AAA methods list on CATOS?
Hi all,
I currently have in place wired Dot1x on an IOS switch. I have the following method list configured.
AAA new-model
AAA group server radius radserv
Server XX.XX.XX.XX
AAA authentication dot1x default group radserv none
As I understand it, this config with the none will allow the wired users to stay connected if in the event the RADIUS servers become unavailable.
My question is how can do I do this on a CATOS switch? Can I achieve the same fallback method.
Thanks for any help.
Hi David,
In CatOS, I think it's a bit different from IOS. It does not have the feature you're looking at, but it can be done in other way.
You probably need to play around with the supplicant (client or host) reauthentication.
http://www.cisco.com/en/US/partner/products/hw/switches/ps679/products_configuration_guide_chapter09186a008007f7c8.html#26172
Rgds,
AK
Similar Messages
-
AAA authentication not working and 'default' method list
Guys,
I hope someone can help me here in troubleshooting AAA issue. I have copied configuration and debug below. The router keeps using local username/password even though ACS servers are reachable and working. From debugs it seems it keeps using 'default' method list ignoring TACACS config. Any help will be appreciated
Config
aaa new-model
username admin privilege 15 secret 5 xxxxxxxxxx.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization reverse-access default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 0006140E54xxxxxxxxxx
ip tacacs source-interface Vlan200
Debugs
002344: Dec 5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
002345: Dec 5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002346: Dec 5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
core01#
002347: Dec 5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
002348: Dec 5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
002349: Dec 5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
002360: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
002361: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
002362: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
Enter configuration commands, one per line. End with CNTL/Z.
core01(config)#
002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
core01(config)#Are the tacacs+ servers reachable using the source vlan 200. Also in the tacacs+ server can you check if the IP address for this device is correctly configured and also please check the pwd on both the server and this device match.
As rick suggested sh tacacs would be good as well. That would show failures and successes
HTH
Kishore -
Role-Based CLI Views with AAA method
Hi,
I'm configuring Role-Based CLI Views on a router for limiting access to users.
My criteria:
- There should be a local user account on the router that has the view 'service' attached to it
- If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
My configuration:
aaa new-model
enable secret 1234
username service view service secret 1234
aaa group server radius my_radius
server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
aaa authorization console
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh
The ERROR
Now I want to go configure the cli view 'service'...
# enable view
Password: 1234
*Jun 1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
*Jun 1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
*Jun 1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
The Questions
Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
Can you change this behaviour to always use the enable secret?
The TEMP Solution
If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
aaa authentication login VIEW_CONFG local
line vty 0 4
login authentication VIEW_CONFG
Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
Thanks so much for the suggestions
/JZNhi,
You have the following configured:
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh
Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login authentication mgmt".
You cannot make it locally. Whatever defined on the method list mgmt first will be taking the precedence.
enable seceret will be locally defined. but you have the following configured:
aaa authorization exec mgmt group my_radius local
line con 0
authorization exec mgmt
line vty 0 4
authorization exec mgmt
Hence exec mode will also be done via radius server.
when you configure:
aaa authentication login VIEW_CONFG local
line vty 0 4
login authentication VIEW_CONFG
You are making the authentication local, hence it is working the way you want.
In short, whatever authentication is defined 1st on the method list will take precendence. the fallback will be checked only if the 1st aaa server is not reachable.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Duplicate method list on Concurrent Request
Hi all,
We have this simple webservice that gets the sum and difference of 2 numbers. It works fine for single, "one after the other" request.
Environment:
Windows XP
Java 1.4
Tiried Axis 1.1 and Axis 1.4
Tomcat 5.5.9
I created a test client that spawns x number of threads and request the page where all the services are listed(http://localhost:8080/WebServiceDemo/Services).
For a single thread we get this...
getSum
getDifference
but for multiple threads...the results vary but most of the time we get something like
getSum
getSum
getDifference
getDifference
We're not sure what's happening. We're thinking that axis might be having difficulties handling concurrent request. Has anyone encountered this? Hopefully the solution is not so painful.
ThanksBump,
Tried running this against Axis default methods and we're still getting the same error. -
This problem started last evening when I tried to close Firefox. Normally the program asks if I want it to remember the current tabs. If there are multiple copies open (or some flyer window pops up that I did not see), then I get the "you are about to close xx tabs". This usually means I have to close the odd flyer window then I can close normally.
This did not happen last evening - just got the "you are about to close xx tabs" right off. See below for steps I took.If you haven't tried this, give it a try. It worked for me, hopefully it will work for you. In your version 3 firefox, disable all extensions, I had two plugins (doubletwist and joost, disable those if you have them). Then install firefox 5 by overwriting your version 3 firefox. It should work fine after that. I tried everything before, I gave that a last ditch shot. Oh yeah, before you install firefox 5, clear your cache of everything just to be sure.
Hopefully that helps. -
AAA Authorization named authorization list
Ladies and Gents,
Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work butI having difficulty getting my head around the below
Cisco.com extract below
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
My question is how do you define the Named Method List i.e. the none-default method list?
I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
Thanks in advance
DavidHi David,
An example of a named AAA list might look something like this:
aaa authorization exec TacExec group AAASrv local
In the example above, I've created a AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then atempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no reposonse, the device will only check the local user database if an only if it recieves nothing back from the TACACS query.
Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
Below is a cut and paste from the AAA section on one of my devices:
aaa new-model
ip tacacs source-interface
tacacs-server host 10.x.x.x key 7
tacacs-server host 10.x.x.y key 7
aaa group server tacacs+ TacSrvGrp
server 10.x.x.x
server 10.x.x.y
aaa authentication login default local
aaa authentication login TacLogin group TacSrvGrp local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec TacAuth group TacSrvGrp local
aaa authorization commands 0 default local
aaa authorization commands 0 TacCommands0 group TacSrvGrp local
aaa authorization commands 1 default local
aaa authorization commands 1 TacCommands1 group TacSrvGrp local
aaa authorization commands 15 default local
aaa authorization commands 15 TacCommands15 group TacSrvGrp local
aaa accounting exec default start-stop group TacSrvGrp
aaa accounting commands 15 default start-stop group TacSrvGrp
aaa session-id common
Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
line con 0
exec-timeout 5 0
line aux 0
exec-timeout 5 0
line vty 0 4
exec-timeout 15 0
authorization commands 0 TacCommands0
authorization commands 1 TacCommands1
authorization commands 15 TacCommands15
authorization exec TacAuth
login authentication TacLogin
transport input ssh
For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
Hope this helps! -
Multiple SSH listening ports on Catalyst switches
Hi community,
On Cisco Routers you have the option to configure multiple SSH ports (instead of the default tcp 22) in combination with rotary groups. Then, attach these rotary groups to specific VTY lines.This works just fine.
But, it seems on Cisco switches, you can not define different SSH ports. The command Router(config)#ip ssh port portnum rotary group is not available. You can use the rotary statement on the VTY lines, but this works only for Telnet connections.
Does anyone know, if it's possible to use the rotary groups on switches with SSH? The goal which I am trying to achieve is, I want to use multiple AAA method lists, and define these under specific VTY lines. That way, I am able to designate specific users, connecting from specific IP addresses, on a dedicated VTY line, with a custom AAA method list.
Any help is much appreciated!
Kind regards,
Dion DohmenHi,
I am currently using 12.2(58)SE2 on the 3560.
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)
I downgraded my IOS to check if it's still supported for the 3560 on 12.2(55)SE1 and it's not.
XXX uptime is 1 minute
System returned to ROM by power-on
System restarted at 14:38:50 GMT Tue Jul 29 2014
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE1.bin"
XXX(config)#ip ssh ?
authentication-retries Specify number of authentication retries
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
precedence IP Precedence value for SSH traffic
source-interface Specify interface for source address in SSH
connections
time-out Specify SSH time-out interval
version Specify protocol version supported
XXX(config)#ip ssh
I then upgraded to 12.2(55)SE9 and it's still not supported.
XXX uptime is 1 minute
System returned to ROM by power-on
System restarted at 14:47:49 GMT Tue Jul 29 2014
System image file is "flash:/c3560-ipservicesk9-mz.122-55.SE9.bin"
XXX(config)#ip ssh ?
authentication-retries Specify number of authentication retries
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
precedence IP Precedence value for SSH traffic
source-interface Specify interface for source address in SSH
connections
time-out Specify SSH time-out interval
version Specify protocol version supported
XXX(config)#ip ssh
I would recommend that you upgrade but I don't see any point unfortunately.
Thanks,
Nehmaan -
Hello. Just starting with ISG.
My final goal is to force ISG device to periodically check if user still has access to the service without interrupting pppoe session. if user access should be prohibited by some reason, he should be redirected to billing web-page.
First step is to make periodic check part.
Here is user profile:
user1 Cleartext-Password := "user1"
Cisco-Account-Info += "AANY",
Cisco-Control-Info += "QV1000000",
Cisco-Account-Info += "QU;10240000;D;10240000",
ANY Cleartext-Password := "cisco", Service-Type == Outbound-User
Cisco-AVPair += "ip:traffic-class=in access-group name CM_T_ANY",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group name CM_T_ANY",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "prepaid-config=PREPAID",
Here is ASR 1002X , 03.10.03.S software:
aaa authentication ppp FREERADIUS group freeradius
aaa authorization network FREERADIUS group freeradius
aaa authorization subscriber-service FREERADIUS local group freeradius
aaa accounting network FREERADIUS start-stop group freeradius
aaa group server radius freeradius
server-private 10.0.6.10 auth-port 1812 acct-port 1813 key 7 142417081E013E
subscriber feature prepaid PREPAID
threshold time 0 seconds
threshold volume 1 Kbytes
interim-interval 1 minutes
method-list author FREERADIUS
method-list accounting FREERADIUS
password cisco
User is authenticated, service downloaded but no periodical checks coming to RADIUS and no quota get depleted.
What am i doing wrong?
asr-1002x-01#show subscriber session username user1 detailed
Type: PPPoE, UID: 200, State: authen, Identity: user1
IPv4 Address: 192.168.128.127
IPv6 Address: 2A01:8960:4::
Session Up-time: 00:22:11, Last Changed: 00:22:11
Interface: Virtual-Access2.1
Switch-ID: 4677
Policy information:
Context 7FBB6473CB60: Handle A80009BE
AAA_id 00001B1F: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
ssg-account-info 0 "AANY"
ssg-control-info 0 "QV1000000"
ssg-account-info 0 "QU;10240000;D;10240000"
prefix 0 00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
Interface-Id 0 00 00 00 00 00 00 00 01
route 0 "2a01:8960:5::/56"
delegated-prefix 0 00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
Downloaded User profile, including services:
Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
ssg-account-info 0 "AANY"
ssg-control-info 0 "QV1000000"
ssg-account-info 0 "QU;10240000;D;10240000"
prefix 0 00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
Interface-Id 0 00 00 00 00 00 00 00 01
route 0 "2a01:8960:5::/56"
delegated-prefix 0 00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Unapplied) (Service)
Profile name: ANY, 3 references
traffic-class 0 "in access-group name CM_T_ANY"
traffic-class 0 "in default drop"
traffic-class 0 "out access-group name CM_T_ANY"
traffic-class 0 "out default drop"
Access-type: Web-service-logon Client: SM
Policy event: Process Config Connecting (Service)
Profile name: ANY, 3 references
traffic-class 0 "in access-group name CM_T_ANY"
traffic-class 0 "in default drop"
traffic-class 0 "out access-group name CM_T_ANY"
traffic-class 0 "out default drop"
Access-type: PPP Client: SM
Policy event: Process Config Connecting
Profile name: apply-config-only, 2 references
Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
ssg-account-info 0 "AANY"
ssg-control-info 0 "QV1000000"
ssg-account-info 0 "QU;10240000;D;10240000"
prefix 0 00 40 2A 01 89 60 00 04 00 00 00 00 00 00 00 00 00 00
Interface-Id 0 00 00 00 00 00 00 00 01
route 0 "2a01:8960:5::/56"
delegated-prefix 0 00 38 2A 01 89 60 00 05 00 00 00 00 00 00 00 00 00 00
Rules, actions and conditions executed:
subscriber rule-map default-internal-rule
condition always event service-start
1 service-policy type service identifier service-name
subscriber rule-map default-internal-rule
condition always event service-stop
1 service-policy type service unapply identifier service-name
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 229275 13175066 0 Match Any
1 Out 714381 1038574772 0 Match Any
Features:
Static Routes:
Class-id Configuration Status Source
0 This feature is enabled Peruser
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
0 In 10240000 1920000 3840000 Peruser
1 Out 10240000 1920000 3840000 Peruser
DHCPv6 PD from AAA:
Class-id Configuration Status Source
0 This feature is enabled Peruser
Configuration Sources:
Type Active Time AAA Service ID Name
USR 00:22:11 - Peruser
INT 00:22:11 - Virtual-Template2I tried not specifying quota, but NAS never ask RADIUS for it.
For all my experiments i'm using second bba group with second virtual template and FREERADUIS aaa list.
Here's debugs:
Nov 26 08:55:57: SSS PM: ANCP not enabled on 'TenGigabitEthernet0/1/0.299' - not retrieving default shaper value
Nov 26 08:55:59: RADIUS/ENCODE(00001B97):Orig. component type = PPPoE
Nov 26 08:55:59: RADIUS: DSL line rate attributes successfully added
Nov 26 08:55:59: RADIUS(00001B97): Config NAS IP: 10.0.6.21
Nov 26 08:55:59: RADIUS(00001B97): Config NAS IPv6: ::
Nov 26 08:55:59: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Nov 26 08:55:59: RADIUS/ENCODE(00001B97): acct_session_id: 7072
Nov 26 08:55:59: RADIUS(00001B97): sending
Nov 26 08:55:59: RADIUS(00001B97): Send Access-Request to 10.0.6.10:1812 id 1645/156, len 138
Nov 26 08:55:59: RADIUS: authenticator DD A0 1E 36 65 E4 E6 38 - B0 10 9F 51 6A 11 24 09
Nov 26 08:55:59: RADIUS: Framed-Protocol [7] 6 PPP [1]
Nov 26 08:55:59: RADIUS: User-Name [1] 7 "user1"
Nov 26 08:55:59: RADIUS: CHAP-Password [3] 19 *
Nov 26 08:55:59: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Nov 26 08:55:59: RADIUS: NAS-Port [5] 6 0
Nov 26 08:55:59: RADIUS: NAS-Port-Id [87] 11 "0/1/0/299"
Nov 26 08:55:59: RADIUS: Vendor, Cisco [26] 41
Nov 26 08:55:59: RADIUS: Cisco AVpair [1] 35 "client-mac-address=000c.2964.a91e"
Nov 26 08:55:59: RADIUS: Service-Type [6] 6 Framed [2]
Nov 26 08:55:59: RADIUS: NAS-IP-Address [4] 6 10.0.6.21
Nov 26 08:55:59: RADIUS: Acct-Session-Id [44] 10 "00001BA0"
Nov 26 08:55:59: RADIUS(00001B97): Sending a IPv4 Radius Packet
Nov 26 08:55:59: RADIUS(00001B97): Started 5 sec timeout
Nov 26 08:55:59: RADIUS: Received from id 1645/156 10.0.6.10:1812, Access-Accept, len 44
Nov 26 08:55:59: RADIUS: authenticator 3C 62 99 46 6E BA 39 24 - AB CF A6 D4 12 83 2D B8
Nov 26 08:55:59: RADIUS: Framed-Protocol [7] 6 PPP [1]
Nov 26 08:55:59: RADIUS: Service-Type [6] 6 Framed [2]
Nov 26 08:55:59: RADIUS: Vendor, Cisco [26] 12
Nov 26 08:55:59: RADIUS: ssg-account-info [250] 6 "AANY"
Nov 26 08:55:59: RADIUS(00001B97): Received from id 1645/156
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Authen status update; is now "authen"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: assert authen status "authen"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: send event Session Update
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: with username "user1"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Session activation: ok
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Username key not found in set domain key API
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Username key does not have a delimiter in set domain key API
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Client block is NULL in get client block with handle 260009C1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Updated key list:
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: AAA-Attr-List = 3A001B08
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Framed-Protocol 0 1 [PPP]
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: service-type 0 2 [Framed]
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ssg-account-info 0 "AANY"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Access-Type = 0 (PPP)
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Session-Handle = 3472884087 (CF000177)
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SHDB-Handle = 3388997707 (CA00004B)
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Input Interface = "TenGigabitEthernet0/1/0.299"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Converted-Session = 0 (NO)
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Media-Type = 1 (Ethernet)
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Authen-Status = 0 (Authenticated)
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Nasport = PPPoEoVLAN: slot 0 adapter 1 port 0 sub-interface 299 IP 0.0.0.0 VPI 0 VCI 0 VLAN 299
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Protocol-Type = 0 (PPP Access Protocol)
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Final = 1 (YES)
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Auth-User = "user1"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SM Policy invoke - Process Config Connecting
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Access type PPP
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Access type PPP: final key
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Config Request from Client
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Event <got process config req>, State: wait-for-events to wait-process-config-complete
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Process Config
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Apply config request set to AAA list
Config: Framed-Protocol 0 1 [PPP]
Config: service-type 0 2 [Framed]
Config: ssg-account-info 0 "AANY"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Sending apply-config-only request to AAA
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SSS PM: Allocating per-user profile info
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SSS PM: Add per-user profile info to policy context
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Root SIP PPPoE
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Enable PPPoE parsing
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Enable PPP parsing
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ACTIVE HANDLE[0]: Snapshot captured in Active context
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ACTIVE HANDLE[0]: Active context created
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <make request>, state changed from idle to authorizing
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Active key set to Auth-User
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Authorizing key apply-config-only
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Spoofed AAA reply sent for key apply-config-only
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Received an AAA pass
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: [7FBB6473CB60]:Reply message not exist
Initial attr Framed-Protocol 0 1 [PPP]
Initial attr service-type 0 2 [Framed]
Initial attr ssg-account-info 0 "AANY"
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Could not parse AAA interim interval
Nov 26 08:55:59: COA_HA: [ERR] Unable to get coa_ctx from shdb 0xCA00004B
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: RULE: Service Name = ANY Ok
Nov 26 08:55:59: SSS PM: PARAMETERIZED-QoS: QOS parameters
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: RULE: VRF Parsing routine:
Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
ssg-account-info 0 "AANY"
Nov 26 08:55:59: SSS PM: VPDN is not enabled
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Feature
Nov 26 08:55:59: Portbundle Hostkey: portbundle not configured on the router
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPP[34E0B60] parsed as Success
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPP[40FD520] parsed as Ignore
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPPoE[357ECE0] parsed as Success
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP Root parser not installed
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <service not found>, state changed from authorizing to complete
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: No service authorization info found
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Active Handle present - 94000170
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Apply config handle [2D001B9D] now set to [B3001B00]
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Freeing Active Handle; SSS Policy Context Handle = 260009C1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: ACTIVE HANDLE[2113]: Released active handle
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: PROFILE: store profile "apply-config-only"
Nov 26 08:55:59: SSS PM: PROFILE-DB: is profile "apply-config-only" in DB
Nov 26 08:55:59: SSS PM: PROFILE-DB: Computed hash value = 669264914
Nov 26 08:55:59: SSS PM: PROFILE-DB: Yes, but is a new version
Nov 26 08:55:59: SSS PM: PROFILE-DB: create "apply-config-only"/7FBB636AB768 hdl 65001B90 ref 1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: PROFILE: create 7FBB636AF8A8, ref 1
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <free request>, state changed from complete to terminal
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Cancel request
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Author Not Found Event
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Create context 7FBB6473CF00
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: key lists to append are empty
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Authen status update; is now "unauthen"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: IDMGR: assert authen status "unauthen"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: SERVICE [ANY]: Parent 7FBB6473CB60
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: SERVICE [ANY]: Started yet? No
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: IDMGR: service not started yet; can't update
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Did not update authen status to IDMGR
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Username key not found in set domain key API
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Username key not found in set domain key API
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Updated NAS port for AAA ID 7063
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: IDMGR: send event Session Update
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Client block is NULL in get client block with handle 150009C2
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Updated key list:
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Logon-Service = "ANY"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Nasport = PPPoEoVLAN: slot 0 adapter 1 port 0 sub-interface 299 IP 0.0.0.0 VPI 0 VCI 0 VLAN 299
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Access-Type = 11 (Web-service-logon)
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Authen-Status = 1 (Unauthenticated)
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Session-Handle = 3472884087 (CF000177)
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Service Command-Handler Policy invoke - Service-Start
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: Access type Web-service-logon
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Looking for a rule for event service-start
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Intf CloneSrc Vt2: service-rule any: None
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Intf InputI/f Te0/1/0.299: service-rule any: None
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Glob: service-rule any: default-internal-rule
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Evaluate "default-internal-rule" for service-start
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Wrong type "default-internal-rule/always event account-logon"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Wrong type "default-internal-rule/always event idle-timeout"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Wrong type "default-internal-rule/always event session-timeout"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Wrong type "default-internal-rule/always event keepalive-timeout"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Wrong type "default-internal-rule/always event flow-timeout"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Matched "default-internal-rule/always event service-start"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE: Matched "default-internal-rule/always event service-start/1 service-policy type service identifier service-name"
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE[0]: Start
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE[0]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
Nov 26 08:55:59: SSS PM CCM: Found SHDB handle 0xCA00004B for policy context 0x7FBB6473CB60
Nov 26 08:55:59: SSS PM CCM: [SESSION PM EVENT] Event = NEW-REQUEST (ctx: 0x7FBB6473CB60, action: APPLY-SERVICE)
Nov 26 08:55:59: SSS PM HA: Dynsess not required shdb = 0xCA00004B spol_ctx = 0x7FBB6473CB60
Nov 26 08:55:59: SSS PM CCM: Set PM HA as not ready (session 0xCA00004B) successfully
Nov 26 08:55:59: SSS PM HA: Adding an action (type APPLY-SERVICE) into the PM HA queue
Nov 26 08:55:59: SSS PM HA: NE: In policy_ha_add_session_info, shdb=0xCA00004B, last=APPLY-SERVICE (6)
Nov 26 08:55:59: SSS PM HA: In policy_ha_nett_effect_process: ctx=0x7FBB5EBC8FC0, action-type=APPLY-SERVICE, event=SERVICE-START, state=INIT-STATE
Nov 26 08:55:59: SSS PM HA: NE: Didn't find any duplicate service-apply action
Nov 26 08:55:59: SSS PM HA: Setting current elem, from 0x0 to 0x7FBB5EBC4BF8
Nov 26 08:55:59: SSS PM CCM: New bulk session (shdb 0xCA00004B), ctx 0x7FBB6473CB60, dsess_hdl 0x0, APPLY-SERVICE OK
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE[0]: Have key Logon-Service
Nov 26 08:55:59: SSS PM [7FBB6473CF00]: RULE[0]: This service ANY is marked as not cancelled
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: State: initial-req to check-auth-needed
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Event <send auth>, State: check-auth-needed to authorizing
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Handling AAA service Authorization
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Sending AAA request for 'ANY'
Nov 26 08:55:59: SVM [ANY]: needs downloading
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: service "ANY" not in cache; needs download
Nov 26 08:55:59: SVM [430000BB/ANY]: allocated version 1
Nov 26 08:55:59: SVM [430000BB/ANY]: [150009C2]: client queued
Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Download:150009C2] locked 0->1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: download required
Nov 26 08:55:59: SVM [430000BB/ANY]: [AAA-Download:7FBB6280D928] locked 0->1
Nov 26 08:55:59: SSS AAA AUTHOR: Authorization:Fetching method list from SIP:Web-service-logon
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: using named author method list "FREERADIUS"
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Root SIP PPPoE
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Enable PPPoE parsing
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Enable PPP parsing
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Enable Web-service-logon parsing
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: ACTIVE HANDLE[0]: Snapshot captured in Active context
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: ACTIVE HANDLE[0]: Active context created
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <make request>, state changed from idle to authorizing
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Active key set to Apply-Service
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Authorizing key ANY
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Set authorization profile type to service
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: AAA request sent for key ANY
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[0]: Downloading service "ANY"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[1]: Start
Nov 26 08:55:59: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Nov 26 08:55:59: RADIUS(00000000): Config NAS IP: 10.0.6.21
Nov 26 08:55:59: RADIUS(00000000): Config NAS IPv6: ::
Nov 26 08:55:59: RADIUS(00000000): sending
Nov 26 08:55:59: RADIUS: nas-port-id(87) is not found in the request
Nov 26 08:55:59: RADIUS(00000000): Send Access-Request to 10.0.6.10:1812 id 1645/157, len 55
Nov 26 08:55:59: RADIUS: authenticator B3 F6 A3 5E 7D D8 01 9E - 72 A5 4E D0 79 32 0C 11
Nov 26 08:55:59: RADIUS: User-Password [2] 18 *
Nov 26 08:55:59: RADIUS: User-Name [1] 5 "ANY"
Nov 26 08:55:59: RADIUS: Service-Type [6] 6 Outbound [5]
Nov 26 08:55:59: RADIUS: NAS-IP-Address [4] 6 10.0.6.21
Nov 26 08:55:59: RADIUS(00000000): Sending a IPv4 Radius Packet
Nov 26 08:55:59: RADIUS(00000000): Started 5 sec timeout
Nov 26 08:55:59: RADIUS: Received from id 1645/157 10.0.6.10:1812, Access-Accept, len 240
Nov 26 08:55:59: RADIUS: authenticator F2 BB 14 5D 90 BC 76 91 - 8C B3 9B 55 75 69 4A 6B
Nov 26 08:55:59: RADIUS: Vendor, Cisco [26] 54
Nov 26 08:55:59: RADIUS: Cisco AVpair [1] 48 "ip:traffic-class=in access-group name CM_T_ANY"
Nov 26 08:55:59: RADIUS: Vendor, Cisco [26] 40
Nov 26 08:55:59: RADIUS: Cisco AVpair [1] 34 "ip:traffic-class=in default drop"
Nov 26 08:55:59: RADIUS: Vendor, Cisco [26] 55
Nov 26 08:55:59: RADIUS: Cisco AVpair [1] 49 "ip:traffic-class=out access-group name CM_T_ANY"
Nov 26 08:55:59: RADIUS: Vendor, Cisco [26] 41
Nov 26 08:55:59: RADIUS: Cisco AVpair [1] 35 "ip:traffic-class=out default drop"
Nov 26 08:55:59: RADIUS: Vendor, Cisco [26] 30
Nov 26 08:55:59: RADIUS: Cisco AVpair [1] 24 "prepaid-config=PREPAID"
Nov 26 08:55:59: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
Nov 26 08:55:59: RADIUS(00000000): Received from id 1645/157
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Received an AAA pass
Initial attr traffic-class 0 "in access-group name CM_T_ANY"
Initial attr traffic-class 0 "in default drop"
Initial attr traffic-class 0 "out access-group name CM_T_ANY"
Initial attr traffic-class 0 "out default drop"
Initial attr prepaid-config 0 "PREPAID"
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Could not parse AAA interim interval
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:Prepaid config= PREPAID
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:No prepaid context in policy context; allocing
Nov 26 08:55:59: SSS PM: PARAMETERIZED-QoS: QOS parameters
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE: VRF Parsing routine:
traffic-class 0 "in access-group name CM_T_ANY"
traffic-class 0 "in default drop"
traffic-class 0 "out access-group name CM_T_ANY"
traffic-class 0 "out default drop"
Nov 26 08:55:59: SSS PM: VPDN is not enabled
Nov 26 08:55:59: SVM [430000BB/ANY]: Set class ids: 228.229
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Feature
Nov 26 08:55:59: SSF[ANY/QoS Policy Map]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/TC]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Service Config]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/IP Config]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Interface Config]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Compression]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Modem-on-hold]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Static Routes]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/IPX Static SAPs]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Per-User ACL]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Per-User Filter]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Portbundle Hostkey]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/DHCPv6 PD from AAA]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Keepalive]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Tariff Switching]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Forced Flow Routing]: TC flow does not support this feature
Nov 26 08:55:59: SSF[ANY/Templating End of Transaction]: TC flow does not support this feature
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPP[34E0B60] parsed as Success
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPP[40FD520] parsed as Ignore
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP PPPoE[357ECE0] parsed as Success
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP Root parser not installed
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SIP Web-service-logon parser not installed
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <service not found>, state changed from authorizing to complete
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: No service authorization info found
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Active Handle present - B5000171
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Attr list is NULL, apply config handle [0] not reset
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: ACTIVE HANDLE[0]: Snapshot reverted from Active context to policy context
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Freeing Active Handle; SSS Policy Context Handle = 150009C2
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: ACTIVE HANDLE[2113]: Released active handle
Nov 26 08:55:59: SSS PM [7FBB6473C080]: Create context 7FBB6473C080
Nov 26 08:55:59: SSS PM: PROFILE-DB: is profile "ANY" in DB
Nov 26 08:55:59: SSS PM: PROFILE-DB: Computed hash value = 1769891265
Nov 26 08:55:59: SSS PM: PROFILE-DB: No, add new list
Nov 26 08:55:59: SSS PM: PROFILE-DB: create "ANY"
Nov 26 08:55:59: SSS PM: PROFILE-DB: create "ANY"/7FBB636AB6A8 hdl CF001B0C ref 1
Nov 26 08:55:59: SVM [430000BB/ANY]: downloaded first version
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: SVM download for "ANY" ok
Nov 26 08:55:59: SVM [430000BB/ANY]: [150009C2]: client download ok
Nov 26 08:55:59: SVM [430000BB/ANY]: [SVM-to-client-msg:150009C2] locked 0->1
Nov 26 08:55:59: SVM [430000BB/ANY]: [AAA-Download:7FBB6280D928] unlocked 1->0
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Event <free request>, state changed from complete to terminal
Nov 26 08:55:59: SSS AAA AUTHOR [uid:201]: Cancel request
Nov 26 08:55:59: SSS PM [7FBB6473C080]: Destroy context 7FBB6473C080
Nov 26 08:55:59: SSS PM: [PARAMETERIZED-QoS]: In removed_from_rbpl_ctx_temp_hold for policy handle[ED0009C3
Nov 26 08:55:59: SSS PM: [PARAMETERIZED-QoS]: No rabapol context created yet for handle [ED0009C3], nothing to return
Nov 26 08:55:59: COA_CCM: [SESSION FREE] Policy ctx: 0x7FBB6473C080
Nov 26 08:55:59: COA_CCM: Free session - Ignoring policy context 0x7FBB6473C080 (not our session)
Nov 26 08:55:59: SSS PM CCM: [SESSION FREE] policy ctx: 0x7FBB6473C080
Nov 26 08:55:59: SSS PM CCM: [ERR] Free session - Ignoring policy context 0x7FBB6473C080 (not our HA session)
Nov 26 08:55:59: CH-UTILS: Invalid command handle
Nov 26 08:55:59: SSS PM [7FBB6473C080]: PROFILE: destroy all config
Nov 26 08:55:59: SSS PM [7FBB6473C080]: SSS PM: destroy all user profile info from policy context
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: SVM service download success
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: download completed for "ANY" version 1
Nov 26 08:55:59: SVM [430000BB/ANY]: alloc feature info
Nov 26 08:55:59: SVM [430000BB/ANY]: [SVM-Feature-Info:7FBB636DD648] locked 0->1
Nov 26 08:55:59: SVM [430000BB/ANY]: has Policy info
Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Info:7FBB6484BDC0] locked 0->1
Nov 26 08:55:59: SVM [430000BB/ANY]: has Policy info
Nov 26 08:55:59: SSS PM CCM: Poisoning session for SHDB 0xCA00004B.
Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Info:7FBB6484BD60] unlocked 1->0
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: PROFILE: store profile "ANY"
Nov 26 08:55:59: SSS PM: PROFILE-DB: incremented ref "ANY"/7FBB636AB6A8 hdl CF001B0C ref 2
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: PROFILE: create 7FBB636AF880, ref 1
Nov 26 08:55:59: SVM [430000BB/ANY]: populated client
Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Download:150009C2] unlocked 1->0
Nov 26 08:55:59: SVM [430000BB/ANY]: [SVM-to-client-msg:150009C2] unlocked 1->0
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE: VRF/Classname Check: session logging off or not VRF/Classname dependent
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Handling Author Not Found Event
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Feature info: 7FBB636DD648 Type: Service Config
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: : Config level: Service Profile
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: : IDB type: Sub-if or not required
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: : 16 bytes:
SSS PM [uid:201][7FBB6473CF00]: : Data: 000000 00 00 43 00 00 BB EA 00 ..c.....
SSS PM [uid:201][7FBB6473CF00]: : Data: 000008 00 15 15 00 09 C2 00 00 ........
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Service starting
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: SERVICE [ANY]: Parent 7FBB6473CB60
Nov 26 08:55:59: SVM [430000BB/ANY]: [PM-Service:7FBB53EE6050] locked 0->1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Client block is NULL in get client block with handle 260009C1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: SERVICE [ANY]: Start-pending request: Ok
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Event <srvf not found>, State: authorizing to check-auth-needed
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Handling Next Authorization Check
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[0]: Continue
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[0]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[0]: No more actions to run
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[1]: Continue
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[1]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
Nov 26 08:55:59: SVM [430000BB/ANY]: already downloaded; sharing
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[1]: Give default directive
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[2]: Continue
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: RULE[2]: default-internal-rule/always event service-start/1 service-policy type service identifier service-name
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Event <srvf found>, State: check-auth-needed to wait-for-events
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: All auto services downloaded and cached,proceed with rule execution
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Service Command-Handler Policy invoke - Auto Services Downloaded
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Session contans a prepaid svc
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Config Apply to SM
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SSS PM: config_applied is set for Per-User handle [8D0000CB]
Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
Nov 26 08:55:59: SSF: SSF FIB SB required Vi2.1, FALSE
Nov 26 08:55:59: SSS PM: SSS PM: Added peruser feature infos when config_applied already set
Nov 26 08:55:59: SSF[uid:201:0.1]: L2HW Segment init returned: Success
Nov 26 08:55:59: SSF[uid:201:0.1]: Sending Apply Config Request to FM
Nov 26 08:55:59: SSF Owner[]: rcv owner avail msg: owner type 4, owner hdl 0x7FBB57E18088, old seg hdl 0, msg seg hdl 872415490, fsb 0x0
Nov 26 08:55:59: SSF Owner [Vi2.1/uid:0]: Created fsb, owner type 4, owner hdl 0x7FBB57E18088, fsb 0x7FBB64D54F88
Nov 26 08:55:59: SSF Owner [Vi2.1/uid:0]: FSM Ev: Owner info avail
Nov 26 08:55:59: FSM Old St: SSF Owner InActive
Nov 26 08:55:59: FSM New St: SSF Owner Owner-Ready
Nov 26 08:55:59: FSM: Act owner avail
Nov 26 08:55:59: SSF[uid:201:0.1]: Received a config apply request from Swidb for segment 7FBB648AEFB0
Nov 26 08:55:59: SSF[Vt2/uid:201:0.1]: Apply Interface configured features from source(7FBB6366B1D8)
Nov 26 08:55:59: SSF[Vt2]: Bind notify. Incremented ref count: 1
Nov 26 08:55:59: SSF[Vt2/uid:201:0.1]: Segment bound to a Interface configuration source Success
Nov 26 08:55:59: SSF[ANY/uid:201:0.1]: Apply Service Profile configured features from source(430000BB)
Nov 26 08:55:59: SSF[uid:201:0.1]: Request flow segment context to be created
Nov 26 08:55:59: SSF[uid:201:0.1]: L2HW Segment init returned: Success
Nov 26 08:55:59: SSF[ANY/uid:201:228.229]: Apply Service Profile configured features from source(430000BB)
Nov 26 08:55:59: SVM [430000BB/ANY]: [FM-Bind:CF000177] locked 0->1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SERVICE [ANY]: Bind notify: Ok
Nov 26 08:55:59: SSF[ANY/uid:201:228.229]: Segment bound to a Service Profile configuration source Success
Nov 26 08:55:59: SSF[Peruser/uid:201:0.1]: Apply Per-user configured features from source(8D0000CB)
Nov 26 08:55:59: SSF[Peruser/uid:201:0.1]: Segment bound to a Per-user configuration source Success
Nov 26 08:55:59: SSF[uid:201:0.1]: L2HW Activate features returned: Success
Nov 26 08:55:59: SSF[uid:201:0.1]: Sent feature apply success msg
Nov 26 08:55:59: SVM [430000BB/ANY]: [SVM-Feature-Info:7FBB636DD648] unlocked 1->0
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SM Policy invoke - Apply Config Success
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Session contans a prepaid svc
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: Sending first author request
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:Event DO_FIRST_AUTHOR, State: INIT to PROCESSING_FIRST_AUTHOR
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:Performing action: PROCESS_FIRST_AUTHOR
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Client block is NULL in get client block with handle 260009C1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: PREPAID:Suspending first author till IPCP_PASS
Nov 26 08:55:59: SSF[Peruser]: Did not locate push peruser bind mapping
Nov 26 08:55:59: SSS PM: [PARAMETERIZED-QoS]: No rabapol context created yet for handle [260009C1], returning compatible
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Event <got apply config success>, State: wait-process-config-complete to wait-for-events
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Handling Apply Config; SUCCESS
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: session start done
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Removed attribute list just processed
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SERVICE [ANY]: Complete-Pending
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: service start
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: send event Service Assert
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: with service name "ANY"
Nov 26 08:55:59: SVM [430000BB/ANY]: already downloaded; sharing
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: assert authen status "authen"
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: send event Service Update
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: IDMGR: with service name "ANY"
Nov 26 08:55:59: SVM [430000BB/ANY]: already downloaded; sharing
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: IDMGR: update service
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: IDMGR: send event Service Update
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CF00]: IDMGR: with service name "ANY"
Nov 26 08:55:59: SVM [430000BB/ANY]: already downloaded; sharing
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: SERVICE [ANY]: Started
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: no callback for callback north
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Client block is NULL in get client block with handle 260009C1
Nov 26 08:55:59: SSS PM [uid:201][7FBB6473CB60]: Null client block; Can't update RP
asr-1002x-01#
Nov 26 08:55:59: RADIUS: Acct-Delay-Time [41] 6 0
Nov 26 08:55:59: RADIUS(00001B97): Sending a IPv4 Radius Packet
Nov 26 08:55:59: RADIUS(00001B97): Started 5 sec timeout
Nov 26 08:55:59: RADIUS: Received from id 1646/205 10.0.6.10:1813, Accounting-response, len 20
Nov 26 08:55:59: RADIUS: authenticator 18 6B 22 E6 3F 56 1A 4A - 73 83 5C 79 BD 38 24 8A
asr-1002x-01#
SSS Switch: Pak 7FBB4D5B6D28 sz 14 encap 2
Nov 26 08:56:01: 000000 C0 21 09 7E 00 0C 0C 11 D!N~....
Nov 26 08:56:01: 000008 3B ED FA D5 8D F4 ;.....
Nov 26 08:56:01: SSF: Classified on Layer 2
Config:
! Last configuration change at 16:45:50 TMN Tue Nov 25 2014 by lion
! NVRAM config last updated at 16:45:51 TMN Tue Nov 25 2014 by lion
version 15.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
hostname asr-1002x-01
boot-start-marker
boot system flash bootflash:asr1002x-universalk9.03.10.03.S.153-3.S3-ext.SPA.bin
boot-end-marker
aqm-register-fnf
vrf definition Mgmt-intf
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
vrf definition Voice
address-family ipv4
exit-address-family
address-family ipv6
exit-address-family
logging buffered 1024000 informational
aaa new-model
aaa group server radius freeradius
server-private 10.0.6.10 auth-port 1812 acct-port 1813 key 7 142417081E013E
ip vrf forwarding Mgmt-intf
ip radius source-interface GigabitEthernet0
aaa group server radius billing
server-private 10.0.6.102 auth-port 1812 acct-port 1813 key 7 06150A225E4B1D
ip vrf forwarding Mgmt-intf
ip radius source-interface GigabitEthernet0
aaa authentication login default local
aaa authentication ppp LOCAL_AUTH local
aaa authentication ppp FREERADIUS group freeradius
aaa authentication ppp BILLING group billing
aaa authorization console
aaa authorization exec default local
aaa authorization network LOCAL_AUTH none
aaa authorization network FREERADIUS group freeradius
aaa authorization network BILLING group billing
aaa authorization subscriber-service FREERADIUS local group freeradius
aaa authorization subscriber-service BILLING local
aaa accounting delay-start all
aaa accounting delay-start extended-delay 2
aaa accounting update periodic 5
aaa accounting include auth-profile framed-ip-address
aaa accounting include auth-profile framed-ipv6-prefix
aaa accounting include auth-profile delegated-ipv6-prefix
aaa accounting network FREERADIUS start-stop group freeradius
aaa accounting network BILLING start-stop group billing
aaa server radius dynamic-author
client 10.0.6.102 vrf Mgmt-intf server-key 7 120A0014000E18
client 10.0.6.10 server-key 7 094F471A1A0A
port 1645
auth-type any
ignore session-key
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone TMN 5 0
no ip source-route
no ip domain lookup
ip domain name local
ip host service 10.0.6.101
ip dhcp excluded-address vrf Voice 10.3.0.0 10.3.127.255
ip dhcp pool Voice
vrf Voice
network 10.3.0.0 255.255.0.0
ipv6 unicast-routing
ipv6 dhcp iana-route-add
ipv6 dhcp binding track ppp
ipv6 dhcp pool dhcpv6_pool_60
prefix-delegation pool ppp_delegate_60_v6_pool
accounting BILLING
ipv6 dhcp pool dhcpv6_pool_56
prefix-delegation pool ppp_delegate_56_v6_pool
accounting BILLING
ipv6 dhcp pool AAA_dhcpv6_pool
prefix-delegation aaa method-list BILLING
subscriber feature prepaid PREPAID
threshold time 0 seconds
threshold volume 1 Kbytes
interim-interval 1 minutes
method-list author FREERADIUS
method-list accounting FREERADIUS
password cisco
flow monitor MON1
record netflow ipv4 original-output
multilink bundle-name authenticated
no virtual-template snmp
license accept end user agreement
archive
log config
logging enable
logging size 300
hidekeys
path tftp://service/config/all/$h-$t
write-memory
spanning-tree extend system-id
redundancy
mode none
redirect server-group NoMoney
server ip A.B.198.3 port 80
redirect server-group NoMoneyDNS
server ip A.B.198.10 port 53
cdp run
ip tftp source-interface GigabitEthernet0
ip ssh version 2
lldp run
class-map type traffic match-any CM_ANY6
match access-group input name CM_T_ANY6
match access-group output name CM_T_ANY6
class-map type traffic match-any CM_ANY
match access-group input name CM_T_ANY
match access-group output name CM_T_ANY
class-map type traffic match-any CM_T_NoMoney_REDIRECT_DNS
match access-group input name CM_T_NoMoney_REDIRECT_DNS
class-map type traffic match-any CM_T_NoMoney_REDIRECT_WWW
match access-group input name CM_T_NoMoney_REDIRECT_WWW
class-map type traffic match-any CM_T_NoMoney_PASS
match access-group input name CM_T_NoMoney_PASS
match access-group output name CM_T_NoMoney_PASS
policy-map type service NoMoney10
10 class type traffic CM_T_NoMoney_PASS
class type traffic default in-out
drop
policy-map type service NoMoney500
500 class type traffic CM_T_NoMoney_REDIRECT_WWW
redirect to group NoMoney
class type traffic default in-out
drop
policy-map type service NoMoney510
510 class type traffic CM_T_NoMoney_REDIRECT_DNS
redirect to group NoMoneyDNS
class type traffic default in-out
drop
policy-map type service Any
1 class type traffic CM_ANY
prepaid config PREPAID
class type traffic default in-out
drop
policy-map type service Any6
1 class type traffic CM_ANY6
prepaid config PREPAID
class type traffic default in-out
drop
policy-map pol2
policy-map pol1
policy-map PM_SPEED_NONE
class class-default
policy-map rate_10m
class class-default
police 10000000 1000000
policy-map PM_TEST
class class-default
police 1000000
policy-map rate_1m
class class-default
police 1000000 100000
policy-map PM_SPEED_8M
class class-default
police 9000000
policy-map rate_out_10m
class class-default
police 10000000 1000000
policy-map rate_in_10m
class class-default
police 10000000 1000000
no crypto isakmp default policy
no crypto ipsec transform-set default
bba-group pppoe 1
virtual-template 1
vendor-tag circuit-id service
vendor-tag remote-id service
sessions per-mac limit 2
bba-group pppoe 2
virtual-template 2
vendor-tag circuit-id service
vendor-tag remote-id service
sessions per-mac limit 2
interface Null0
no ip unreachables
no ipv6 unreachables
interface Loopback0
ip address A.B.196.6 255.255.255.255
ipv6 address 2001:7f8::20/128
ipv6 enable
interface Loopback2
ip address A.B.198.1 255.255.255.0
interface GigabitEthernet0/0/0
no ip address
negotiation auto
cdp enable
interface GigabitEthernet0/0/1
no ip address
negotiation auto
cdp enable
interface GigabitEthernet0/0/2
no ip address
negotiation auto
cdp enable
interface GigabitEthernet0/0/3
no ip address
negotiation auto
cdp enable
interface GigabitEthernet0/0/4
no ip address
negotiation auto
cdp enable
interface GigabitEthernet0/0/5
no ip address
negotiation auto
cdp enable
interface TenGigabitEthernet0/1/0
mtu 9000
no ip address
load-interval 30
cdp enable
hold-queue 4096 in
interface TenGigabitEthernet0/1/0.9
encapsulation dot1Q 9
ip address A.B.196.5 255.255.255.254
ip nat outside
ip flow monitor MON1 input
ip flow monitor MON1 output
ipv6 address 2001:7f8:0:1::2:1/127
ipv6 nd ra suppress
interface TenGigabitEthernet0/1/0.34
description DM_Inet
encapsulation dot1Q 34
ip unnumbered Loopback2
ip nat outside
service-policy input PM_SPEED_NONE
service-policy output PM_SPEED_NONE
interface TenGigabitEthernet0/1/0.96
description DM_Datacenter
encapsulation dot1Q 96
ip unnumbered Loopback2
ip nat outside
service-policy input PM_SPEED_NONE
service-policy output PM_SPEED_NONE
interface TenGigabitEthernet0/1/0.298
description IPoE test
encapsulation dot1Q 298
ip unnumbered Loopback2
ip nat outside
interface TenGigabitEthernet0/1/0.299
description PPPoE Test
encapsulation dot1Q 299
pppoe enable group 2
interface TenGigabitEthernet0/1/0.300
encapsulation dot1Q 300
vrf forwarding Voice
ip address 10.3.0.1 255.255.0.0
interface TenGigabitEthernet0/1/0.21000
description PPPoE
encapsulation dot1Q 2 second-dot1q 1000-1999
pppoe enable group 1
pppoe max-sessions 10000
interface TenGigabitEthernet0/1/0.2002000
description client 2000
encapsulation dot1Q 200 second-dot1q 2000
ip unnumbered Loopback2
ip nat outside
service-policy input PM_SPEED_8M
service-policy output PM_SPEED_8M
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.0.6.21 255.255.255.0
negotiation auto
interface Virtual-Template1
mtu 1492
ip unnumbered Loopback0
no ip redirects
no ip proxy-arp
ip nat inside
ip verify unicast reverse-path
ip tcp adjust-mss 1452
no logging event link-status
ipv6 unnumbered Loopback0
ipv6 enable
no ipv6 nd ra suppress
ipv6 dhcp server AAA_dhcpv6_pool
peer default ip address pool pool192_168
keepalive 60
ppp authentication chap ms-chap-v2 BILLING
ppp authorization BILLING
ppp accounting BILLING
ppp ipcp dns A.B.198.10
interface Virtual-Template2
description Testing PPPoE
mtu 1492
ip unnumbered Loopback0
no ip redirects
no ip proxy-arp
ip nat inside
ip verify unicast reverse-path
ip tcp adjust-mss 1452
no logging event link-status
ipv6 unnumbered Loopback0
ipv6 enable
no ipv6 nd ra suppress
ipv6 dhcp server AAA_dhcpv6_pool
peer default ip address pool pool192_168
keepalive 60
ppp authentication chap ms-chap-v2 FREERADIUS
ppp authorization FREERADIUS
ppp accounting FREERADIUS
ppp ipcp dns A.B.198.10
ip local pool pool172_17 172.17.0.1 172.17.255.254
ip local pool pool192_168 192.168.128.0 192.168.255.254
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat pool nat_pool A.B.196.65 A.B.196.127 netmask 255.255.255.0
ip nat inside source list nat pool nat_pool overload
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 A.B.196.4
ip route A.B.196.128 255.255.255.128 Null0 100
ip route A.B.197.0 255.255.255.0 Null0 100
ip route A.B.198.0 255.255.255.0 Null0 100
ip route A.B.198.2 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.2 name net-console-01
ip route A.B.198.3 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.3 name net-mon-01
ip route A.B.198.4 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.4 name billing-01
ip route A.B.198.5 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.5 name svyazisty
ip route A.B.198.6 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.6 name Linux_test
ip route A.B.198.7 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.7 name SCE_Console
ip route A.B.198.8 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.8 name backup-01
ip route A.B.198.9 255.255.255.255 TenGigabitEthernet0/1/0.298 A.B.198.9 name Linux_test2
ip route A.B.198.10 255.255.255.255 TenGigabitEthernet0/1/0.96 A.B.198.10 name dns-server
ip route A.B.198.16 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.16 name DM
ip route A.B.198.17 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.17 name DM
ip route A.B.198.18 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.18 name DM
ip route A.B.198.19 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.19 name DM
ip route A.B.198.20 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.20 name DM
ip route A.B.198.21 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.21 name DM
ip route A.B.198.22 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.22 name DM
ip route A.B.198.23 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.23 name DM
ip route A.B.198.24 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.24 name DM
ip route A.B.198.25 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.25 name DM
ip route A.B.198.26 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.26 name DM
ip route A.B.198.27 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.27 name DM
ip route A.B.198.28 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.28 name DM
ip route A.B.198.29 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.29 name DM
ip route A.B.198.30 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.30 name DM
ip route A.B.198.31 255.255.255.255 TenGigabitEthernet0/1/0.34 A.B.198.31 name DM
ip route A.B.198.100 255.255.255.255 TenGigabitEthernet0/1/0.2002000 A.B.198.100 name "client 100"
ip access-list extended CM_T_ANY
permit ip any any
ip access-list extended CM_T_NoMoney_PASS
permit ip any host A.B.198.3
permit ip host A.B.198.3 any
permit udp any host A.B.198.10 eq domain
permit udp host A.B.198.10 eq domain any
ip access-list extended CM_T_NoMoney_REDIRECT_DNS
permit udp any any eq domain
ip access-list extended CM_T_NoMoney_REDIRECT_WWW
permit tcp any any eq www
ip access-list extended POLICE_EXCLUDE
deny ip any host A.B.198.3
deny ip host A.B.198.3 any
permit ip any any
ip access-list extended POLICE_EXCLUDE_INV
permit ip any host A.B.198.3
permit ip host A.B.198.3 any
ip access-list extended nat
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 169.254.0.0 0.0.255.255
permit ip 192.168.128.0 0.0.127.255 any
permit ip 172.17.0.0 0.0.255.255 any
ip access-list extended vty
permit ip 10.0.6.0 0.0.0.255 any
kron occurrence daily-backup at 3:24 recurring
policy-list backup_rc
kron policy-list backup_rc
cli enable
cli archive config
ipv6 route 2001:7f8:1::/48 Null0
ipv6 route 2001:7f8:2::/48 Null0
ipv6 route 2001:7f8:3::/48 Null0
ipv6 route ::/0 2001:7f8:0:1::2:0
ipv6 local pool ppp_delegate_60_v6_pool 2001:7f8:2::/48 60
ipv6 local pool ppp_delegate_56_v6_pool 2001:7f8:3::/48 56
ipv6 local pool ppp_link_v6_pool 2001:7f8:1::/49 64
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 8 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf
ipv6 access-list CM_T_ANY6
permit ipv6 any any
control-plane
line con 0
exec-timeout 30 0
logging synchronous
history size 256
stopbits 1
line aux 0
transport input ssh
transport output all
stopbits 1
line vty 0 4
access-class vty in vrf-also
exec-timeout 120 0
logging synchronous
history size 256
transport input ssh
transport output all
line vty 5 15
access-class vty in vrf-also
exec-timeout 120 0
logging synchronous
history size 256
transport input ssh
transport output all
line vty 16 97
history size 256
ntp server vrf Mgmt-intf 10.0.6.10
end -
Migrate PPPoE/Virtual-Interface from 7206VXR to ASR 1002
Good Day,
I have been attempting to migrate services from an existing 7206VXR to a recently purchased ASR1002 and could use some help.
My mistake in assuming that the config would be similar to 7206VXR, but there are changes - mainly VRF and cisco-avpair attributes that need added to radius.
Our lab test, with the below ASR config will allow the user to authenticate successfully but does not assign IP address.
User Status
User is online
Last Connection
2012-09-21 10:27:47
Online Time
1 hours, 4 minutes, 15 seconds
Server (NAS)
206.251.40.52 (MAC: )
User Workstation
(MAC: )
User Upload
6.5 Kb
User Download
6.51 Kb
ID
HotSpot
Username
IP Address
Start Time
Stop Time
Total Time
Upload (Bytes)
Download (Bytes)
Termination
NAS IP Address
7837056
[email protected]
2012-09-21 10:27:47
1 hours, 4 minutes, 15 seconds
6.5 Kb
6.51 Kb
206.251.40.52
I have also tried assigning a static IP to the CPE, however the CPE cannot see 199.200.107.1.
No doubt the problem is something simple I appreciate any help or suggestions.
Radius Reply Attributes
Cisco-AVPair += ip:vrf-id=CV_VRF
Cisco-AVPair += ip:ip-unnumbered=Loopback 111 (generates unsupported sub-interface errors when used)
7206VXR Config-
aaa new-model
aaa authentication login default group radius
aaa authentication login con none
aaa authentication login vty line local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa authorization network noauth none
aaa accounting update periodic 5
aaa accounting network default
action-type start-stop
group radius
aaa accounting system default
action-type start-stop
group radius
bba-group pppoe 156
virtual-template 156
sessions per-vc limit 65000
sessions per-mac limit 65000
sessions per-vlan limit 65000
interface Loopback0
ip address 10.1.1.3 255.255.255.255
ip ospf network point-to-point
interface GigabitEthernet0/1
no ip address
no ip redirects
duplex full
speed 1000
media-type rj45
no negotiation auto
no cdp enable
interface GigabitEthernet0/1.20
description ROUTER GATEWAY
encapsulation dot1Q 20
ip address 206.251.40.51 255.255.255.248
no cdp enable
interface GigabitEthernet0/2
no ip address
no ip redirects
duplex full
speed 1000
media-type rj45
no negotiation auto
no cdp enable
interface GigabitEthernet0/2.156
encapsulation dot1Q 156
ip address 199.30.185.1 255.255.255.0 secondary
ip address 199.30.186.1 255.255.255.0 secondary
ip address 199.30.187.1 255.255.255.0 secondary
ip address 199.30.184.1 255.255.255.0
pppoe enable group 156
no cdp enable
interface Virtual-Template156
ip unnumbered GigabitEthernet0/2.156
no ip redirects
no ip route-cache cef
peer default ip address pool IP_POOL156
ppp mtu adaptive
ppp authentication pap
ip local pool IP_POOL156 199.30.184.2 199.30.184.254
ip local pool IP_POOL156 199.30.185.2 199.30.185.254
ip local pool IP_POOL156 199.30.186.2 199.30.186.254
ip local pool IP_POOL156 199.30.187.2 199.30.187.254
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 199.30.184.0 255.255.252.0 Null0 200
ip prefix-list AS19045 seq 10 permit 199.30.184.0/22
ip radius source-interface GigabitEthernet0/1.20
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server retransmit 1
radius-server timeout 60
radius-server key ********
radius-server vsa send accounting
radius-server vsa send authentication
ASR 1002 Config (attempt)
aaa new-model
aaa group server radius AAA_CV_VRF
server 208.98.188.6 auth-port 1812 acct-port 1813
aaa authentication login default group AAA_CV_VRF
aaa authentication login con none
aaa authentication login vty line local
aaa authentication login localauth local
aaa authentication ppp default if-needed group AAA_CV_VRF
aaa authorization network default group AAA_CV_VRF
aaa authorization network noauth none
aaa accounting update newinfo periodic 60
aaa accounting network default start-stop group AAA_CV_VRF
aaa accounting connection default start-stop group AAA_CV_VRF
aaa accounting system default
action-type start-stop
group AAA_CV_VRF
aaa accounting resource default start-stop group AAA_CV_VRF
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone MST -7 0
clock summer-time MST recurring
no ip source-route
ip vrf CV_VRF
rd 1:1
virtual-profile if-needed
multilink bundle-name authenticated
bba-group pppoe 111
description TEST
virtual-template 111
sessions per-vc limit 65000
sessions per-mac limit 65000
sessions per-vlan limit 65000
sessions auto cleanup
interface Loopback0
ip address 10.1.1.4 255.255.255.255
ip ospf network point-to-point
interface Loopback111
description TEST
ip vrf forwarding CV_VRF
ip address 199.200.107.1 255.255.255.0
interface GigabitEthernet0/0/2
no ip address
no ip redirects
no negotiation auto
interface GigabitEthernet0/0/2.20
description ROUTER GATEWAY
encapsulation dot1Q 20
ip address 206.251.40.52 255.255.255.248
interface GigabitEthernet0/0/3
no ip address
no ip redirects
no negotiation auto
interface GigabitEthernet0/0/3.111
encapsulation dot1Q 111
ip vrf forwarding CV_VRF
no ip proxy-arp
pppoe enable group 111
interface Virtual-Template111
ip unnumbered GigabitEthernet0/0/3.111
no ip redirects
no ip route-cache cef
peer default ip address pool IP_POOL111
ppp mtu adaptive
ppp authentication pap
router ospf 19045
router-id 10.1.1.4
network 10.1.1.4 0.0.0.0 area 0.0.0.0
network 199.200.107.0 0.0.0.255 area 0.0.0.0
network 206.251.40.48 0.0.0.7 area 0.0.0.0
router bgp 19045
bgp log-neighbor-changes
network 199.200.104.0 mask 255.255.252.0
network 206.251.40.0 mask 255.255.248.0
neighbor 10.1.1.1 remote-as 19045
neighbor 10.1.1.1 description IBGP_PEER_ASR
neighbor 10.1.1.1 update-source Loopback0
neighbor 10.1.1.1 next-hop-self
ip local pool IP_POOL111 199.200.107.2 199.200.107.254
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.251.40.49
ip route 199.200.104.0 255.255.252.0 Null0 200
ip prefix-list AS19045 seq 10 permit 199.200.104.0/22
ip radius source-interface GigabitEthernet0/0/2.20
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key ********
radius-server retransmit 1
radius-server timeout 60
radius-server vsa send accounting
radius-server vsa send authentication
Debug Info
*Sep 20 22:03:26.677: [910]PPPoE 1911: AAA get dynamic attrs
*Sep 20 22:03:26.678: [910]PPPoE 1911: O PADT R:6468.0cf7.8546 L:f866.f287.7c83 Gi0/0/3.111
*Sep 20 22:03:26.678: [910]PPPoE 1911: Destroying R:6468.0cf7.8546 L:f866.f287.7c83 111 Gi0/0/3.111
*Sep 20 22:03:26.678: PPPoE: Returning Vaccess Virtual-Access3
*Sep 20 22:03:26.679: [910]PPPoE 1911: AAA get dynamic attrs
*Sep 20 22:03:26.679: [910]PPPoE 1911: AAA account stopped
*Sep 20 22:03:26.679: RADIUS/ENCODE(00000791):Orig. component type = PPPoE
*Sep 20 22:03:26.679: RADIUS(00000791): Config NAS IP: 0.0.0.0
*Sep 20 22:03:26.679: RADIUS(00000791): Config NAS IPv6: ::
*Sep 20 22:03:26.679: RADIUS(00000791): sending
*Sep 20 22:03:26.682: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 20 22:03:26.682: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Sep 20 22:03:26.683: RADIUS/ENCODE: Best Local IP-Address 206.251.40.52 for Radius-Server 208.98.188.6
*Sep 20 22:03:26.683: RADIUS(00000791): Sending a IPv4 Radius Packet
*Sep 20 22:03:26.683: RADIUS(00000791): Send Accounting-Request to 208.98.188.6:1813 id 1646/71,len 379
*Sep 20 22:03:26.683: RADIUS: authenticator A6 50 A4 C3 2A 30 AB DA - 59 BF E8 75 8A 91 AA 9B
*Sep 20 22:03:26.683: RADIUS: Acct-Session-Id [44] 10 "00000D51"
*Sep 20 22:03:26.683: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 20 22:03:26.683: RADIUS: Vendor, Cisco [26] 53
*Sep 20 22:03:26.683: RADIUS: Cisco AVpair [1] 47 "ppp-disconnect-cause=Lower Layer disconnected"
*Sep 20 22:03:26.683: RADIUS: User-Name [1] 19 "[email protected]"
*Sep 20 22:03:26.683: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Sep 20 22:03:26.683: RADIUS: Vendor, Cisco [26] 32
*Sep 20 22:03:26.683: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
*Sep 20 22:03:26.683: RADIUS: Vendor, Cisco [26] 31
*Sep 20 22:03:26.683: RADIUS: Cisco AVpair [1] 25 "nas-tx-speed=1000000000"
*Sep 20 22:03:26.683: RADIUS: Vendor, Cisco [26] 31
*Sep 20 22:03:26.683: RADIUS: Cisco AVpair [1] 25 "nas-rx-speed=1000000000"
*Sep 20 22:03:26.683: RADIUS: Acct-Session-Time [46] 6 615
*Sep 20 22:03:26.683: RADIUS: Acct-Input-Octets [42] 6 1040
*Sep 20 22:03:26.683: RADIUS: Acct-Output-Octets [43] 6 1066
*Sep 20 22:03:26.683: RADIUS: Acct-Input-Packets [47] 6 78
*Sep 20 22:03:26.684: RADIUS: Acct-Output-Packets [48] 6 79
*Sep 20 22:03:26.684: RADIUS: Acct-Terminate-Cause[49] 6 admin-reset [6]
*Sep 20 22:03:26.684: RADIUS: Vendor, Cisco [26] 39
*Sep 20 22:03:26.684: RADIUS: Cisco AVpair [1] 33 "disc-cause-ext=Local Admin Disc"
*Sep 20 22:03:26.684: RADIUS: Acct-Status-Type [40] 6 Stop [2]
*Sep 20 22:03:26.684: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 22:03:26.684: RADIUS: NAS-Port [5] 6 0
*Sep 20 22:03:26.684: RADIUS: NAS-Port-Id [87] 11 "0/0/3/111"
*Sep 20 22:03:26.684: RADIUS: Vendor, Cisco [26] 41
*Sep 20 22:03:26.684: RADIUS: Cisco AVpair [1] 35 "client-mac-address=6468.0cf7.8546"
*Sep 20 22:03:26.684: RADIUS: Connect-Info [77] 8 "CV_VRF"
*Sep 20 22:03:26.684: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 20 22:03:26.684: RADIUS: NAS-IP-Address [4] 6 206.251.40.52
*Sep 20 22:03:26.684: RADIUS: Acct-Delay-Time [41] 6 0
*Sep 20 22:03:26.684: RADIUS(00000791): Started 60 sec timeout
*Sep 20 22:03:26.686: [910]PPPoE 1911: Segment (SSS class): UNBOUND
*Sep 20 22:03:26.686: [910]PPPoE 1911: Vi3 Block vaccess from being freed.
*Sep 20 22:03:26.687: [910]PPPoE 1911: Segment (SSS class): UNPROVISION
*Sep 20 22:03:26.687: [910]PPPoE 1911: failed to remove session from switching hash table.
*Sep 20 22:03:26.694: PPPoE 1911: I PADT R:6468.0cf7.8546 L:f866.f287.7c83 111 Gi0/0/3.111
*Sep 20 22:03:26.758: RADIUS: Received from id 1646/71 208.98.188.6:1813, Accounting-response, len 20
*Sep 20 22:03:26.758: RADIUS: authenticator E3 A2 A1 EE B0 3F 43 1C - 03 B6 84 A8 20 0D B8 90
*Sep 20 22:03:32.713: PPPoE 0: I PADI R:6468.0cf7.8546 L:ffff.ffff.ffff 111 Gi0/0/3.111
*Sep 20 22:03:32.713: Service tag: NULL Tag
*Sep 20 22:03:32.713: PPPoE 0: O PADO, R:f866.f287.7c83 L:6468.0cf7.8546 111 Gi0/0/3.111
*Sep 20 22:03:32.713: Service tag: NULL Tag
*Sep 20 22:03:32.722: PPPoE 0: I PADR R:6468.0cf7.8546 L:f866.f287.7c83 111 Gi0/0/3.111
*Sep 20 22:03:32.722: Service tag: NULL Tag
*Sep 20 22:03:32.722: PPPoE : encap string prepared
*Sep 20 22:03:32.722: [911]PPPoE 1912: Access IE handle allocated
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA get retrieved attrs
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA get nas port details
*Sep 20 22:03:32.722: [911]PPPoE 1912: Error adjusting nas port format did
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA get dynamic attrs
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA unique ID 792 allocated
*Sep 20 22:03:32.722: [911]PPPoE 1912: AAA method list set
*Sep 20 22:03:32.722: [911]PPPoE 1912: Service request sent to SSS
*Sep 20 22:03:32.723: [911]PPPoE 1912: Created, Service: None R:f866.f287.7c83 L:6468.0cf7.8546 111 Gi0/0/3.111
*Sep 20 22:03:32.723: [911]PPPoE 1912: State NAS_PORT_POLICY_INQUIRY Event SSS MORE KEYS
*Sep 20 22:03:32.724: [911]PPPoE 1912: data path set to PPP
*Sep 20 22:03:32.724: [911]PPPoE 1912: Segment (SSS class): PROVISION
*Sep 20 22:03:32.724: [911]PPPoE 1912: State PROVISION_PPP Event SSM PROVISIONED
*Sep 20 22:03:32.724: [911]PPPoE 1912: O PADS R:6468.0cf7.8546 L:f866.f287.7c83 Gi0/0/3.111
*Sep 20 22:03:32.724: [911]PPPoE 1912 <Gi0/0/3.111:111>: Unable to add line attributes from ANCP
*Sep 20 22:03:32.724: [911]PPPoE 1912: Unable to Add ANCP Line attributes to the PPPoE Authen attributes
*Sep 20 22:03:33.845: RADIUS/ENCODE(00000792):Orig. component type = PPPoE
*Sep 20 22:03:33.845: RADIUS: DSL line rate attributes successfully added
*Sep 20 22:03:33.845: RADIUS(00000792): Config NAS IP: 0.0.0.0
*Sep 20 22:03:33.845: RADIUS(00000792): Config NAS IPv6: ::
*Sep 20 22:03:33.845: RADIUS/ENCODE(00000792): acct_session_id: 3411
*Sep 20 22:03:33.845: RADIUS(00000792): sending
*Sep 20 22:03:33.845: RADIUS/ENCODE: Best Local IP-Address 206.251.40.52 for Radius-Server 208.98.188.6
*Sep 20 22:03:33.845: RADIUS(00000792): Sending a IPv4 Radius Packet
*Sep 20 22:03:33.845: RADIUS(00000792): Send Access-Request to 208.98.188.6:1812 id 1645/56,len 124
*Sep 20 22:03:33.846: RADIUS: authenticator 3E 87 16 F9 FF 1A F8 74 - D6 7F 38 C3 F0 98 6E 6F
*Sep 20 22:03:33.846: RADIUS: User-Name [1] 10 "dcdi.net"
*Sep 20 22:03:33.846: RADIUS: User-Password [2] 18 *
*Sep 20 22:03:33.846: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 22:03:33.846: RADIUS: NAS-Port [5] 6 0
*Sep 20 22:03:33.846: RADIUS: NAS-Port-Id [87] 11 "0/0/3/111"
*Sep 20 22:03:33.846: RADIUS: Vendor, Cisco [26] 41
*Sep 20 22:03:33.846: RADIUS: Cisco AVpair [1] 35 "client-mac-address=6468.0cf7.8546"
*Sep 20 22:03:33.846: RADIUS: Service-Type [6] 6 Outbound [5]
*Sep 20 22:03:33.846: RADIUS: NAS-IP-Address [4] 6 206.251.40.52
*Sep 20 22:03:33.846: RADIUS(00000792): Started 60 sec timeout
*Sep 20 22:03:34.868: RADIUS: Received from id 1645/56 208.98.188.6:1812, Access-Reject, len 20
*Sep 20 22:03:34.868: RADIUS: authenticator 02 CF 53 0A 6A 62 E5 DB - 2E 96 99 E4 09 D8 2E B1
*Sep 20 22:03:34.868: RADIUS(00000792): Received from id 1645/56
*Sep 20 22:03:34.869: RADIUS/ENCODE(00000792):Orig. component type = PPPoE
*Sep 20 22:03:34.869: RADIUS: DSL line rate attributes successfully added
*Sep 20 22:03:34.869: RADIUS(00000792): Config NAS IP: 0.0.0.0
*Sep 20 22:03:34.869: RADIUS(00000792): Config NAS IPv6: ::
*Sep 20 22:03:34.869: RADIUS/ENCODE(00000792): acct_session_id: 3411
*Sep 20 22:03:34.869: RADIUS(00000792): sending
*Sep 20 22:03:34.870: RADIUS/ENCODE: Best Local IP-Address 206.251.40.52 for Radius-Server 208.98.188.6
*Sep 20 22:03:34.870: RADIUS(00000792): Sending a IPv4 Radius Packet
*Sep 20 22:03:34.870: RADIUS(00000792): Send Access-Request to 208.98.188.6:1812 id 1645/57,len 139
*Sep 20 22:03:34.870: RADIUS: authenticator 8D 12 A1 E3 30 52 B0 F5 - 1C CD 8F 60 49 E9 F4 26
*Sep 20 22:03:34.870: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 20 22:03:34.870: RADIUS: User-Name [1] 19 "[email protected]"
*Sep 20 22:03:34.870: RADIUS: User-Password [2] 18 *
*Sep 20 22:03:34.870: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 22:03:34.870: RADIUS: NAS-Port [5] 6 0
*Sep 20 22:03:34.870: RADIUS: NAS-Port-Id [87] 11 "0/0/3/111"
*Sep 20 22:03:34.870: RADIUS: Vendor, Cisco [26] 41
*Sep 20 22:03:34.870: RADIUS: Cisco AVpair [1] 35 "client-mac-address=6468.0cf7.8546"
*Sep 20 22:03:34.870: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 20 22:03:34.870: RADIUS: NAS-IP-Address [4] 6 206.251.40.52
*Sep 20 22:03:34.870: RADIUS(00000792): Started 60 sec timeout
*Sep 20 22:03:34.894: RADIUS: Received from id 1645/57 208.98.188.6:1812, Access-Accept, len 44
*Sep 20 22:03:34.894: RADIUS: authenticator AC 92 A9 7C 1F CB 46 6B - F6 68 03 D8 AF 0B F0 F5
*Sep 20 22:03:34.894: RADIUS: Vendor, Cisco [26] 24
*Sep 20 22:03:34.894: RADIUS: Cisco AVpair [1] 18 "ip:vrf-id=CV_VRF"
*Sep 20 22:03:34.894: RADIUS(00000792): Received from id 1645/57
*Sep 20 22:03:34.902: [911]PPPoE 1912: State LCP_NEGOTIATION Event SSS CONNECT LOCAL
*Sep 20 22:03:34.904: [911]PPPoE 1912: Segment (SSS class): UPDATED
*Sep 20 22:03:34.904: [911]PPPoE 1912: Segment (SSS class): BOUND
*Sep 20 22:03:34.904: [911]PPPoE 1912: data path set to Virtual Acess
*Sep 20 22:03:34.905: [911]PPPoE 1912: State LCP_NEGOTIATION Event SSM UPDATED
*Sep 20 22:03:34.905: [911]PPPoE 1912: AAA get dynamic attrs
*Sep 20 22:03:34.906: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 20 22:03:34.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Sep 20 22:03:34.907: RADIUS/ENCODE(00000792):Orig. component type = PPPoE
*Sep 20 22:03:34.907: RADIUS(00000792): Config NAS IP: 0.0.0.0
*Sep 20 22:03:34.907: RADIUS(00000792): Config NAS IPv6: ::
*Sep 20 22:03:34.907: RADIUS(00000792): sending
*Sep 20 22:03:34.907: [911]PPPoE 1912: State PTA_BINDING Event STATIC BIND RESPONSE
*Sep 20 22:03:34.907: [911]PPPoE 1912: Connected PTA
*Sep 20 22:03:34.908: RADIUS/ENCODE: Best Local IP-Address 206.251.40.52 for Radius-Server 208.98.188.6
*Sep 20 22:03:34.913: RADIUS(00000792): Sending a IPv4 Radius Packet
*Sep 20 22:03:34.913: RADIUS(00000792): Send Accounting-Request to 208.98.188.6:1813 id 1646/72,len 189
*Sep 20 22:03:34.913: RADIUS: authenticator 5B 19 2B 31 5B 6C E7 46 - 5D 69 8D 66 99 13 2E F0
*Sep 20 22:03:34.913: RADIUS: Acct-Session-Id [44] 10 "00000D53"
*Sep 20 22:03:34.913: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Sep 20 22:03:34.913: RADIUS: User-Name [1] 19 "[email protected]"
*Sep 20 22:03:34.913: RADIUS: Vendor, Cisco [26] 32
*Sep 20 22:03:34.913: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
*Sep 20 22:03:34.913: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Sep 20 22:03:34.913: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Sep 20 22:03:34.913: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Sep 20 22:03:34.913: RADIUS: NAS-Port [5] 6 0
*Sep 20 22:03:34.913: RADIUS: NAS-Port-Id [87] 11 "0/0/3/111"
*Sep 20 22:03:34.913: RADIUS: Vendor, Cisco [26] 41
*Sep 20 22:03:34.913: RADIUS: Cisco AVpair [1] 35 "client-mac-address=6468.0cf7.8546"
*Sep 20 22:03:34.913: RADIUS: Connect-Info [77] 8 "CV_VRF"
*Sep 20 22:03:34.913: RADIUS: Service-Type [6] 6 Framed [2]
*Sep 20 22:03:34.913: RADIUS: NAS-IP-Address [4] 6 206.251.40.52
*Sep 20 22:03:34.914: RADIUS: Acct-Delay-Time [41] 6 0
*Sep 20 22:03:34.914: RADIUS(00000792): Started 60 sec timeout
*Sep 20 22:03:34.994: RADIUS: Received from id 1646/72 208.98.188.6:1813, Accounting-response, len 20
*Sep 20 22:03:34.994: RADIUS: authenticator 8E E3 AD 24 76 EA C2 53 - AD 0F DD 57 AC 0D F3 BAsho debug
coreASR1002#sho debugging
General OS:
AAA subscriber profile cli debugging is on
PPPoE:
PPPoE protocol events debugging is on
PPPoE protocol errors debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is onGood Day Manuel,
"...client is not getting IP address even though the sessions seems to be up. Is this correct?" Correct.
What I am seeing and suspecting is the problem has to do with 'ip:ip-unnumbered=interface'.
Trying with the ip:ip-unnumbered=Loopback111 or GigabitEthernet0/0/3.111 (for testing) debugging reports "Session creation failed due to full virtual-access interfaces not being supported...", as soon as the attribute is removed in radius the client authenticates but does not get an IP address. I would rather not use Loopback if possible.
GE0/0/3.111 is basically the client egress and GE0/0/2.20 is the ingress/router gateway
Also seeing this debug message, "...Unable to add line attributes from ANCP ... Unable to Add ANCP Line attributes to the PPPoE Authen attributes" which may or may not relate to ip-unnumbered attribute.
I hope the information isn't too much or confusing, sure appreciate the help.
debugging with ip:vrf-id=CV_VRF w/o ip:ip-unnumbered
*Sep 26 17:04:57.395: Vi3 PPP DISC: Lower Layer disconnected
*Sep 26 17:04:57.396: Vi3 PPP: Sending Acct Event[Down] id[5FB]
*Sep 26 17:04:57.396: PPP: NET STOP send to AAA.
*Sep 26 17:04:57.396: Vi3 LCP: O TERMREQ [Open] id 4 len 4
*Sep 26 17:04:57.396: Vi3 LCP: Event[CLOSE] State[Open to Closing]
*Sep 26 17:04:57.396: Vi3 PPP: Phase is TERMINATING
*Sep 26 17:04:57.397: Vi3 PPP: Block vaccess from being freed [0x10]
*Sep 26 17:04:57.398: Vi3 LCP: Event[DOWN] State[Closing to Initial]
*Sep 26 17:04:57.399: Vi3 PPP: Unlocked by [0x10] Still Locked by [0x0]
*Sep 26 17:04:57.399: Vi3 PPP: Free previously blocked vaccess
*Sep 26 17:04:57.399: Vi3 PPP: Phase is DOWN
*Sep 26 17:04:57.400: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 26 17:04:57.401: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Sep 26 17:05:03.440: PPP: Alloc Context [38E95CFC]
*Sep 26 17:05:03.440: ppp514 PPP: Phase is ESTABLISHING
*Sep 26 17:05:03.440: ppp514 PPP: Using vpn set call direction
*Sep 26 17:05:03.440: ppp514 PPP: Treating connection as a callin
*Sep 26 17:05:03.440: ppp514 PPP: Session handle[1D0005EB] Session id[514]
*Sep 26 17:05:03.440: ppp514 LCP: Event[OPEN] State[Initial to Starting]
*Sep 26 17:05:03.441: ppp514 PPP LCP: Enter passive mode, state[Stopped]
*Sep 26 17:05:04.522: ppp514 LCP: I CONFREQ [Stopped] id 180 len 10
*Sep 26 17:05:04.522: ppp514 LCP: MagicNumber 0x0669ECAE (0x05060669ECAE)
*Sep 26 17:05:04.522: ppp514 LCP: O CONFREQ [Stopped] id 1 len 18
*Sep 26 17:05:04.522: ppp514 LCP: MRU 1492 (0x010405D4)
*Sep 26 17:05:04.522: ppp514 LCP: AuthProto PAP (0x0304C023)
*Sep 26 17:05:04.522: ppp514 LCP: MagicNumber 0x6ABFFB9F (0x05066ABFFB9F)
*Sep 26 17:05:04.522: ppp514 LCP: O CONFACK [Stopped] id 180 len 10
*Sep 26 17:05:04.522: ppp514 LCP: MagicNumber 0x0669ECAE (0x05060669ECAE)
*Sep 26 17:05:04.522: ppp514 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
*Sep 26 17:05:04.525: ppp514 LCP: I CONFACK [ACKsent] id 1 len 18
*Sep 26 17:05:04.526: ppp514 LCP: MRU 1492 (0x010405D4)
*Sep 26 17:05:04.526: ppp514 LCP: AuthProto PAP (0x0304C023)
*Sep 26 17:05:04.526: ppp514 LCP: MagicNumber 0x6ABFFB9F (0x05066ABFFB9F)
*Sep 26 17:05:04.526: ppp514 LCP: Event[Receive ConfAck] State[ACKsent to Open]
*Sep 26 17:05:04.528: ppp514 PPP: Queue PAP code[1] id[15]
*Sep 26 17:05:04.529: ppp514 PPP: Phase is AUTHENTICATING, by this end
*Sep 26 17:05:04.529: ppp514 PAP: Redirect packet to ppp514
*Sep 26 17:05:04.529: ppp514 PAP: I AUTH-REQ id 15 len 31 from "[email protected]"
*Sep 26 17:05:04.529: ppp514 PAP: Authenticating peer [email protected]
*Sep 26 17:05:04.529: ppp514 PPP: Phase is FORWARDING, Attempting Forward
*Sep 26 17:05:04.529: ppp514 LCP: State is Open
*Sep 26 17:05:05.553: ppp514 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Sep 26 17:05:05.553: ppp514 PPP: Sent PAP LOGIN Request
*Sep 26 17:05:05.584: ppp514 PPP: Received LOGIN Response PASS
*Sep 26 17:05:05.584: ppp514 PPP: Phase is FORWARDING, Attempting Forward
*Sep 26 17:05:05.594: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
*Sep 26 17:05:05.594: Vi3 PAP: O AUTH-ACK id 15 len 5
*Sep 26 17:05:05.595: Vi3 PPP: Phase is UP
*Sep 26 17:05:05.595: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 26 17:05:05.596: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Sep 26 17:05:05.606: Vi3 IPCP: I CONFREQ [UNKNOWN] id 44 len 22
*Sep 26 17:05:05.606: Vi3 IPCP: Address 0.0.0.0 (0x030600000000)
*Sep 26 17:05:05.606: Vi3 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Sep 26 17:05:05.606: Vi3 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Sep 26 17:05:05.606: Vi3 LCP: O PROTREJ [Open] id 2 len 28 protocol IPCP
*Sep 26 17:05:05.606: Vi3 LCP: (0x012C0018030600000000810600000000)
*Sep 26 17:05:05.606: Vi3 LCP: (0x830600000000)
*Sep 26 17:05:05.607: Vi3 IPV6CP: I CONFREQ [UNKNOWN] id 26 len 14
*Sep 26 17:05:05.607: Vi3 IPV6CP: Interface-Id 5421:6C1B:5DCE:401A (0x010A54216C1B5DCE401A)
*Sep 26 17:05:05.607: Vi3 LCP: O PROTREJ [Open] id 3 len 20 protocol IPV6CP (0x011A0010010A54216C1B5DCE401A) debugging w/o ip:vrf-id=CV_VRF w/o ip:ip-unnumbered
*Sep 26 17:13:12.424: Vi3 PPP DISC: Lower Layer disconnected
*Sep 26 17:13:12.424: Vi3 PPP: Sending Acct Event[Down] id[5FE]
*Sep 26 17:13:12.425: PPP: NET STOP send to AAA.
*Sep 26 17:13:12.425: Vi3 LCP: O TERMREQ [Open] id 4 len 4
*Sep 26 17:13:12.425: Vi3 LCP: Event[CLOSE] State[Open to Closing]
*Sep 26 17:13:12.425: Vi3 PPP: Phase is TERMINATING
*Sep 26 17:13:12.426: Vi3 PPP: Block vaccess from being freed [0x10]
*Sep 26 17:13:12.426: Vi3 LCP: Event[DOWN] State[Closing to Initial]
*Sep 26 17:13:12.428: Vi3 PPP: Unlocked by [0x10] Still Locked by [0x0]
*Sep 26 17:13:12.428: Vi3 PPP: Free previously blocked vaccess
*Sep 26 17:13:12.428: Vi3 PPP: Phase is DOWN
*Sep 26 17:13:12.429: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 26 17:13:12.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Sep 26 17:13:18.485: PPP: Alloc Context [38E95CFC]
*Sep 26 17:13:18.485: ppp515 PPP: Phase is ESTABLISHING
*Sep 26 17:13:18.486: ppp515 PPP: Using vpn set call direction
*Sep 26 17:13:18.486: ppp515 PPP: Treating connection as a callin
*Sep 26 17:13:18.486: ppp515 PPP: Session handle[AC0005EC] Session id[515]
*Sep 26 17:13:18.486: ppp515 LCP: Event[OPEN] State[Initial to Starting]
*Sep 26 17:13:18.486: ppp515 PPP LCP: Enter passive mode, state[Stopped]
*Sep 26 17:13:19.572: ppp515 LCP: I CONFREQ [Stopped] id 181 len 10
*Sep 26 17:13:19.572: ppp515 LCP: MagicNumber 0x171E542B (0x0506171E542B)
*Sep 26 17:13:19.572: ppp515 LCP: O CONFREQ [Stopped] id 1 len 18
*Sep 26 17:13:19.572: ppp515 LCP: MRU 1492 (0x010405D4)
*Sep 26 17:13:19.572: ppp515 LCP: AuthProto PAP (0x0304C023)
*Sep 26 17:13:19.572: ppp515 LCP: MagicNumber 0x6AC78AB2 (0x05066AC78AB2)
*Sep 26 17:13:19.572: ppp515 LCP: O CONFACK [Stopped] id 181 len 10
*Sep 26 17:13:19.572: ppp515 LCP: MagicNumber 0x171E542B (0x0506171E542B)
*Sep 26 17:13:19.572: ppp515 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
*Sep 26 17:13:19.576: ppp515 LCP: I CONFACK [ACKsent] id 1 len 18
*Sep 26 17:13:19.576: ppp515 LCP: MRU 1492 (0x010405D4)
*Sep 26 17:13:19.576: ppp515 LCP: AuthProto PAP (0x0304C023)
*Sep 26 17:13:19.576: ppp515 LCP: MagicNumber 0x6AC78AB2 (0x05066AC78AB2)
*Sep 26 17:13:19.576: ppp515 LCP: Event[Receive ConfAck] State[ACKsent to Open]
*Sep 26 17:13:19.579: ppp515 PPP: Queue PAP code[1] id[16]
*Sep 26 17:13:19.601: ppp515 PPP: Phase is AUTHENTICATING, by this end
*Sep 26 17:13:19.601: ppp515 PAP: Redirect packet to ppp515
*Sep 26 17:13:19.601: ppp515 PAP: I AUTH-REQ id 16 len 31 from "[email protected]"
*Sep 26 17:13:19.601: ppp515 PAP: Authenticating peer [email protected]
*Sep 26 17:13:19.601: ppp515 PPP: Phase is FORWARDING, Attempting Forward
*Sep 26 17:13:19.601: ppp515 LCP: State is Open
*Sep 26 17:13:20.625: ppp515 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Sep 26 17:13:20.625: ppp515 PPP: Sent PAP LOGIN Request
*Sep 26 17:13:20.650: ppp515 PPP: Received LOGIN Response PASS
*Sep 26 17:13:20.650: ppp515 PPP: Phase is FORWARDING, Attempting Forward
*Sep 26 17:13:20.657: Vi3 PPP: Phase is AUTHENTICATING, Authenticated User
*Sep 26 17:13:20.657: Vi3 PAP: O AUTH-ACK id 16 len 5
*Sep 26 17:13:20.658: Vi3 PPP: Phase is UP
*Sep 26 17:13:20.658: Vi3 IPCP: Protocol configured, start CP. state[Initial]
*Sep 26 17:13:20.658: Vi3 IPCP: Event[OPEN] State[Initial to Starting]
*Sep 26 17:13:20.658: Vi3 IPCP: O CONFREQ [Starting] id 1 len 10
*Sep 26 17:13:20.658: Vi3 IPCP: Address 199.200.107.1 (0x0306C7C86B01)
*Sep 26 17:13:20.658: Vi3 IPCP: Event[UP] State[Starting to REQsent]
*Sep 26 17:13:20.658: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 26 17:13:20.660: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Sep 26 17:13:20.666: Vi3 IPCP: I CONFREQ [REQsent] id 45 len 22
*Sep 26 17:13:20.666: Vi3 IPCP: Address 0.0.0.0 (0x030600000000)
*Sep 26 17:13:20.666: Vi3 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
*Sep 26 17:13:20.666: Vi3 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
*Sep 26 17:13:20.666: Vi3 IPCP AUTHOR: Start. Her address 0.0.0.0, we want 0.0.0.0
*Sep 26 17:13:20.666: Vi3 IPCP AUTHOR: Done. Her address 0.0.0.0, we want 0.0.0.0
*Sep 26 17:13:20.666: Vi3 IPCP: Pool returned 199.200.107.20
*Sep 26 17:13:20.667: Vi3 IPCP: O CONFNAK [REQsent] id 45 len 22
*Sep 26 17:13:20.667: Vi3 IPCP: Address 199.200.107.20 (0x0306C7C86B14)
*Sep 26 17:13:20.667: Vi3 IPCP: PrimaryDNS 208.98.188.81 (0x8106D062BC51)
*Sep 26 17:13:20.667: Vi3 IPCP: SecondaryDNS 8.8.8.8 (0x830608080808)
*Sep 26 17:13:20.667: Vi3 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]
*Sep 26 17:13:20.667: Vi3 IPV6CP: I CONFREQ [UNKNOWN] id 27 len 14
*Sep 26 17:13:20.667: Vi3 IPV6CP: Interface-Id 096D:2933:E6FE:523D (0x010A096D2933E6FE523D)
*Sep 26 17:13:20.667: Vi3 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x011B0010010A096D2933E6FE523D)
*Sep 26 17:13:20.668: Vi3 IPCP: I CONFACK [REQsent] id 1 len 10
*Sep 26 17:13:20.668: Vi3 IPCP: Address 199.200.107.1 (0x0306C7C86B01)
*Sep 26 17:13:20.668: Vi3 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
*Sep 26 17:13:20.672: Vi3 IPCP: I CONFREQ [ACKrcvd] id 46 len 22
*Sep 26 17:13:20.672: Vi3 IPCP: Address 199.200.107.20 (0x0306C7C86B14)
*Sep 26 17:13:20.672: Vi3 IPCP: PrimaryDNS 208.98.188.81 (0x8106D062BC51)
*Sep 26 17:13:20.672: Vi3 IPCP: SecondaryDNS 8.8.8.8 (0x830608080808)
*Sep 26 17:13:20.672: Vi3 IPCP: O CONFACK [ACKrcvd] id 46 len 22
*Sep 26 17:13:20.672: Vi3 IPCP: Address 199.200.107.20 (0x0306C7C86B14)
*Sep 26 17:13:20.672: Vi3 IPCP: PrimaryDNS 208.98.188.81 (0x8106D062BC51)
*Sep 26 17:13:20.672: Vi3 IPCP: SecondaryDNS 8.8.8.8 (0x830608080808)
*Sep 26 17:13:20.672: Vi3 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
*Sep 26 17:13:20.689: Vi3 IPCP: State is Open
*Sep 26 17:13:20.691: %FMANRP_ESS-4-FULLVAI: Session creation failed due to Full Virtual-Access Interfaces not being supported. Check that all applied Virtual-Template and RADIUS features support Virtual-Access sub-interfaces. swidb= 0x41F07370, ifnum= 22
*Sep 26 17:13:20.691: Vi3 Added to neighbor route AVL tree: topoid 0, address 199.200.107.20
*Sep 26 17:13:20.691: Vi3 IPCP: Install route to 199.200.107.20
*Sep 26 17:13:20.693: Vi3 PPP DISC: Lower Layer disconnected
*Sep 26 17:13:20.693: Vi3 PPP: Sending Acct Event[Down] id[5FF]
*Sep 26 17:13:20.693: PPP: NET STOP send to AAA.
*Sep 26 17:13:20.694: Vi3 IPCP: Event[DOWN] State[Open to Starting]
*Sep 26 17:13:20.694: Vi3 IPCP: Event[CLOSE] State[Starting to Initial]
*Sep 26 17:13:20.694: Vi3 LCP: O TERMREQ [Open] id 3 len 4
*Sep 26 17:13:20.694: Vi3 LCP: Event[CLOSE] State[Open to Closing]
*Sep 26 17:13:20.694: Vi3 PPP: Phase is TERMINATING
*Sep 26 17:13:20.695: Vi3 PPP: Block vaccess from being freed [0x10]
*Sep 26 17:13:20.695: Vi3 Deleted neighbor route from AVL tree: topoid 0, address 199.200.107.20
*Sep 26 17:13:20.695: Vi3 IPCP: Remove route to 199.200.107.20
*Sep 26 17:13:20.696: Vi3 LCP: Event[DOWN] State[Closing to Initial]
*Sep 26 17:13:20.696: Vi3 PPP: Unlocked by [0x10] Still Locked by [0x0]
*Sep 26 17:13:20.696: Vi3 PPP: Free previously blocked vaccess
*Sep 26 17:13:20.696: Vi3 PPP: Phase is DOWN
*Sep 26 17:13:20.696: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 26 17:13:20.698: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down -
How to configure RADIUS to give IP address to a PPP client
I need to configure a RADIUS server, ACS if it's suported, to give a pre-defined IP address to a user connecting through PPP.
The NAS asks RADIUS for authentication then receives the accept or reject and some parameter that should tell the NAS the IP address the client will be assigned. (I guess it's this way)
Somebody knows which is this parameter and if it's this easy?
ThanksYes it also works fine. You may try this also.
Before configuring the RADIUS NAS-IP-Address Attribute Configurability feature, you must have configured the RADIUS servers or server groups and AAA method lists. To configure the RADIUS NAS-IP-Address Attribute Configurability feature, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server attribute 4 ip-address
For further information click this link.
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_rad_nas_ip_cfg_ps6350_TSD_Products_Configuration_Guide_Chapter -
Authentication failed for realm level_15
hi,
I'm trying to configure HTTP server to authenticate users with AAA platform. I get the following error while trying to connect with Cisco Configuration Pro:
TNRTAGCS01002#
Apr 23 15:29:42.129 CET: HTTP AAA Login-Authentication List name: default
Apr 23 15:29:42.165 CET: HTTP: Authentication failed for realm level_15 or view_access
Apr 23 15:29:42.165 CET: HTTP: Authentication failed for level 15
Apr 23 15:29:44.193 CET: HTTP AAA Login-Authentication List name: default
Apr 23 15:29:44.225 CET: HTTP: Authentication failed for realm level_15 or view_access
Apr 23 15:29:44.225 CET: HTTP: Authentication failed for level 15
Here's the AAA config:
aaa new-model
aaa group server tacacs+ TACACS_group
server {A}
server {B}
tacacs-server host A key A1
tacacs-server host B key B1
ip tacacs source-interface GigabitEthernet0/0.1900
aaa authentication login default group TACACS_group local
aaa authentication enable default none
aaa authorization config-commands
aaa authorization commands 1 default group TACACS_group if-authenticated
aaa authorization commands 15 default group TACACS_group if-authenticated
aaa accounting exec default
action-type start-stop
group TACACS_groupHi,
Yes, local authentication does work.
I added below the HTTP configuration:
ip http server
ip http authentication aaa login-authentication default
no ip http secure-server
I thought that HTTP would use the default method list for authentication. Is that possible or should I define a seperate AAA method list?
By the way, I always rate helpful posts -
ISG service authorization question
Hi everybody! Need you help!
I can't figure out how to authorize services for different PPPoE users (binded to diferent Virtual Template/bba-groups) on different RADIUS-servers..
I'v got the following config (some lines are removed):
#2 radius-groups
aaa group server radius PPPOE
server name PPPOE
aaa group server radius test_PPPOE
server name test_PPPOE
# AAA
aaa authentication login default local
aaa authentication ppp PPPOE group PPPOE
aaa authentication ppp test_PPPOE group test_PPPOE
aaa authorization network PPPOE group PPPOE
aaa authorization network test_PPPOE group test_PPPOE
aaa authorization subscriber-service default group PPPOE
aaa authorization subscriber-service test_PPPOE group test_PPPOE
aaa accounting network PPPOE start-stop group PPPOE
aaa accounting network test_PPPOE start-stop group test_PPPOE
# 2 bba-groups
bba-group pppoe PPPOE
virtual-template 1
bba-group pppoe test_PPPOE
virtual-template 2
# 2 virtual templates
interface Virtual-Template1
ip unnumbered Loopback10
peer default ip address pool PPPOE_POOL
ppp authentication chap pap PPPOE
ppp authorization PPPOE
ppp accounting PPPOE
interface Virtual-Template2
ip unnumbered Loopback11
peer default ip address pool PPPOE_POOL
ppp authentication chap pap test_PPPOE
ppp authorization test_PPPOE
ppp accounting test_PPPOE
Services are defined on 2 external RADIUS-servers.
Users binded with virtual-template1 (bba-group PPPOE) are authenticated and authorized by AAA method lists "PPPOE". Their services, recieved from external RADIUS server (aaa group server radius PPPOE) are authorized with defaul method list "aaa authorization subscriber-service default group PPPOE".
Users binded with virtual-template2 (bba-group test_PPPOE) are authenticated and authorized by AAA method lists "test_PPPOE". But i can't figure out how to authorize their services recieved from external RADIUS server (aaa group server radius test_PPPOE) with method list "aaa authorization subscriber-service test_PPPOE group test_PPPOE". What do i need to bind with it?
Will appreciate any help!
Thank you!Hello Raja Subramanian,
If you mark 0plant as authorizationRelevant all InfoCubes that have 0plant will also being checked for that authorization.
If you want to only restrict one InfoCube you have to do it separatly.
Let me give you a example:
You have InfoCubes:
A
B
C
D
All these four InfoCubes have 0plant inside. You mark 0plant as AuthorizationRelevant but you want to restrict only InfoCube B with values from 0plant, let's say 0plant value '110'. For the other Infocubes you don't want to restrict 0plant.
In that case you would create an authorization in RSECADMIN that will have 0TCAIPROV = 'B' and 0plant = '110'.
You would also create authorization for RSECADMIN for the others InfoProviders (it could be the same authorization for all the others or separate authorizations) with:
0TCAIPROV = 'A'
0TCAIPROV = 'C'
0TCAIPROV = 'D'
0plant = *
In this case everytime a user executes a query over B he would have to insert '110' as value for 0plant otherwise he would receive a lack of authorization. Everytime a user executes a query over A, C or D, he doesn't have to insert nothing in 0plant because he is allowed to see all the values for 0plant.
Please assign points,
Diogo. -
Hello. I cant get Per-session VRF feature working with IPv6 protocol. IPv4 is working fine.
Here is what i've got:
test1 Cleartext-Password := "test"
Framed-Protocol = PPP,
Service-Type == Framed-User,
Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat",
Cisco-AVPair += "ip:vrf-id=NoNAT",
Cisco-AVPair += "ip:ip-unnumbered=Loopback1",
Cisco-AVPair += "ip:addr-pool=real"
Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
test2 Cleartext-Password := "test"
Framed-Protocol = PPP,
Service-Type == Framed-User,
Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool",
Cisco-AVPair += "lcp:interface-config=ip nat inside"
#sho run
interface Loopback0
ip address ****
ipv6 address 2001:DB8::20/128
ipv6 enable
interface Loopback1
vrf forwarding NoNAT
ip address *****
ipv6 address 2001:DB8::21/128
ipv6 enable
ipv6 dhcp pool AAA_dhcpv6_pool
prefix-delegation aaa method-list FREERADIUS
ip local pool pool192_168 192.168.128.0 192.168.255.254
ip local pool real *.*.*.* *.*.*.*
ipv6 local pool ppp_delegate_56_v6_pool 2001:DB8:3::/48 56
ipv6 local pool ppp_link_v6_pool 2001:DB8:1::/49 64
ipv6 local pool ppp_delegate_56_v6_pool_vrf_no_nat 2001:DB8:6::/48 56
ipv6 local pool ppp_link_v6_pool_vrf_no_nat 2001:DB8:4::/49 64
interface Virtual-Template1
ip unnumbered Loopback0
ipv6 unnumbered Loopback0
ipv6 enable
no ipv6 nd ra suppress
ipv6 dhcp server AAA_dhcpv6_pool
peer default ip address pool pool192_168
peer default ipv6 pool ppp_link_v6_pool
! non-related config skipped
User test2 receive IPv4 private address and full IPv6 service: address negotiated on the link and delegation DHCPv6 service.
User test1 receive IPv4 real address only and no IPv6 at all.
Here is the debug, take a look at the bold line:
Jul 8 10:13:41: RADIUS(000000DF): Send Access-Request to 10.0.6.10:1812 id 1645/139, len 207
Jul 8 10:13:41: RADIUS: authenticator B8 8A 07 F3 D8 90 A5 FE - B0 10 9F 51 B2 4F 7E 0A
Jul 8 10:13:41: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 8 10:13:41: RADIUS: User-Name [1] 6 "test"
Jul 8 10:13:41: RADIUS: CHAP-Password [3] 19 *
Jul 8 10:13:41: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 8 10:13:41: RADIUS: NAS-Port [5] 6 0
Jul 8 10:13:41: RADIUS: NAS-Port-Id [87] 13 "0/1/0/2.301"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 41
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 35 "client-mac-address=5254.0018.9fb1"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 39
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 33 "circuit-id-tag=SNR eth 001,0301"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 39
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 33 "remote-id-tag=f8-f0-82-10-9b-9d"
Jul 8 10:13:41: RADIUS: Service-Type [6] 6 Framed [2]
Jul 8 10:13:41: RADIUS: NAS-IP-Address [4] 6 10.0.6.21
Jul 8 10:13:41: RADIUS(000000DF): Sending a IPv4 Radius Packet
Jul 8 10:13:41: RADIUS(000000DF): Started 5 sec timeout
Jul 8 10:13:41: RADIUS: Received from id 1645/139 10.0.6.10:1812, Access-Accept, len 236
Jul 8 10:13:41: RADIUS: authenticator 9C E6 3B 43 A3 58 06 AB - 17 99 AD 06 FF C6 9A 35
Jul 8 10:13:41: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jul 8 10:13:41: RADIUS: Service-Type [6] 6 Framed [2]
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 67
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 61 "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 23
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 17 "ip:vrf-id=NoNAT"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 34
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 28 "ip:ip-unnumbered=Loopback1"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 25
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 19 "ip:addr-pool=real"
Jul 8 10:13:41: RADIUS: Vendor, Cisco [26] 55
Jul 8 10:13:41: RADIUS: Cisco AVpair [1] 49 "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
Jul 8 10:13:41: RADIUS(000000DF): Received from id 1645/139
Jul 8 10:13:41: ppp202 PPP SSS: Forwarding request
Jul 8 10:13:41: ppp202 PPP: Phase is FORWARDING, Attempting Forward
Jul 8 10:13:41: PPP: Bind ppp202 to Virtual-Access2.1
Jul 8 10:13:41: Vi2.1 PPP: Static Bind peer_type[3]
Jul 8 10:13:41: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User
Jul 8 10:13:41: Vi2.1 CHAP: O SUCCESS id 1 len 4
Jul 8 10:13:41: Vi2.1 PPP: Phase is UP
Jul 8 10:13:41: Vi2.1 IPCP: Protocol configured, start CP. state[Initial]
Jul 8 10:13:41: Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]
Jul 8 10:13:41: Vi2.1 IPCP: O CONFREQ [Starting] id 1 len 10
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.8 (0x0306B92EC408)
Jul 8 10:13:41: Vi2.1 IPCP: Event[UP] State[Starting to REQsent]
Jul 8 10:13:41: Vi2.1 PPP: Send Message[Static Bind Response]
Jul 8 10:13:41: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 22
Jul 8 10:13:41: Vi2.1 IPCP: Address 0.0.0.0 (0x030600000000)
Jul 8 10:13:41: Vi2.1 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000)
Jul 8 10:13:41: Vi2.1 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000)
Jul 8 10:13:41: Vi2.1 IPCP AUTHOR: Start. Her address 0.0.0.0, we want 0.0.0.0
Jul 8 10:13:41: Vi2.1 IPCP AUTHOR: Says use pool real
Jul 8 10:13:41: Vi2.1 IPCP AUTHOR: Pool returned *.*.*.11
Jul 8 10:13:41: Vi2.1 IPCP AUTHOR: Done. Her address 0.0.0.0, we want *.*.*.11
Jul 8 10:13:41: Vi2.1 IPCP: O CONFNAK [REQsent] id 1 len 22
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.11 (0x0306B92EC50B)
Jul 8 10:13:41: Vi2.1 IPCP: PrimaryDNS 8.8.8.8 (0x810608080808)
Jul 8 10:13:41: Vi2.1 IPCP: SecondaryDNS 8.8.4.4 (0x830608080404)
Jul 8 10:13:41: Vi2.1 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]
Jul 8 10:13:41: Vi2.1 IPV6CP: I CONFREQ [UNKNOWN] id 1 len 14
Jul 8 10:13:41: Vi2.1 IPV6CP: Interface-Id 11BF:9891:6F31:7C15 (0x010A11BF98916F317C15)
Jul 8 10:13:41: Vi2.1 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x0101000E010A11BF98916F317C15)
Jul 8 10:13:41: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.8 (0x0306B92EC408)
Jul 8 10:13:41: Vi2.1 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
Jul 8 10:13:41: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 22
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.11 (0x0306B92EC50B)
Jul 8 10:13:41: Vi2.1 IPCP: PrimaryDNS 8.8.8.8 (0x810608080808)
Jul 8 10:13:41: Vi2.1 IPCP: SecondaryDNS 8.8.4.4 (0x830608080404)
Jul 8 10:13:41: Vi2.1 IPCP: O CONFACK [ACKrcvd] id 2 len 22
Jul 8 10:13:41: Vi2.1 IPCP: Address *.*.*.11 (0x0306B92EC50B)
Jul 8 10:13:41: Vi2.1 IPCP: PrimaryDNS 8.8.8.8 (0x810608080808)
Jul 8 10:13:41: Vi2.1 IPCP: SecondaryDNS 8.8.4.4 (0x830608080404)
Jul 8 10:13:41: Vi2.1 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
Jul 8 10:13:41: Vi2.1 IPCP: State is Open
Jul 8 10:13:41: Vi2.1 Added to neighbor route AVL tree: topoid 2, address *.*.*.11
Jul 8 10:13:41: Vi2.1 IPCP: Install route to *.*.*.11
Jul 8 10:13:41: RADIUS/ENCODE(000000DF):Orig. component type = PPPoE
Jul 8 10:13:41: RADIUS(000000DF): Config NAS IP: 10.0.6.21
Jul 8 10:13:41: RADIUS(000000DF): Config NAS IPv6: ::
Jul 8 10:13:41: RADIUS(000000DF): sending
Jul 8 10:13:41: RADIUS(000000DF): Send Accounting-Request to 10.0.6.10:1813 id 1646/109, len 264
Any suggestions?Fixed one problem and moved into other.
I've added
Cisco-AVPair += "lcp:interface-config=ipv6 unnumbered Loopback1"
to user profile, but stumbled into another problem: router ignores
Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool"
regardless of vrf, even on usual user profile -
Nov 19 11:12:17 EET: ppp8272 PPP: Sent PAP LOGIN Request PPPOE problem
a session stays in LCP and the debug is :
Nov 19 11:43:20 EET: PPPoE 0: I PADI R:0015.0c44.e6c4 L:ffff.ffff.ffff 1470 Gi1/1/0.1470
Nov 19 11:43:20 EET: Service tag: NULL Tag
Nov 19 11:43:20 EET: PPPoE 0: O PADO, R:001b.53c3.1d24 L:0015.0c44.e6c4 1470 Gi1/1/0.1470
Nov 19 11:43:20 EET: Service tag: NULL Tag
Nov 19 11:43:20 EET: PPPoE 0: I PADR R:0015.0c44.e6c4 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:20 EET: Service tag: NULL Tag
Nov 19 11:43:20 EET: PPPoE : encap string prepared
Nov 19 11:43:20 EET: [12789]PPPoE 59193: Access IE handle allocated
Nov 19 11:43:20 EET: [12789]PPPoE 59193: AAA get retrieved attrs
Nov 19 11:43:20 EET: [12789]PPPoE 59193: AAA get nas port details
Nov 19 11:43:20 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:20 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:20 EET: [12789]PPPoE 59193: AAA unique ID allocated
Nov 19 11:43:20 EET: [12789]PPPoE 59193: AAA method list set
Nov 19 11:43:20 EET: [12789]PPPoE 59193: Service request sent to SSS
Nov 19 11:43:20 EET: [12789]PPPoE 59193: Created, Service: None R:001b.53c3.1d24 L:0015.0c44.e6c4 1470 Gi1/1/0.1470
Nov 19 11:43:20 EET: [12789]PPPoE 59193: State NAS_PORT_POLICY_INQUIRY Event SSS MORE KEYS
Nov 19 11:43:20 EET: [12789]PPPoE 59193: data path set to PPP
Nov 19 11:43:20 EET: [12789]PPPoE 59193: Segement (SSS class): PROVISION
Nov 19 11:43:20 EET: [12789]PPPoE 59193: State PROVISION_PPP Event SSM PROVISIONED
Nov 19 11:43:20 EET: [12789]PPPoE 59193: O PADS R:0015.0c44.e6c4 L:001b.53c3.1d24 Gi1/1/0.1470
Nov 19 11:43:21 EET: PPPoE 0: I PADR R:0015.0c44.e6c4 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:21 EET: Service tag: NULL Tag
Nov 19 11:43:21 EET: [12789]PPPoE 59193: O PADS R:0015.0c44.e6c4 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:22 EET: PPPoE 0: I PADR R:0015.0c44.e6c4 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:22 EET: Service tag: NULL Tag
Nov 19 11:43:22 EET: [12789]PPPoE 59193: O PADS R:0015.0c44.e6c4 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:25 EET: [1564]PPPoE 59133: AAA get dynamic attrs
Nov 19 11:43:25 EET: [1564]PPPoE 59133: AAA get dynamic attrs
Nov 19 11:43:25 EET: PPPoE 59133: I PADT R:0015.0c7f.3617 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:25 EET: [1564]PPPoE 59133: Destroying R:0015.0c7f.3617 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:25 EET: PPPoE: Returning Vaccess Virtual-Access1.5542
Nov 19 11:43:25 EET: [1564]PPPoE 59133: AAA get dynamic attrs
Nov 19 11:43:25 EET: [1564]PPPoE 59133: AAA get dynamic attrs
Nov 19 11:43:25 EET: [1564]PPPoE 59133: AAA account stopped
Nov 19 11:43:25 EET: [1564]PPPoE 59133: Segement (SSS class): UNPROVISION
Nov 19 11:43:26 EET: PPPoE 59133: I PADT R:0015.0c7f.3617 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:29 EET: [12789]PPPoE 59193: O PADT R:0015.0c44.e6c4 L:001b.53c3.1d24 Gi1/1/0.1470
Nov 19 11:43:29 EET: [12789]PPPoE 59193: Destroying R:0015.0c44.e6c4 L:001b.53c3.1d24 1470 Gi1/1/0.1470
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA get dynamic attrs
Nov 19 11:43:29 EET: [12789]PPPoE 59193: AAA account stopped
Nov 19 11:43:29 EET: [12789]PPPoE 59193: Segement (SSS class): UNPROVISION
Nov 19 11:43:29 EET: PPPoE 59193: I PADT R:0015.0c44.e6c4 L:001b.53c3.1d24 1470 Gi1/1/0.1470
sh pppoe session | in e6c4
9040 61583 0015.0c44.e6c4 Gi1/1/0.1470 1 N/A LCP
Does anyone understands why the session stays to LCP and it is terminated?I have already tried a debug ppp negotiation and a debug radius authentication, but i do not seem to get the user's username....And after all the ppp stops in LCP. I run a certain pppoe debug and i watched the user changing from PADI to PADO all the time. Is there a chance to have a problem in the dlsam?
-
AAA login authentication methods
Hello guys,
I've noticed a strange behaviour with AAA authentication login.
My AAA configuration for login authentication is: aaa authentication login default group tacacs+ local
No tacacs server exists, but username and password in local database does. Indeed everything works fine when I log in: aaa authentication login default group tacacs+ local line none
The problem comes up when I add to the method list line and none authentication methods.
In this case, when I log into the switch (via console for example), and I'm asked for username, there is no validation of the username, I mean to say, I can put whatever username and been granted access.
Conclusion: According to my aaa authentication list, method line or none should not be used unless tacacs and local are not available. In this case, local method is available and should fail so login should be rejected, but it jumps to the next method, finally giving access.
Is this a bug in AAA? or am I misunderstanding something.
Thanks a lot.Only exec-timeout command, so it applies the default list defined by aaa.
When I remove the none, authentication fails. I've debugged AAA authentication and shows:
User Access Verification
Username:
Jul 5 18:16:48.329 METDST: AAA/BIND(00000035): Bind i/f
Jul 5 18:16:49.493 METDST: AAA/AUTHEN/LOGIN (00000035): Pick method list 'default' adsf
Jul 5 18:16:56.382 METDST: AAA/AUTHEN/LINE(00000035): FAIL - Line password not found
% Authentication failed
Username:
Local authentication method is being bypassed.
If I configure a password under line con 0, I've access regardless of the username, so no local authentication is being enforced as well.
Thanks.
Maybe you are looking for
-
Errors all the time in Outlook 2010?
Hi, For the past 2 days I cannot recieve or send emails at all on one of my laptops but on the other it does work fine. They both have the same set ups using MS Outlook 2010 but the other latop is on Windows 7 and this one is on windows 8.1 which doe
-
Accessing a form created in FormsCentral that is saved locally
Accessing a form created in FormsCentral that is saved locally - how do I do this if the form was not created on this computer?
-
I have accidentally sent all my iPhoto Library to the trash and deleted it. Is there a way to recover the files knowing that I don't save on Time Machine? Help me please, I am desesperate?
-
Need Document Fonts in .TXT format
Hi All, I am trying a script which is in "InDesignCS3_ScriptingGuide_JS" related to font list. My requirement: How can we get documents font list in .txt format. Trying Code is below: //To display font name (working fine) var myDocument = app.activeD
-
1. I want to do following: Select material_no from mara where material_type in (u2018XXXu2019, u2018YYYu2019, u2018ZZZu2019) Where material_no, mateial_type will re replaced by the actual field names. Is it possible to do that in OPEN SQL or do