup.nl | Cisco-AVPair | += | vpdn:tunnel-type=l2tp           |
| 2249 | backup.nl | Cisco-AVPair | += | vpdn:l2tp-tunnel-password=cisco |
+------+-----------+--------------+----+---------------------------------+
4 rows in set (0.00 sec)
mysql> select * from radcheck where UserName = 'test-klant at backup.nl';
+------+-------------------------+-----------+----+-------+
| id   | UserName                | Attribute | op | Value |
+------+-------------------------+-----------+----+-------+
| 1444 | test-klant at backup.nl | Password  | == | test  |
+------+-------------------------+-----------+----+-------+
1 row in set (0.00 sec)
mysql> select * from radreply where UserName = 'test-klant at backup.nl';
+------+-------------------------+-----------------+----+-----------------------------------------------------+
| id   | UserName                | Attribute       | op | Value                                               |
+------+-------------------------+-----------------+----+-----------------------------------------------------+
| 2231 | test-klant at backup.nl | Service-Type    | := | Framed-User                                         |
| 2250 | test-klant at backup.nl | Framed-Protocol | := | PPP                                                 |
| 2263 | test-klant at backup.nl | Cisco-AVPair    | += | lcp:interface-config#1=ip vrf forwarding test-klant |
| 2264 | test-klant at backup.nl | Cisco-AVPair    | += | lcp:interface-config#2=ip vrf forwarding test-klant |
+------+-------------------------+-----------------+----+-----------------------------------------------------+
4 rows in set (0.00 sec)
-------------------
Configuration asd-tc3-ap01 (AS5350):
version 12.4
no parser cache
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname asd-tc3-ap01
!
boot-start-marker
no boot startup-test
boot-end-marker
!
enable secret <removed>
!
!
!
resource-pool disable
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication ppp default group radius
aaa authorization exec default local group tacacs+
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default stop-only group radius
aaa accounting connection default start-stop group radius
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
tdm clock priority 1 3/0
calltracker enable
calltracker history max-size 30
calltracker call-record verbose
spe call-record modem
!
spe default-firmware spe-firmware-1
ds0 busyout-threshold 12
no ip source-route
ip cef
no ip domain lookup
!
!
multilink bundle-name authenticated
vpdn enable
vpdn multihop
vpdn source-ip 195.18.85.193
vpdn search-order domain
!
isdn switch-type primary-net5
isdn voice-call-failure 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username beheer secret <removed>
username asd-cap-dr03 password 7 110A1016141D
archive
log config
hidekeys
!
!
!
!
controller E1 3/0
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 3/1
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 3/2
shutdown
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 3/3
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 3/4
shutdown
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 3/5
shutdown
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 3/6
shutdown
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 3/7
shutdown
framing NO-CRC4
pri-group timeslots 1-31
!
!
!
!
interface Loopback0
description *** Management loopback ***
ip address 10.8.7.1 255.255.255.255
no ip mroute-cache
!
interface Loopback1
description *** VPDN-Tunnel termination & Radius Source IP ***
ip address 195.18.85.193 255.255.255.255
!
interface FastEthernet0/0
description *** Trunk to: asd-cap-as04 - Gi1/0/28 ***
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.54
description *** Radius LAN ***
encapsulation dot1Q 54
ip address 195.18.104.134 255.255.255.248
!
interface FastEthernet0/0.1503
description *** VPDN VLAN ***
encapsulation dot1Q 1503
ip address 172.31.255.2 255.255.255.248
!
interface FastEthernet0/0.1504
description *** Management VLAN ***
encapsulation dot1Q 1504
ip address 10.17.0.4 255.255.255.248
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial3/0
no ip address
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial3/0:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/1:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/2:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/3:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/4:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/5:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/6:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
no cdp enable
!
interface Serial3/7:15
no ip address
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
no keepalive
no fair-queue
no cdp enable
!
interface Dialer1
no ip address
encapsulation ppp
no ip mroute-cache
dialer in-band
dialer idle-timeout 43200
dialer-group 1
no peer default ip address
no fair-queue
no cdp enable
ppp authentication chap callin
ppp multilink bap
ppp multilink fragment delay 500
ppp timeout retry 1
!
interface Group-Async0
no ip address
encapsulation ppp
ip tcp header-compression
no ip mroute-cache
async mode dedicated
peer default ip address pool DIALUP
ppp authentication pap chap callin
ppp timeout retry 1
group-range 1/00 2/107
!
ip forward-protocol nd
!
ip tacacs source-interface Loopback0
no ip http server
no ip http secure-server
!
!
ip radius source-interface Loopback1
dialer-list 1 protocol ip permit
!
!
tacacs-server host <removed>
tacacs-server timeout 2
tacacs-server directed-request
tacacs-server key <removed>
!
radius-server host 195.18.104.132 auth-port 1812 acct-port 1813
radius-server host 195.18.104.138 auth-port 1812 acct-port 1813
radius-server deadtime 20
radius-server key <removed>
!
!
voice-port 3/0:D
!
voice-port 3/1:D
!
voice-port 3/2:D
!
voice-port 3/3:D
!
voice-port 3/4:D
!
voice-port 3/5:D
!
voice-port 3/6:D
!
voice-port 3/7:D
!
!
!
!
!
ss7 mtp2-variant Bellcore 0
ss7 mtp2-variant Bellcore 1
ss7 mtp2-variant Bellcore 2
ss7 mtp2-variant Bellcore 3
!
line con 0
exec-timeout 60 0
login authentication CONSOLE
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 60
access-class 1 in
exec-timeout 60 0
transport preferred ssh
transport input ssh
transport output telnet ssh
line 1/00 2/107
no motd-banner
no exec-banner
no flush-at-activation
modem InOut
autocommand ppp negotiate
transport input all
autoselect during-login
autoselect ppp
autohangup
!
scheduler allocate 10000 400
end
-------------------
Configuration asd-cap-dr03 (7200 VHG):
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname asd-cap-dr03
!
boot-start-marker
boot system disk0:/c7200-jk9s-mz.123-20.bin
boot-end-marker
!
logging buffered 65535 debugging
enable secret <removed>
!
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
aaa authentication ppp PPP-ISDN local group radius
aaa authorization exec default local group tacacs+
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa authorization network PPP-ISDN group radius
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip flow-cache timeout active 1
!
!
ip tcp path-mtu-discovery
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
no ip ftp passive
no ip domain lookup
!
no ip bootp server
!
ip vrf test-klant
rd 8608:140
import map radius-import
route-target export 8608:140
route-target import 8608:140
route-target import 8608:90
!
ip cef
virtual-profile virtual-template 2
vpdn enable
vpdn multihop
vpdn source-ip 195.18.85.3
vpdn search-order domain
vpdn domain-delimiter / suffix
!
vpdn-group 1
description *** VPDN-Tunnel from asd-tc3-ap01 & ap02 ***
accept-dialin
protocol l2tp
virtual-template 2
terminate-from hostname AS5350-All
l2tp tunnel password 7 030752180500
!
clns routing
no tag-switching ip propagate-ttl forwarded
tag-switching tdp router-id Loopback0
!
!
!
!
!
!
!
!
!
!
!
!
username beheer secret <removed>
username asd-tc3-ap01 password 7 121A0C041104
username AS5350-All password 7 00071A150754
!
!
!
!
!
!
interface Loopback0
description *** management & routing loopback ***
ip address 10.8.1.6 255.255.255.255
!
interface Loopback1
description *** VPDN-Tunnel termination & Radius Source IP ***
ip address 195.18.85.3 255.255.255.255
!
interface Loopback1132
description *** Customer Loopback ***
ip vrf forwarding test-klant
ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
description *** To asd-cap-as01-gi1-0-5 [10.10.3.1] (jja:10/08/2010) ***
ip address 10.10.3.3 255.255.255.0
ip router isis
load-interval 30
duplex full
mpls label protocol ldp
tag-switching mtu 1536
tag-switching ip
isis circuit-type level-1
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
!
interface FastEthernet2/0
no ip address
shutdown
duplex half
!
interface FastEthernet3/0
description *** To asd-cap-as02-gi1-0-5 [10.10.4.4] (mbu:05/07/2010) ***
ip address 10.10.4.1 255.255.255.0
ip router isis
load-interval 30
duplex full
mpls label protocol ldp
tag-switching mtu 1536
tag-switching ip
isis circuit-type level-1
!
interface FastEthernet4/0
description *** To asd-cap-as04-gi1-0-6 (mbu:09/07/2010) ***
no ip address
duplex full
!
interface FastEthernet4/0.54
description *** To Radius-LAN ***
encapsulation dot1Q 54
ip address 195.18.104.133 255.255.255.248
!
interface FastEthernet4/0.1503
description *** VPDN Tunnel Terminatie ***
encapsulation dot1Q 1503
ip address 172.31.255.1 255.255.255.248
!
interface Virtual-Template2
description *** Test with Radius-Auth. ***
ip unnumbered Loopback1
ip tcp header-compression iphc-format
mpls label protocol ldp
tag-switching ip
no peer default ip address
ppp authentication chap
ppp multilink
ppp multilink fragment delay 17
ppp multilink interleave
ppp multilink multiclass
ip rtp header-compression iphc-format
!
router isis
net 49.21a0.0001.0100.0800.1006.00
is-type level-1
metric-style wide
max-lsp-lifetime 65535
no hello padding
log-adjacency-changes all
redistribute connected route-map REDIST_CONNECTED_TO_ISIS level-1
redistribute static ip route-map REDIST_STATIC_TO_ISIS level-1
passive-interface Loopback0
!
router bgp 8608
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor VPNv4-RR peer-group
neighbor VPNv4-RR remote-as 8608
neighbor VPNv4-RR update-source Loopback0
neighbor 10.8.0.15 peer-group VPNv4-RR
neighbor 10.8.1.11 peer-group VPNv4-RR
neighbor 10.8.2.11 peer-group VPNv4-RR
!
address-family ipv4
redistribute connected
redistribute static
no auto-summary
no synchronization
bgp dampening 1
exit-address-family
!
address-family vpnv4
neighbor VPNv4-RR send-community extended
neighbor 10.8.0.15 activate
neighbor 10.8.1.11 activate
neighbor 10.8.2.11 activate
bgp dampening 1
exit-address-family
!
address-family ipv4 vrf test-klant
redistribute connected
redistribute static
no auto-summary
no synchronization
bgp dampening 1
exit-address-family
!
ip classless
ip route 195.18.85.193 255.255.255.255 172.31.255.2
no ip http server
no ip http secure-server
ip tacacs source-interface Loopback0
!
ip extcommunity-list 1 permit rt 8608:1
ip extcommunity-list 2 permit rt 8608:90
ip bgp-community new-format
!
!
ip prefix-list DENY_DEFAULT_ONLY seq 10 deny 0.0.0.0/0
ip prefix-list DENY_DEFAULT_ONLY seq 20 permit 0.0.0.0/0 le 32
!
ip prefix-list PERMIT_DEFAULT_ONLY seq 10 permit 0.0.0.0/0
ip prefix-list PERMIT_DEFAULT_ONLY seq 65000 deny 0.0.0.0/0 le 32
!
ip prefix-list REDIST_CONNECTED_TO_ISIS seq 10 permit 10.8.1.6/32
ip prefix-list REDIST_CONNECTED_TO_ISIS seq 65000 deny 0.0.0.0/0 le 32
!
ip prefix-list REDIST_STATIC_TO_ISIS seq 65000 deny 0.0.0.0/0 le 32
!
ip access-list standard mplsvpn-beheer-routes
<removed>
ip access-list standard radius-routes
permit 195.18.104.128 0.0.0.7
ip radius source-interface Loopback1
!
route-map REDIST_CONNECTED_TO_ISIS permit 10
match ip address prefix-list REDIST_CONNECTED_TO_ISIS
!
route-map radius-import permit 10
match ip address radius-routes
match extcommunity 2
!
route-map REDIST_STATIC_TO_ISIS permit 10
match ip address prefix-list REDIST_STATIC_TO_ISIS
!
route-map PERMIT_DEFAULT_ONLY permit 10
match ip address prefix-list PERMIT_DEFAULT_ONLY
!
route-map DENY_DEFAULT_ONLY deny 10
match ip address prefix-list DENY_DEFAULT_ONLY
!
route-map mplsvpn-beheer-import permit 10
match ip address mplsvpn-beheer-routes
match extcommunity 1
!
route-map mplsvpn-beheer-import deny 20
match extcommunity 1
!
route-map mplsvpn-beheer-import permit 30
!
tacacs-server host <removed>
tacacs-server timeout 2
tacacs-server directed-request
tacacs-server key <removed>
!
radius-server host 195.18.104.132 auth-port 1812 acct-port 1813
radius-server deadtime 20
radius-server key 7 021201481F0D0A38
!
!
!
!
gatekeeper
shutdown
!
line con 0
exec-timeout 60 0
login authentication CONSOLE
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 60
access-class 1 in
exec-timeout 60 0
transport input ssh
transport output telnet ssh
!
-------------------
Configuration alr-xbn-oob01 (180x dial-in router):
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
!
hostname alr-xbn-oob01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16384
enable secret <removed>
!
aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authentication login CONSOLE local
aaa authentication login ADMIN group tacacs+ local
aaa authentication ppp default local
aaa authorization exec default local group tacacs+
aaa accounting commands 1 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting network default
action-type start-stop
group tacacs+
!
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
isdn switch-type basic-net3
isdn tei-negotiation first-call
!
!
username beheer <removed>
username asd-cap-dr03 password 7 09584B1A0D
!
!
!
archive
log config
hidekeys
!
!
ip tftp source-interface Loopback0
!
!
!
interface Loopback0
description *** Management Loopback ***
ip address 1.1.1.1 255.255.255.255
!
interface Loopback100
ip address 192.168.2.1 255.255.255.255
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/35
oam-pvc manage 5
encapsulation aal5snap
protocol ppp Virtual-Template1
!
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
isdn point-to-point-setup
isdn send-alerting
isdn reject voice
isdn reject vod
isdn reject v120
isdn reject v110
isdn reject piafs
no cdp enable
ppp authentication chap
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback0
ppp multilink
!
interface Vlan1
no ip address
!
interface Dialer10
ip unnumbered Loopback100
encapsulation ppp
dialer pool 1
dialer string 0207300300
dialer-group 10
no cdp enable
ppp chap hostname test-klant at backup.nl
ppp chap password 7 03105E1812
ppp multilink
ppp multilink load-threshold 200 outbound
!
ip forward-protocol nd
ip route 192.168.1.1 255.255.255.255 Dialer10
no ip http server
no ip http secure-server
!
!
ip tacacs source-interface Loopback0
!
dialer-list 10 protocol ip permit
no cdp run
!
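An added example, not part of Jasper's mail, of FreeRADIUS or of Cisco IOS: a small Python checker that parses a FreeRADIUS 1.x `radiusd -X` transcript like the one above into request and reply attribute lists and audits the Access-Accept sent back to the VHG (the request that arrives with NAS-Port-Type = Virtual). The transcript embedded in it is constructed in the shape of the mail's second request, not copied verbatim, and uses a real `@` in the user name. The checks it applies are the example's own assumptions about what a usable reply looks like: an `ip vrf forwarding` interface-config line should be paired with a later `ip unnumbered` line for the VRF loopback (the pair the VHG debug shows), and no interface-config command should appear twice. The function and variable names are the example's own.

```python
import re

# Constructed sample (shaped like the mail's second request, not copied verbatim):
# a FreeRADIUS 1.x "radiusd -X" fragment with the VHG's Access-Request and the
# Access-Accept returned for it.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 195.18.85.3:1645, id=73, length=114
\tFramed-Protocol = PPP
\tUser-Name = "test-klant@backup.nl"
\tCHAP-Password = 0x02011f8ce0ed5275d50c7a786cc7e47c6b
\tNAS-Port-Type = Virtual
\tNAS-Port = 57
\tService-Type = Framed-User
\tNAS-IP-Address = 195.18.85.3
Processing the authorize section of radiusd.conf
rlm_chap: Setting 'Auth-Type := CHAP'
Sending Access-Accept of id 73 to 195.18.85.3 port 1645
\tService-Type := Framed-User
\tFramed-Protocol := PPP
\tCisco-AVPair += "lcp:interface-config#1=ip vrf forwarding test-klant"
\tCisco-AVPair += "lcp:interface-config#2=ip vrf forwarding test-klant"
Finished request 1
"""

RECV_RE = re.compile(r"^rad_recv: (?P<code>[\w-]+) packet from host (?P<host>[\d.]+):\d+, id=(?P<id>\d+)")
SEND_RE = re.compile(r"^Sending (?P<code>[\w-]+) of id (?P<id>\d+) to (?P<host>[\d.]+) port \d+")
# Attribute lines: optional tag (":0"), then one of the FreeRADIUS operators.
ATTR_RE = re.compile(r"^\s*(?P<name>[\w-]+)(?::\d+)?\s+(?P<op>==|:=|\+=|=)\s+(?P<value>.*)$")
IFCFG_RE = re.compile(r"^lcp:interface-config(?:#(?P<idx>\d+))?=(?P<cmd>.+)$")


def parse_debug(text):
    """Split a radiusd -X transcript into packets: dicts with kind ('recv' or
    'send'), code, id, host and attrs as a list of (name, op, value)."""
    packets, current = [], None
    for line in text.splitlines():
        m = RECV_RE.match(line) or SEND_RE.match(line)
        if m:
            current = {"kind": "recv" if line.startswith("rad_recv") else "send",
                       "code": m.group("code"), "id": int(m.group("id")),
                       "host": m.group("host"), "attrs": []}
            packets.append(current)
            continue
        a = ATTR_RE.match(line) if current is not None else None
        if a:
            current["attrs"].append((a.group("name"), a.group("op"), a.group("value").strip('"')))
        else:
            current = None  # attribute lines are contiguous; anything else ends the packet
    return packets


def interface_config(packet):
    """lcp:interface-config commands of a reply as (index, command), ordered
    the way IOS applies them: by #index, ties in order of appearance."""
    cmds = []
    for name, _op, value in packet["attrs"]:
        m = IFCFG_RE.match(value) if name == "Cisco-AVPair" else None
        if m:
            cmds.append((int(m.group("idx") or 0), m.group("cmd").strip()))
    return sorted(cmds, key=lambda c: c[0])


def audit_vrf_reply(packet):
    """Findings for an Access-Accept meant to put the virtual-access interface
    into a VRF; an empty list means nothing looked wrong."""
    findings = []
    cmds = interface_config(packet)
    vrf = [i for i, c in cmds if c.startswith("ip vrf forwarding ")]
    unnum = [i for i, c in cmds if c.startswith("ip unnumbered ")]
    if not vrf:
        findings.append("no 'ip vrf forwarding' interface-config command")
    if not unnum:
        # Assumption of this example: the VRF loopback must be re-applied after
        # the VRF itself, as the VHG debug's second AVpair does.
        findings.append("no 'ip unnumbered' command: the interface is left without an "
                        "IP source in the VRF")
    elif vrf and min(unnum) < min(vrf):
        findings.append("'ip unnumbered' is indexed before 'ip vrf forwarding'; "
                        "apply the VRF first, then the source address")
    seen = set()
    for _i, c in cmds:
        if c in seen:
            findings.append(f"duplicate interface-config command: {c!r}")
        seen.add(c)
    return findings


def audit_transcript(text):
    """Audit every Access-Accept that answers a request arriving on a Virtual
    port (the VHG/LNS side); the NAS's tunnel-lookup exchange is ignored.
    Returns {(client_ip, packet_id): findings}."""
    packets = parse_debug(text)
    virtual = {(p["host"], p["id"]) for p in packets
               if p["kind"] == "recv" and ("NAS-Port-Type", "=", "Virtual") in p["attrs"]}
    return {(p["host"], p["id"]): audit_vrf_reply(p) for p in packets
            if p["kind"] == "send" and p["code"] == "Access-Accept"
            and (p["host"], p["id"]) in virtual}


if __name__ == "__main__":
    for key, findings in audit_transcript(SAMPLE_DEBUG).items():
        print(key, findings or "ok")
```

Run against a real `radiusd -X` capture by passing the file contents to `audit_transcript`; the request is matched to its reply by client address and packet id, which is how FreeRADIUS itself pairs them, so a transcript with several NAS clients is handled.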