Freeradius with LNS & Provider BRAS

Neil Morris nmorris at tibus.com
Fri Sep 11 17:34:13 CEST 2015


Thanks Alan.


Here's the thing..  My SP tells me I am sending the correct details, it's
just that the info for the specific user that they tell me is what's causing
the issue..

I have taken some of my config from the following link:
https://supportforums.cisco.com/discussion/11294066/session-vrf-mpls-vpn-using-radius-attribute

Using the users file, how do I separate the radcheck / radreply sections, as
this appears to be part, if not all, of my issue?

Kind Regards,

Neil 


From:  Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
Date:  Friday, 11 September 2015 15:27
To:  FreeRadius users mailing list <freeradius-users at lists.freeradius.org>,
Neil Morris <nmorris at tibus.com>
Subject:  Re: Freeradius-Users Digest, Vol 125, Issue 34

You aren't sending them what they request. Read your email and see the
differences eg service-type

Alan


From: Neil Morris <nmorris at tibus.com>
Date: Friday, 11 September 2015 15:02
To: <freeradius-users at lists.freeradius.org>
Subject:  Re: Freeradius with LNS & Provider BRAS

 Alan,

Firstly, thanks for your responses to date! I do appreciate it..

Apologies for the lack of detail...  here is more info

FreeRADIUS Version 2.1.12

I have deployed using just the local users file with x3 test accounts
including the information that the provider has requested I respond with to
complete the auth between our LNS and their BRAS.

I had x1 connection up and stable for 3 weeks.  I shipped out x2 more routers
and I start to see some strange behaviour.  FR authenticates the session
fine but on the router console the interface is reset straight away and so
the loop of authentication continues.  Running FR in debug/verbose I can see
the sessions being authenticated as I would expect with all of the relevant
user attributes being passed.

The below is what the SP has requested I return to their BRAS;

mydom.net.uk Cleartext-Password := "password"
Service-Type = Outbound-User,
Tunnel-Type = L2TP,
Tunnel-Medium-Type = IP,
Tunnel-Password = password,
Tunnel-Server-Endpoint = 89.x.y.134,
Tunnel-Client-Auth-ID = "MY-LNS"


The following is an example of a user account and the Cisco AVP that I am
sending;

test at mydom.net.uk Cleartext-Password := "test"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-MTU = 1440,
Framed-IP-Address = 10.31.253.253,
Framed-IP-Netmask = 255.255.255.255,
Framed-Route = "0.0.0.0 0.0.0.0 89.x.y.134",
Cisco-AVPair = "ip:vrf-id=VRF_417858",
Cisco-Avpair += "ip:route#1=vrf VRF_417858 10.31.249.0 255.255.255.0 10.31.253.253 tag 417858",
Cisco-AVPair += "ip:ip-unnumbered=Loopback417858"

The SP is advising me that from their debugs I am sending them everything
after the username & password as listed above..

They mention that I should have 2 instances for RADIUS or that I change the
radius system I use..

Regards
Neil


Message: 5
Date: Fri, 11 Sep 2015 08:19:56 -0400
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Freeradius with LNS & Provider BRAS
Message-ID: <D70545FB-75A6-41F2-8E25-4E3FE3E06CC0 at deployingradius.com>
Content-Type: text/plain; charset=iso-8859-1

On Sep 11, 2015, at 7:09 AM, Neil Morris <nmorris at tibus.com> wrote:
> I am looking for some guidance.  I am using the users file which contains x3
> user accounts as well as the domain suffix & the necessary authentication
> details for the providers RADIUS server. Under the user accounts I have a
> number of cisco avp with VRF & static address etc for the LNS

  That's a bit vague, but OK.

> However - the provider is telling me that I am passing all the LNS related
> info to their RADIUS which is causing the tunnel build to fail.

  That's even more vague.

>   Is there
> something major that I am missing here in relation to my config?

  A good description of the problem?

  Alan DeKok.



