--- Begin Message ---
Hi Scott
Yes you need to check all your attributes being passed because they are
different for the 9ks with respect to 1ks
For example
ip:ip-unnumbered=loopback 0 would need to be ipv4:ipv4-unnumbered=loopback 0
to send routes you need to use framed-route and not cisco avpair ip:route
and several others
one that took us awhile to find was needing service-type outbound-user to set
up l2tp tunnels out to some of our customers.
And as Tom said if one attributes comes in that is not accepted the user will
not come up.
So make sure to test well
Brian
> -----Original Message-----
> From: cisco-nsp [mailto:[email protected]] On Behalf Of
> Tom Chambers
> Sent: Saturday, April 25, 2020 5:32 AM
> To: Scott Miller <[email protected]>
> Cc: cisco-nsp <[email protected]>
> Subject: Re: [c-nsp] ASR 9010 BNG setup
>
> The attribute list there is to just accept the attributes from the RADIUS
> server
> defined in that list, if you don’t have one configured then the BNG will
> accept
> all from the RADIUS server.
>
> You might want to use them depending on your setup; when an IOS-XR device
> receives an unsupported attribute from the RADIUS server it won’t
> authenticate the subscriber session and will remain down, whereas IOS-XE will
> ignore the unsupported attributes and authenticate the subscriber regardless.
>
> You may find this interesting/useful https://community.cisco.com/t5/service-
> providers-documents/asr9000-xr-bng-deployment-guide/ta-p/3110436
>
> Regards,
> Tom
>
> From: Scott Miller <[email protected]>
> Sent: 24 April 2020 23:24
> To: Tom Chambers <[email protected]>
> Cc: cisco-nsp <[email protected]>
> Subject: Re: [c-nsp] ASR 9010 BNG setup
>
> Ah, now that makes more sense. Got it. Clear as mud now.
>
> aaa group server radius RADIUS_SERVER
> deadtime 40
> server-private xx.xx.xx.xx auth-port 1812 acct-port 1813
> key 7 xyzxyzxyz
> !
>
> Another question. The doc's talk about the attribute list. Looks like they
> want
> them in some sort of access-list. Is that correct? On the 1002 we have no
> such access-list
>
> Example:
> SUMMARY STEPS
> configure
> aaa group server radius name
> accounting accept radius_attribute_list_name authorization reply accept
> radius_attribute_list_name
>
>
> All we have on the 1002 is:
> aaa group server radius RADIUS_SERVER
> server xx.xx.xx.xx auth-port 1812 acct-port 1813 !
> aaa authentication login VTY_Auth_List group AAA_TACACs_Servers enable
> aaa authentication login VTY_Auth_None none aaa authentication ppp default
> group RADIUS_SERVER aaa authorization exec default group tacacs+ if-
> authenticated aaa authorization network default group RADIUS_SERVER aaa
> authorization auth-proxy default group RADIUS_SERVER aaa accounting send
> stop-record authentication failure aaa accounting send stop-record always
> aaa accounting delay-start aaa accounting nested aaa accounting update
> newinfo periodic 60 aaa accounting exec default start-stop group tacacs+ aaa
> accounting commands 0 default start-stop group tacacs+ aaa accounting
> commands 1 default start-stop group tacacs+ aaa accounting commands 15
> default start-stop group tacacs+ aaa accounting network default start-stop
> group RADIUS_SERVER aaa accounting connection default start-stop group
> RADIUS_SERVER aaa accounting system default action-type start-stop group
> RADIUS_SERVER !
> aaa accounting resource default start-stop group RADIUS_SERVER !
> aaa server radius dynamic-author
> server-key 7 xyzxyzxyz
> port 3799
> auth-type any
> !
> Then a bba-group
> sub interface layer 2 with vlan specified virtual-template
>
> and that's it. If I'm making it out to be harder than it really is, just
> ignore me.
> I'm still following the doc to get it set up. Just jumping ahead and probably
> confusing myself.
>
> Thanks,
>
>
>
> On Fri, Apr 24, 2020 at 4:11 PM Tom Chambers
> <[email protected]<mailto:[email protected]>> wrote:
> Hi,
>
> The 'server x.x.x.x auth-port Y acct-port X' command in the RADIUS server
> group is looking for an already configured public (global) server, you'll
> need to
> configure the server globally using 'radius-server host x.x.x.x auth-port Y
> acct-
> port Z' for this to work.
> Alternatively you could use 'server-private x.x.x.x auth-port Y acct-port Z'
> in
> the RADIUS server group, this will specify the server for just the group you
> are
> using and not require it to be in the global config as well.
>
> Regards,
> Tom
> -----Original Message-----
> From: cisco-nsp <[email protected]<mailto:cisco-nsp-
> [email protected]>> On Behalf Of Scott Miller
> Sent: 24 April 2020 20:21
> To: cisco-nsp <[email protected]<mailto:cisco-
> [email protected]>>
> Subject: [c-nsp] ASR 9010 BNG setup
>
> Hello all. We have an ASR9010 we're using as a PE router, and we'd like to
> migrate our PPPoE off of an ASR1002x onto the 9010. Reading the
> documentation here:
>
> https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-
> 4/bng/configuration/guide/b-bng-cg-asr9000-64x/b-bng-cg-asr9000-
> 64x_chapter_011.html
>
>
> on the Configuring RADIUS Server Group section, I enter the following, but
> get an error:
>
> RP/0/RSP0/CPU0:asbr1.kalhoc#config t
> Fri Apr 24 13:13:47.801 MDT
> RP/0/RSP0/CPU0:asbr1.kalhoc(config)#aaa group server radius
> RADIUS_SERVER RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)# deadtime
> 40 RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)# source-interface
> Loopback1 RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#server xx.xx.xx.xx
> auth-port
> 1812 acct-port 1813
> RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#commit
> Fri Apr 24 13:13:58.996 MDT
>
> % Failed to commit one or more configuration items during a pseudo-atomic
> operation. All changes made have been reverted. Please issue 'show
> configuration failed [inheritance]' from this session to view the errors
> RP/0/RSP0/CPU0:asbr1.kalhoc(config-sg-radius)#
>
> if I remove the server IP line, it commits fine, but I can't add anything else
> under the aaa group server radius RADIUS_SERVER config. I see in the error
> it's an "inheritance" issue, but not seeing what I'm missing.
> Following the doc top down. And yes, Loopback1 does exist.
>
> show config:
> !
> aaa group server radius RADIUS_SERVER
> deadtime 40
> source-interface Loopback1
> !
>
> Cisco ASR9010
> Version 6.4.2
> RSP440-SE
> RP/0/RSP0/CPU0:asbr1.kalhoc#show install active Fri Apr 24 13:16:10.341
> MDT Secure Domain Router: Owner
>
> Node 0/RSP0/CPU0 [RP] [SDR: Owner]
> Boot Device: disk0:
> Boot Image:
> /disk0/asr9k-os-mbi-6.4.2.CSCvj68649-1.0.0/0x100305/mbiasr9k-rsp3.vm
> Active Packages:
> disk0:asr9k-services-infra-6.4.2
> disk0:asr9k-bng-px-6.4.2
> disk0:asr9k-doc-px-6.4.2
> disk0:asr9k-fpd-px-6.4.2
> disk0:asr9k-li-px-6.4.2
> disk0:asr9k-mcast-px-6.4.2
> disk0:asr9k-mgbl-px-6.4.2
> disk0:asr9k-mini-px-6.4.2
> disk0:asr9k-mpls-px-6.4.2
> disk0:asr9k-optic-px-6.4.2
> disk0:asr9k-services-px-6.4.2
> disk0:asr9k-video-px-6.4.2
> disk0:asr9k-k9sec-px-6.4.2
> disk0:asr9k-px-6.4.2.CSCvh04484-1.0.0
> disk0:asr9k-px-6.4.2.CSCvi41352-1.0.0
> disk0:asr9k-px-6.4.2.CSCvj53644-1.0.0
> disk0:asr9k-px-6.4.2.CSCvj60378-1.0.0
> disk0:asr9k-px-6.4.2.CSCvj68649-1.0.0
> disk0:asr9k-px-6.4.2.CSCvk28954-1.0.0
> disk0:asr9k-px-6.4.2.CSCvk68799-1.0.0
> disk0:asr9k-px-6.4.2.CSCvm95530-1.0.0
> disk0:asr9k-px-6.4.2.CSCvn15572-1.0.0
> disk0:asr9k-px-6.4.2.CSCvn20544-1.0.0
> disk0:asr9k-px-6.4.2.CSCvn71097-1.0.0
> disk0:asr9k-px-6.4.2.CSCvn81268-1.0.0
> disk0:asr9k-px-6.4.2.CSCvn92927-1.0.0
> disk0:asr9k-px-6.4.2.CSCvn95386-1.0.0
> disk0:asr9k-px-6.4.2.CSCvo03672-1.0.0
> disk0:asr9k-px-6.4.2.CSCvo42210-1.0.0
> disk0:asr9k-px-6.4.2.CSCvo43692-1.0.0
> disk0:asr9k-px-6.4.2.CSCvo47563-1.0.0
> disk0:asr9k-px-6.4.2.CSCvo48401-1.0.0
> disk0:asr9k-px-6.4.2.CSCvo64374-1.0.0
> disk0:asr9k-px-6.4.2.CSCvo90073-1.0.0
> disk0:asr9k-px-6.4.2.CSCvp25269-1.0.0
> disk0:asr9k-px-6.4.2.CSCvp52020-1.0.0
> disk0:asr9k-px-6.4.2.CSCvp53808-1.0.0
> disk0:asr9k-px-6.4.2.CSCvq07763-1.0.0
> disk0:asr9k-px-6.4.2.CSCvq08552-1.0.0
> disk0:asr9k-px-6.4.2.CSCvq27252-1.0.0
> disk0:asr9k-px-6.4.2.CSCvq41820-1.0.0
> disk0:asr9k-px-6.4.2.CSCvq55791-1.0.0
> disk0:asr9k-px-6.4.2.CSCvq61177-1.0.0
> disk0:asr9k-px-6.4.2.CSCvq75447-1.0.0
> disk0:asr9k-px-6.4.2.CSCvr23452-1.0.0
> disk0:asr9k-px-6.4.2.CSCvr29912-1.0.0
> disk0:asr9k-px-6.4.2.CSCvr58491-1.0.0
> disk0:asr9k-px-6.4.2.CSCvr62647-1.0.0
> disk0:asr9k-px-6.4.2.CSCvs00535-1.0.0
> disk0:asr9k-px-6.4.2.CSCvs03903-1.0.0
>
> Any help in where I'm going wrong already would be greatly appreciated.
>
> Scott
> _______________________________________________
> cisco-nsp mailing list [email protected]<mailto:cisco-
> [email protected]> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
>
> This email has been scanned for all viruses.
>
> Please consider the environment before printing this email.
>
> The content of this email and any attachment is private and may be
> privileged. If you are not the intended recipient, any use, disclosure,
> copying
> or forwarding of this email and/or its attachments is unauthorised. If you
> have
> received this email in error please notify the sender by email and delete this
> message and any attachments immediately. Nothing in this email shall bind
> the Company or any of its subsidiaries or businesses in any contract or
> obligation, unless we have specifically agreed to be bound.
>
> KCOM Group Limited is a private limited company incorporated in England
> and Wales, company number 02150618 and whose registered office is at 37
> Carr Lane, Hull, HU1 3RE
>
>
>
>
> This email has been scanned for all viruses.
>
> Please consider the environment before printing this email.
>
> The content of this email and any attachment is private and may be
> privileged. If you are not the intended recipient, any use, disclosure,
> copying
> or forwarding of this email and/or its attachments is unauthorised. If you
> have
> received this email in error please notify the sender by email and delete this
> message and any attachments immediately. Nothing in this email shall bind
> the Company or any of its subsidiaries or businesses in any contract or
> obligation, unless we have specifically agreed to be bound.
>
> KCOM Group Limited is a private limited company incorporated in England
> and Wales, company number 02150618 and whose registered office is at 37
> Carr Lane, Hull, HU1 3RE
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--- End Message ---
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
